Example: Configuring QFabric System Login Classes
This example shows you how to assign the correct login class to users so they can access components within a QFabric system.
Requirements
This example uses the following hardware and software components:
One QFX3000-G QFabric system containing:
Two QFX3100 Director devices
Two QFX3008-I Interconnect devices
Eight QFX3500 Node devices
Junos OS Release 12.2 for these QFX Series components
Eight EX4200 switches, used to make two redundant Virtual Chassis with four members apiece
Junos OS Release 12.1R1.9 for the EX Series switches used in the Virtual Chassis
Before you begin:
Perform the initial setup of the QFabric system on the Director group, which includes the creation of a username and password for the QFabric system components. See Performing the QFabric System Initial Setup on a QFX3100 Director Group.
Overview
The QFabric system offers three special preset login classes that provide different levels of access to individual components within a QFabric system (such as Node devices and Interconnect devices). The qfabric-admin class provides the ability to log in to individual QFabric system components and manage them. The qfabric-operator class enables the user to log in to individual components and view component-level operations and configurations. The qfabric-user class prevents access to individual QFabric system components.
You include these classes in your configuration at the [edit system login user username authentication remote-debug-permission] hierarchy level. The key task is to decide which class to apply to each user based on that user's need to access QFabric system components.
To set QFabric system login classes for the root user, include the remote-debug-permission statement at the [edit system root-authentication] hierarchy level and specify the qfabric-admin class.
If you assign the qfabric-admin or the qfabric-operator class to a user, the QFabric system maps the user to a list of authorized users who are permitted to access components. To facilitate ease of use, the QFabric system uses the component password you specified during the initial setup of the Director group. When a user assigned the qfabric-admin or the qfabric-operator class logs in to a component by issuing the request component login operational mode command, the QFabric system verifies the class and sends the username and password to the component. The component accepts these credentials and permits access.
The three QFabric system login classes give access to the components only. To provide access to the QFabric system as a whole through the default partition command-line interface (CLI), you must configure the usual Junos OS login classes or permissions (such as the super-user class). For more information about login classes, see Junos OS Login Classes Overview.
If you have completed the QFabric system initial setup and the system is operational, you can change the component password by issuing the device-authentication statement at the [edit system] hierarchy level in the QFabric default partition CLI.
Topology
This example defines three users: Adam, Oscar, and Ulf. Adam needs to manage QFabric system components, Oscar needs limited access, and Ulf should not have any access to the components. As a result, assign the qfabric-admin class to Adam, the qfabric-operator class to Oscar, and the qfabric-user class to Ulf. However, all three users should have all permissions to access the QFabric system CLI.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set system login class all-qfabric permissions all
set system login user Adam class all-qfabric
set system login user Adam authentication encrypted-password "$1$aoYSFkvE$G/dYqsTV5iSvVW2sND69U."
set system login user Adam authentication remote-debug-permission qfabric-admin
set system login user Oscar class all-qfabric
set system login user Oscar authentication encrypted-password "$1$3e.3wJQ8$31SrzV0.efdRbk.ZJncKm0"
set system login user Oscar authentication remote-debug-permission qfabric-operator
set system login user Ulf class all-qfabric
set system login user Ulf authentication encrypted-password "$1$qt9Ncm0o$okNYSN8O4fVITE/SHBdYj0"
set system login user Ulf authentication remote-debug-permission qfabric-user
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To provide the same access to the QFabric system CLI for all users, but different QFabric system component-level access to different users:
Define and provide all-qfabric access and passwords to all three users. This administrator-defined class provides full permissions, enabling the users to log in to the QFabric system default partition and use the CLI. Alternatively, you can assign the super-user class to these users to accomplish the same goal.
[edit]
user@qfabric# set system login class all-qfabric permissions all
user@qfabric# set system login user Adam class all-qfabric
user@qfabric# set system login user Adam authentication encrypted-password "$1$aoYSFkvE$G/dYqsTV5iSvVW2sND69U."
user@qfabric# set system login user Oscar class all-qfabric
user@qfabric# set system login user Oscar authentication encrypted-password "$1$3e.3wJQ8$31SrzV0.efdRbk.ZJncKm0"
user@qfabric# set system login user Ulf class all-qfabric
user@qfabric# set system login user Ulf authentication encrypted-password "$1$qt9Ncm0o$okNYSN8O4fVITE/SHBdYj0"
Provide qfabric-admin component access to Adam so he can manage QFabric system components.
[edit]
user@qfabric# set system login user Adam authentication remote-debug-permission qfabric-admin
Provide qfabric-operator component access to Oscar so he can view the CLI at the QFabric system components.
[edit]
user@qfabric# set system login user Oscar authentication remote-debug-permission qfabric-operator
Assign qfabric-user component restrictions to Ulf to prevent him from accessing the QFabric system components.
[edit]
user@qfabric# set system login user Ulf authentication remote-debug-permission qfabric-user
Results
From configuration mode, confirm your configuration by entering the show command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example.
[edit]
system {
    login {
        class all-qfabric {
            permissions all;
        }
        user Adam {
            class all-qfabric;
            authentication {
                encrypted-password "$1$aoYSFkvE$G/dYqsTV5iSvVW2sND69U."; ## SECRET-DATA
                remote-debug-permission qfabric-admin;
            }
        }
        user Oscar {
            class all-qfabric;
            authentication {
                encrypted-password "$1$3e.3wJQ8$31SrzV0.efdRbk.ZJncKm0"; ## SECRET-DATA
                remote-debug-permission qfabric-operator;
            }
        }
        user Ulf {
            class all-qfabric;
            authentication {
                encrypted-password "$1$qt9Ncm0o$okNYSN8O4fVITE/SHBdYj0"; ## SECRET-DATA
                remote-debug-permission qfabric-user;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
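As an added example (not from the Juniper documentation or any Juniper tool), the following Python script parses the brace-structured show output above and reports, per user, the CLI class and the remote-debug-permission class, so an auditor can list which accounts hold qfabric-admin component access. The embedded sample configuration is a constructed abridgement of the Results output.

```python
# Added example, not code from the Juniper page: parse "show system login" text
# and report each user's CLI class and component-level (remote-debug) class.
# Constructed sample, abridged from the Results section of this example.
SAMPLE_CONFIG = """\
system {
    login {
        class all-qfabric {
            permissions all;
        }
        user Adam {
            class all-qfabric;
            authentication {
                encrypted-password "$1$aoYSFkvE$G/dYqsTV5iSvVW2sND69U."; ## SECRET-DATA
                remote-debug-permission qfabric-admin;
            }
        }
        user Ulf {
            class all-qfabric;
            authentication {
                remote-debug-permission qfabric-user;
            }
        }
    }
}
"""

def parse_login_users(config):
    """Walk the brace-structured config; return {user: {"class": ..., "component": ...}}."""
    users, stack, current = {}, [], None
    for raw in config.splitlines():
        line = raw.split("##", 1)[0].strip()       # drop "## SECRET-DATA" annotations
        if line.endswith("{"):                      # block open: remember its name
            name = line[:-1].strip()
            stack.append(name)
            if name.startswith("user "):            # entering [edit system login user X]
                current = name.split()[1]
                users[current] = {"class": None, "component": None}
        elif line == "}":                           # block close
            if stack.pop().startswith("user "):
                current = None
        elif current is not None:                   # statement inside a user block
            key, _, value = line.rstrip(";").partition(" ")
            if key == "class":
                users[current]["class"] = value
            elif key == "remote-debug-permission":
                users[current]["component"] = value
    return users

def component_admins(users):   # users who can log in to and manage components
    return sorted(u for u, v in users.items() if v["component"] == "qfabric-admin")
```

A user whose entry shows component set to None has no remote-debug-permission statement at all and should be reviewed explicitly.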
Verification
Confirm that the QFabric system and component-level access configuration is working properly for all three users. Adam, Oscar, and Ulf should have equivalent, full-permission access to the QFabric system CLI. Adam should have management-level access to components. Oscar should have read-only access to components. Ulf should have no component-level access.
Verifying qfabric-admin Access
Purpose
Verify that Adam can access the QFabric system CLI at the default partition and manage QFabric system components.
Action
From a management station on your network, issue the ssh user@qfabric command and enter the password to open an SSH session for Adam to the QFabric system. Issue the ? command to view the CLI operational mode commands that Adam has permission to use on the QFabric system default partition.
> ssh Adam@qfabric.network.net
Warning: Permanently added 'qfabric.network.net' (RSA) to the list of known hosts.
Adam@qfabric.network.net's password:
Last login: Sun Nov 20 14:12:29 2011 from 192.168.28.19
Juniper QFabric Director 11.3.5510 2011-10-21 16:31:44 UTC
RUNNING ON DIRECTOR DEVICE : dg0
Adam@qfabric>
Adam@qfabric> ?
Possible completions:
  clear                Clear information in the system
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  ping                 Ping remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute           Trace route to remote host
Issue the request component login ? command to view the components that Adam can access. Next, issue the request component login component-name command to log in to a Node device without being prompted for a username or password.
Adam@qfabric> request component login ?
Possible completions:
  <[Enter]>            Execute this command
  <node-name>          Inventory name for the remote node
  BBAK0372             Node device
  BBAK0394             Node device
  DRE-0                Diagnostic routing engine
  EE3093               Node device
  FC-0                 Fabric control
  FC-1                 Fabric control
  FM-0                 Fabric manager
  NW-NG-0              Node group
  WS001/RE0            Interconnect device control board
  WS001/RE1            Interconnect device control board
  |                    Pipe through a command
Adam@qfabric> request component login EE3093
Warning: Permanently added 'qfnode-ee3093,169.254.128.14' (RSA) to the list of known hosts.
--- JUNOS 11.3I built 2011-11-04 12:46:16 UTC
{master}
Finally, issue the ? command to view the CLI operational mode commands that Adam has permission to use on the Node device. Notice that the CLI prompt now indicates Adam's component access level (qfabric-admin) as the username and the Node device identifier (EE3093) as the host.
qfabric-admin@EE3093> ?
Possible completions:
  clear                Clear information in the system
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  monitor              Show real-time debugging information
  mtrace               Trace multicast path from source to receiver
  op                   Invoke an operation script
  ping                 Ping remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  ssh                  Start secure shell on another host
  start                Start shell
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute           Trace route to remote host
Meaning
The output shows that Adam has received the proper permissions to access the QFabric system CLI and log in to individual components with management-level access.
Verifying qfabric-operator Access
Purpose
Verify that Oscar can access the QFabric system CLI at the default partition and view the CLI on the QFabric system components.
Action
From a management station on your network, issue the ssh user@qfabric command and enter the password to open an SSH session for Oscar to the QFabric system. Issue the ? command to view the CLI operational mode commands that Oscar has permission to use on the QFabric system default partition. Notice that these permissions are the same as those given to Adam.
> ssh Oscar@qfabric.network.net
Warning: Permanently added 'qfabric.network.net' (RSA) to the list of known hosts.
Oscar@qfabric.network.net's password:
Last login: Sun Nov 19 19:21:29 2011 from 192.168.28.14
Juniper QFabric Director 11.3.5510 2011-10-22 18:33:41 UTC
RUNNING ON DIRECTOR DEVICE : dg1
Oscar@qfabric>
Oscar@qfabric> ?
Possible completions:
  clear                Clear information in the system
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  ping                 Ping remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute           Trace route to remote host
Issue the request component login component-name command to log in to a Node device without being prompted for a username or password.
Oscar@qfabric> request component login EE3093
Warning: Permanently added 'qfnode-ee3093,169.254.128.14' (RSA) to the list of known hosts.
--- JUNOS 11.3I built 2011-11-04 12:46:16 UTC
{master}
Finally, issue the ? command to view the CLI operational mode commands that Oscar has permission to use on the Node device. Notice that the CLI prompt now indicates Oscar's component access level (qfabric-operator) as the username and the Node device identifier (EE3093) as the host. Additionally, Oscar has fewer CLI commands available than Adam because of Oscar's read-only qfabric-operator login class.
qfabric-operator@EE3093> ?
Possible completions:
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  quit                 Exit the management session
  request              Make system-level requests
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  start                Start shell
  test                 Perform diagnostic debugging
Meaning
The output shows that Oscar has full permissions to access the QFabric system CLI, but only read-only access when he logs in to individual components. Oscar’s permissions on the QFabric system are the same as Adam’s, but Oscar has fewer permissions than Adam on the Node device.
Verifying qfabric-user Access
Purpose
Verify that Ulf has full access to the QFabric system CLI at the default partition but cannot access the QFabric system components.
Action
From a management station on your network, issue the ssh user@qfabric command and enter the password to open an SSH session for Ulf to the QFabric system. Issue the ? command to view the CLI operational mode commands that Ulf has permission to use on the QFabric system default partition. Notice that these permissions are the same as those given to Adam and Oscar.
> ssh Ulf@qfabric.network.net
Warning: Permanently added 'qfabric.network.net' (RSA) to the list of known hosts.
Ulf@qfabric.network.net's password:
Last login: Sun Nov 17 17:12:24 2011 from 192.168.28.22
Juniper QFabric Director 11.3.5510 2011-10-23 19:23:31 UTC
RUNNING ON DIRECTOR DEVICE : dg0
Ulf@qfabric>
Ulf@qfabric> ?
Possible completions:
  clear                Clear information in the system
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  op                   Invoke an operation script
  ping                 Ping remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  save                 Save information to file
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute           Trace route to remote host
When Ulf issues the request component login component-name command, the Node device denies his access attempt.
Ulf@qfabric> request component login EE3093
error: User Ulf does not have sufficient permissions to login to device EE3093
Meaning
The output shows that Ulf has full permissions to access the QFabric system CLI in the same way as Adam and Oscar. However, unlike Adam and Oscar, Ulf cannot access individual components because of the qfabric-user login class assigned to him.