Login Settings

Junos OS Evolved enables you to define various settings for users when they log in to a device. You (the system administrator) can configure:

  • Messages or announcements to display before or after login
  • Whether to display system alarms upon login
  • Login tips
  • Timeout values for idle sessions
  • Whether to lock a user account after a number of failed authentication attempts

Display a System Login Announcement or Message

Sometimes you want to make announcements only to authorized users after they log in to a device. For example, you might want to announce an upcoming maintenance event. At other times, it might be appropriate to display a message, such as a security warning, to any user that connects to the device.

By default, Junos OS Evolved does not display any login message or announcement. You can configure the device to display a login message or announcement by including the message statement or the announcement statement at the [edit system login] hierarchy level. Whereas the device displays a login message after a user connects to the device but before the user logs in, it displays an announcement only after the user successfully logs in to the device.

You can format the message or announcement text using the following special characters. If the text contains spaces, enclose it in quotation marks:

  • \n—New line

  • \t—Horizontal tab

  • \'—Single quotation mark

  • \"—Double quotation mark

  • \\—Backslash

To configure an announcement that only authorized users can see and a message that any user can see:

  1. Include the announcement statement and the message statement at the [edit system login] hierarchy level.

    For example:

  2. Commit the configuration.
  3. Connect to the device to verify the presence of the new message.

    The preceding configuration example displays the following login message after the user connects to the device. The example displays the announcement after the user logs in:

Display System Alarms Upon Login

You can configure Juniper Networks devices to execute the show system alarms command whenever a user in a given login class logs in to the device.

To display alarms whenever a user in a specific login class logs in to the device:

  1. Configure the login-alarms statement for the appropriate login class.

    For example, to display alarms whenever a user in the admin login class logs in to the device:

  2. Commit the configuration.

When a user in the given login class logs in to the device, the device displays the current alarms.

Configure Login Tips

You can configure the Junos OS Evolved CLI to display a tip whenever a user in the given login class logs in to the device. The device does not display tips by default.

To enable tips:

  1. Configure the login-tip statement at the [edit system login class class-name] hierarchy level.
  2. Commit the configuration.

When you configure the login-tip statement, the device displays a tip to any user in the specified class who logs in to the device.

Configure the Timeout Value for Idle Login Sessions

An idle login session is one in which the CLI displays the operational mode or configuration mode prompt but there is no input from the keyboard. By default, a login session remains established until a user logs out of the device, even if that session is idle. To close idle sessions automatically, you must configure a time limit for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes. Automatically closing idle login sessions helps to prevent malicious users from gaining access to the device and performing operations with an authorized user account.

You can configure an idle timeout only for user-defined classes. You cannot configure this option for the system predefined classes: operator, read-only, super-user or superuser, and unauthorized.

To define the timeout value for idle login sessions:

  1. Specify the number of minutes that a session can be idle before the system automatically closes the session.

    For example, to automatically disconnect idle sessions of users in the admin class after fifteen minutes:

  2. Commit the configuration.

If you configure a timeout value, the CLI displays messages similar to the following when timing out an idle user. The CLI starts displaying these messages 5 minutes before disconnecting the user.

If you configure a timeout value, the session closes after the specified time elapses, except in the following cases:

  • The user is running the ssh or telnet command.

  • The user is logged into the local UNIX shell.

  • The user is monitoring interfaces using the monitor interface or the monitor traffic command.

Login Retry Options

You can configure login retry options on Juniper Networks devices to protect the devices from malicious users. You can configure the following options:

  • The number of times a user can enter invalid login credentials before the system closes the connection.

  • Whether and for how long to lock a user account after the user reaches the threshold of failed authentication attempts.

Limiting the login attempts and locking the user account help to protect the device from malicious users attempting to access the system by guessing the password of an authorized user account. You can unlock the user account or define a time period for the user account to remain locked.

You configure login retry options at the [edit system login retry-options] hierarchy level. Junos OS Evolved allows three unsuccessful login attempts before the device disconnects the user. You cannot modify the default threshold for failed login attempts.

The lockout-period statement instructs the device to lock the user account for the specified amount of time if the user reaches the threshold of unsuccessful login attempts. The lock prevents the user from performing activities that require authentication, until the lockout time period has elapsed or a system administrator manually clears the lock. Any existing locks are ignored when the user attempts to log in from the local console.

To configure login retry options:

  1. Configure the number of minutes that the user account remains locked after a user reaches the threshold of failed login attempts.

    For example, to lock a user account for 120 minutes after a user reaches the threshold of failed login attempts:

  2. Commit the configuration.
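
The following Python check is an added example, not part of the Juniper documentation. It reads a configuration in set form and reports users who can never be timed out (predefined classes), users whose class has no idle timeout, and a missing lockout-period or login message. The sample configuration, the class and user names, and the use of the Junos idle-timeout statement name (which this page does not spell out) are assumptions made for illustration.

```python
import shlex

# Predefined classes that, per the page, cannot be given an idle timeout.
PREDEFINED = {"operator", "read-only", "super-user", "superuser", "unauthorized"}

# Constructed sample in "set" form; class and user names are made up.
SAMPLE = r'''
set system login message "\nAuthorized access only\n"
set system login class admin idle-timeout 15
set system login class admin login-alarms
set system login class noc permissions view
set system login user alice class admin
set system login user bob class noc
set system login user carol class super-user
'''

def audit_login(config):
    """Return findings for the login settings described on this page."""
    banner = lockout = None
    timeouts, users = {}, {}
    for line in config.splitlines():
        tok = shlex.split(line)
        if len(tok) < 5 or tok[:3] != ["set", "system", "login"]:
            continue
        kind, rest = tok[3], tok[4:]
        if kind == "message":
            banner = rest[0]
        elif kind == "retry-options" and rest[0] == "lockout-period" and len(rest) > 1:
            lockout = int(rest[1])
        elif kind == "class" and rest[1:2] == ["idle-timeout"] and len(rest) > 2:
            timeouts[rest[0]] = int(rest[2])
        elif kind == "user" and rest[1:2] == ["class"] and len(rest) > 2:
            users[rest[0]] = rest[2]
    findings = []
    if banner is None:
        findings.append("no pre-login message configured")
    if lockout is None:
        findings.append("no lockout-period under retry-options")
    for user, cls in sorted(users.items()):
        if cls in PREDEFINED:
            findings.append(f"user {user}: predefined class {cls} cannot take an idle timeout")
        elif cls not in timeouts:
            findings.append(f"user {user}: class {cls} has no idle-timeout")
    return findings

if __name__ == "__main__":
    for finding in audit_login(SAMPLE):
        print(finding)
```

Moving a flagged user to a user-defined class with the same permissions is what makes an idle timeout possible for that account.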

Note:

To clear the console during an administrator-initiated logout, include newline (\n) characters when you configure the message statement at the [edit system login] hierarchy level. To completely clear the console, the administrator can enter 50 or more \n characters in the message string. For example: