Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring User Access Controls Overview

Junos Space Network Management Platform provides a robust user access control mechanism system that you use to enforce appropriate access policies on the Junos Space system through your Junos Space administrators. In Junos Space, administrators can serve different functional roles. A CLI administrator installs and configures Junos Space appliances. A Maintenance-mode administrator performs system-level tasks, such as troubleshooting and database restoration operations. After the appliances are installed and configured, you can create users and assign roles that allow these users to access the Junos Space Platform workspaces and manage the applications, users, devices, services, customers, and so forth.

Table 1 shows the Junos Space administrators and the tasks that can be performed.

Table 1: Junos Space Administrators
Junos Space Administrator Function Description Tasks

CLI administrator

An administrator responsible for setting up and managing system settings for Junos Space appliances from the serial console

The CLI administrator name is admin.

The CLI administrator password can be changed from the console system settings menu.

  • Install and configure basic settings for Junos Space appliances.

  • Change network and system settings for appliances, for example:

    • Change the CLI administrator password.

    • Modify routing parameters.

    • Modify DNS server settings.

    • Change time zone and NTP server settings.

    • Expand the VM drive size (Junos Space Virtual Appliances only).

    • Retrieve log files for troubleshooting.

Maintenance-mode administrator

An administrator responsible for performing system-level maintenance on Junos Space Network Management Platform

The Maintenance-mode administrator name is maintenance.

The Maintenance-mode password is configured from the serial console when you first configure a Junos Space appliance.

  • Restore Junos Space Network Management Platform to its previous state by using a database backup file.

  • Shut down Junos Space nodes by entering Maintenance mode.

  • Retrieve log files for troubleshooting.

  • Exit Maintenance mode and explicitly start up the Junos Space system.

Junos Space user interface users

A Junos Space user that is assigned one or more predefined roles. Each role assigned to a user provides specific access and management privileges on the objects (applications, devices, users, jobs, services, and customers) available from a workspace in the Junos Space user interface.

For more information about the predefined roles that can be assigned to a Junos Space user, see Configuring User Access Controls Overview.

You can configure user access control by:

  • Deciding how users will be authenticated and authorized to access Junos Space Platform

  • Segregating users based on the system functionality they are allowed to access. You can assign a different set of roles to different users. Junos Space Network Management Platform includes more than 25 predefined user roles and allows you to create custom roles that are based on the needs of your organization. When a user logs in to Junos Space, the workspaces that the user can access and the tasks that they can perform are determined by the roles that have been assigned to that particular user account.

  • Segregating users based on the domains that they are allowed to access. You can use the Domains feature in Junos Space to assign users and devices to the global domain and create subdomains, and then assign users to one or more of these domains. A domain is a logical grouping of objects, which can include devices, templates, users, and so on. When a user logs in to Junos Space, the set of objects that they are allowed to see is based on the domains to which that user account has been assigned.

    You can use multiple domains to separate large, geographically distant systems into smaller, more manageable sections and control administrative access to individual systems. You can assign domain administrators or users to manage devices and objects that are assigned to their domains. You can design the domain hierarchy in such a way that a user assigned to one domain need not necessarily have access to objects in another domain. You can even restrict users assigned to a domain from viewing objects that are in the parent domain (in Junos Space Release 13.3, from viewing the objects in the global domain).

    For example, a small organization might have only one domain (the global domain) for their entire network, whereas a large, international organization might have several subdomains within the global domain to represent each of its regional office networks across the world.

The following sections describe how to configure a user access control mechanism:

Authentication and Authorization Mode

The first decision to be made is regarding the mode of authentication and authorization that you want. The default mode in Junos Space is local authentication and authorization, which means that you must create user accounts in the Junos Space database with a valid password and assign a set of roles assigned to those accounts. User sessions are authenticated based on this password, and the set of roles assigned to the user account determine the set of tasks the user can perform.

If your organization relies on a set of centralized authentication, authorization, and accounting (AAA) servers, you can configure Junos Space to work with these servers by navigating to the Authentication Servers page in the Administration workspace (Network Management Platform > Administration).

Note:
  • You must have Super Administrator or System Administrator privileges to configure Junos Space to work with these servers.

  • You need to know the IP addresses, port numbers, and shared secrets of the remote AAA servers for configuring Junos Space to access them. We recommend that you use the Connection button to test the connection between Junos Space and the AAA server as soon as you add the server in Junos Space. This immediately lets you know whether there is any problem with the configured IP address, port, or credentials.

  • You can configure an ordered list of AAA servers. Junos Space contacts them in the order you configured; the second server is contacted only if the first one is unreachable, and so on.

  • You can configure RADIUS or TACACS+ servers over Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). You are allowed to have a mix of RADIUS and TACACS+ servers in the ordered list of AAA servers that Junos Space maintains.

  • There are two modes of remote authentication and authorization: remote-only and remote-local.

    • remote-only—Authentication and authorization are performed by a set of remote AAA servers (RADIUS or TACACS+).

    • remote-local—In this case, when a user is not configured on the remote authentication servers, when the servers are unreachable, or when the remote servers deny the user access, then the local password is used if such a local user exists in the Junos Space database.

If you are using remote-only mode, you do not have to create any local user accounts in Junos Space. Instead, you must create user accounts in the AAA servers that you use and associate a remote profile name to each user account. A remote profile is a collection of roles that define the set of functions that a user is allowed to perform in Junos Space. You create the remote profiles in Junos Space. For more information about remote profiles, see Remote Profiles. Remote profile names can be configured as a vendor-specific attribute (VSA) in RADIUS and as an attribute-value pair (AVP) in TACACS+. When an AAA server successfully authenticates a user session, the remote profile name is included in the response message that is sent back to Junos Space. Junos Space looks up the remote profile based on this remote profile name and determines the set of functions that the user is allowed to perform.

Even in the case of remote-only mode, you might want to create local user accounts in Junos Space in either of the following cases:

  • You want to ensure that a user is allowed to log in to Junos Space even if all the AAA servers are down. In this case, if a local user account exists in the Junos Space database, the user session is authenticated and authorized based on the local data. You might choose to do this for a few important user accounts for whom you want to ensure access even in this scenario.

  • You want to use device partitions to partition a device into subgroups and assign these subobjects to different users. You use device partitions to share the physical interfaces, logical interfaces, and physical inventory elements across multiple subdomains. Device partitions are supported only on M Series and MX Series routers. For more information, see the Creating Device Partitions topic in the Junos Space Network Management Platform Workspaces User Guide.

For more information about user authentication, see the Junos Space Authentication Modes Overview topic (in the Junos Space Network Management Platform Workspaces User Guide).

Certificate–Based and Certificate Parameter–Based Authentication

Junos Space Network Management Platform supports certificate–based and certificate parameter–based authentication for a user. Starting from Release 15.2R1, you can also authenticate users in certificate parameter–based authentication mode. With certificate–based and certificate parameter–based authentication, instead of authenticating a user based on the user’s credentials, you can authenticate a user based on the user’s certificate and certificate parameters. These authentication modes are considered more secure than password-based authentication. With certificate parameter–based authentication, you can define a maximum of four parameters that are authenticated during the log in process. Certificate–based and certificate parameter–based authentication over an SSL connection can be used to authenticate and authorize sessions among various servers and users. These certificates can be stored on a smart card, a USB drive, or a computer’s hard drive. The users typically swipe their smart card to log in to the system without entering their username and password.

For more information about certificate–based and certificate parameter–based authentication, see the Certificate Management Overview topic in the Junos Space Network Management Platform Workspaces Feature Guide.

User Roles

When configuring Junos Space, you must decide how you want to segregate users based on the system functionality that users are allowed to access. You do this by assigning a different set of roles to different users. A role defines a collection of workspaces that a Junos Space user is allowed to access and a set of actions that the user is allowed to perform within each workspace. To evaluate the predefined user roles that the Junos Space Network Management Platform supports, navigate to the Roles page (Network Management Platform > Role Based Access Control > Roles). In addition, every Junos Space application that is installed on the Junos Space Network Management Platform has its own predefined user roles. The Roles page lists all existing Junos Space application roles, their descriptions, and the tasks that are included in each role.

If the default user roles do not meet your needs, you can configure custom roles by navigating to the Create Role page (Network Management Platform > Role Based Access Control > Roles > Create Role). To create a role, you select the workspaces that a user with this role is allowed to access, and for each workspace, choose the set of tasks that the user can perform from that workspace.

Note:

You might need to go through several iterations of creating user roles to arrive at the optimal set of user roles that your organization needs.

After the user roles are defined, they can be assigned to various user accounts (in the case of local user accounts created in Junos Space) or assigned to remote profiles to be used for remote authorization.

For more information about configuring user roles, see the Role-Based Access Control Overview topic (in the Junos Space Network Management Platform Workspaces User Guide).

Remote Profiles

Remote profiles are used in the case of remote authorization. A remote profile is a collection of roles defining the set of functions that a user is allowed to perform in Junos Space. There are no remote profiles created by default, and you need to create them by navigating to the Create Remote Profile page (Network Management Platform > Role Based Access Control > Remote Profiles > Create Remote Profile). When creating a remote profile, you need to select one or more roles that belong to it. Then you can configure the name of the remote profile for one or more user accounts in the remote AAA servers.

When an AAA server successfully authenticates a user session, the AAA server includes the configured remote profile name for that user in the response message that comes back to Junos Space. Junos Space looks up the remote profile based on this name and determines the set of roles for the user. Junos Space then uses this information to control the set of workspaces the user can access and the tasks the user is allowed to perform.

Note:

If you decide to use local authorization along with remote authentication, you do not need to configure any remote profiles. In this case, you must create local user accounts and assign roles to these user accounts. The configured AAA servers perform authentication, and for each authenticated session, Junos Space performs the authorization based on the roles configured locally for the user account in the database.

For more information about creating remote profiles, see the Creating a Remote Profile topic (in the Junos Space Network Management Platform Workspaces User Guide).

Domains

You can add, modify, or delete a domain from the Domains page (Role Based Access Control > Domains). This page is accessible only when you are logged in to the global domain, which means that you can add, modify, or delete a domain only from the global domain. By default, any domain you create is added under the global domain. When you add a domain, you can choose to allow users in this domain to have read-only access to the parent domain. If you choose to do so, then all users in the subdomain can view objects of the parent domain in read-only mode.

Note:

Only two levels of hierarchy are supported: the global domain and any other domains that you might add under the global domain.

For more information about managing domains, see the Domains Overview topic (in the Junos Space Network Management Platform Workspaces User Guide).

User Accounts

You need to create user accounts in Junos Space in the following cases:

  • To perform local authentication and authorization—You create user accounts in Junos Space. Each user account must contain a valid password and a set of user roles. To create user accounts, navigate to the Create User page (Network Management Platform > Role Based Access Control> User Accounts > Create User).

  • To perform remote authentication and local authorization—You create a user account for each user of the system and ensure that a set of roles is assigned to each user account. It is not mandatory to enter a password for the user accounts because authentication is performed remotely.

  • To perform remote authentication and authorization and allow certain users to be able to access Junos Space even if all AAA servers are down or are not reachable from Junos Space—You create local user accounts for these users with a valid password. The system forces you to configure at least one role for these users. However, authorization is performed based on the remote profile name that the AAA server provides.

  • To perform remote authentication and authorization but also override remote authentication failures for specified users and allow them to access Junos Space— A typical scenario would be when you need to create a new Junos Space user but do not have immediate access to configure the user on the remote AAA servers. You must create local user accounts for such users with a valid password and a valid set of roles.

  • To perform remote authentication and authorization but also segregate devices among users based on domains—Because domains must be assigned to user objects in Junos Space, you must create remote profiles in Junos Space and assign roles and domains to those profiles.

    Note:

    If you decide to use local authorization along with remote authentication, you do not need to configure any remote profiles. In this case, you must create local user accounts and assign roles to these user accounts. The configured AAA servers perform authentication, and for each authenticated session, Junos Space performs the authorization based on the roles configured locally for the user account in the database.

Note:

Junos Space enforces certain rules for valid passwords. You configure these rules as part of the Network Management Platform settings from the Applications page (Network Management Platform > Administration > Applications). Right-click the application and select Modify Application Settings. Then select Password on the left side of the window. On the subsequent page, you can view and modify the current settings.

For more information about creating user accounts, see the Creating Users in Junos Space Network Management Platform topic (in the Junos Space Network Management Platform Workspaces User Guide).

Device Partitions

You can partition a device from the Devices page (Network Management Platform > Devices > Device Management). You can partition a device into subgroups and then assign these subobjects to different users by assigning the partitions to different domains. Only one partition of a device can be assigned to a domain.

Note:

Device partitions are supported only on M Series and MX Series routers.

For more information about device partitions, see the Creating Device Partitions topic (in the Junos Space Network Management Platform Workspaces User Guide).

Release History Table
Release
Description
15.2R1
Starting from Release 15.2R1, you can also authenticate users in certificate parameter–based authentication mode.