Junos ® OS User Access and Authentication User Guide Published 2020-03-26


  • Junos® OS

    User Access and Authentication User Guide

    Published

    2020-03-26

  • Juniper Networks, Inc.
    1133 Innovation Way
    Sunnyvale, California 94089
    USA
    408-745-2000
    www.juniper.net

    Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

    Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Junos® OS User Access and Authentication User Guide
    Copyright © 2020 Juniper Networks, Inc. All rights reserved.

    The information in this document is current as of the date on the title page.

    YEAR 2000 NOTICE

    Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    END USER LICENSE AGREEMENT

    The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


  • Table of Contents

    About the Documentation | xxix

    Documentation and Release Notes | xxix

    Using the Examples in This Manual | xxix

    Merging a Full Example | xxx

    Merging a Snippet | xxxi

    Documentation Conventions | xxxi

    Documentation Feedback | xxxiv

    Requesting Technical Support | xxxiv

    Self-Help Online Tools and Resources | xxxv

    Creating a Service Request with JTAC | xxxv

    1 Login Classes and Login Settings

    Junos OS Login Classes Overview | 37

    Junos OS Login Classes Overview | 37

    Permission Bits | 38

    Denying or Allowing Individual Commands | 41

    Defining Junos OS Login Classes | 41

    Example: Creating Login Classes with Specific Privileges | 42

    Junos OS Login Settings | 43

    Configuring Junos OS to Display a System Login Announcement | 44

    Configuring System Alarms to Appear Automatically Upon Login | 46

    Configuring Login Tips | 46

    Examples: Configuring Time-Based User Access | 47

    Configuring the Timeout Value for Idle Login Sessions | 48

    Login Retry Options | 49

    Limiting the Number of User Login Attempts for SSH and Telnet Sessions | 50

    Example: Configuring Login Retry Options | 52


  • 2 User Accounts

    Junos OS User Accounts | 57

    Junos OS User Accounts Overview | 57

    Junos-FIPS Crypto Officer and User Accounts Overview | 59

    Crypto Officer User Configuration | 60

    FIPS User Configuration | 60

    Example: Configuring User Accounts | 60

    Example: Configuring New Users | 61

    Configuring Junos OS User Accounts by Using a Configuration Group | 68

    Junos OS Administrative Roles | 71

    Understanding Administrative Roles | 72

    Example: Configuring Administrative Roles | 74

    Configuring a Local Administrator Account | 82

    Junos OS User Access Privileges | 83

    Understanding Junos OS Access Privilege Levels | 84

    Junos OS Login Class Permission Flags | 84

    Allowing or Denying Individual Commands for Junos OS Login Classes | 88

    Example: Configuring User Permissions with Access Privilege Levels | 89

    Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies | 94

    Understanding Regular Expressions | 94

    Specifying Regular Expressions | 97

    Regular Expressions Operators | 99

    Regular Expression Examples | 102

    Examples of Defining Access Privileges Using allow-configuration and deny-configuration Statements | 105

    Example: Using Additive Logic With Regular Expressions to Specify Access Privileges | 108

    Example: Configuring User Permissions with Access Privileges for Operational Mode Commands | 111

    Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies | 126


  • 3 Passwords for User Access

    Root Password | 142

    Configuring the Root Password | 142

    Example: Configuring a Plain-Text Password for Root Logins | 144

    Example: Configuring SSH Authentication for Root Logins | 147

    Recovering Root Password | 148

    Recovering the Root Password on Routers | 148

    Recovering the Root Password on Junos OS with Upgraded FreeBSD | 151

    Recovering the Root Password for Junos OS Evolved | 154

    Connecting to the Serial Port | 154

    Recovering the Root Password | 156

    Recovering the Root Password on Switches | 158

    Plain-Text Passwords | 161

    Changing the Requirements for Junos OS Plain-Text Passwords | 161

    Example: Changing the Requirements for Junos OS Plain-Text Passwords | 162

    Master Password for Configuration Encryption | 164

    Hardening Shared Secrets in Junos OS | 165

    Understanding Hardening Shared Secrets | 165

    Using Trusted Platform Module to Bind Secrets on SRX Series Devices | 167

    Limitations | 168

    Configuring Master Encryption Password | 168

    Verifying the Status of the TPM | 169

    Changing the Master Encryption Password | 169

    4 User Authentication

    Junos OS User Authentication Overview | 172

    Junos OS User Authentication Methods | 172

    Configuring Local User Template Accounts for User Authentication | 173

    Configuring Remote Template Accounts for User Authentication | 175

    Example: Creating Template Accounts | 176

    Understanding Remote Authentication Servers | 180


  • Local Password Authentication with Remote Authorization on TACACS+ Server | 181

    Authentication Order for RADIUS, TACACS+, and Local Password | 182

    Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication | 182

    Using RADIUS or TACACS+ Authentication | 183

    Using Local Password Authentication | 183

    Order of Authentication Attempts | 184

    Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local Password Authentication | 189

    Example: Configuring Authentication Order | 191

    Example: Configuring System Authentication for RADIUS, TACACS+, and Password Authentication | 194

    RADIUS Authentication | 197

    Configuring RADIUS Server Authentication | 197

    Why Use RADIUS | 198

    Configuring RADIUS Server Details | 198

    Configuring RADIUS To Use the Management Instance | 202

    Example: Configuring a RADIUS Server for System Authentication | 203

    Example: Configuring RADIUS Authentication | 206

    Configuring RADIUS Authentication (QFX Series or OCX Series) | 208

    Configuring RADIUS Server Details | 209

    Configuring MS-CHAPv2 for Password-Change Support | 210

    Specifying a Source Address for the Junos OS to Access External RADIUS Servers | 211

    Juniper Networks Vendor-Specific RADIUS Attributes | 211

    Juniper-Switching-Filter VSA Match Conditions and Actions | 215

    Understanding RADIUS Accounting | 218

    Configuring RADIUS System Accounting | 219

    Configuring Auditing of User Events on a RADIUS Server | 219

    Specifying RADIUS Server Accounting and Auditing Events | 220

    Configuring RADIUS Server Accounting | 220

    RADIUS over TLS (RADSEC) | 223

    Configure the RADSEC Destination | 224

    Configure TLS Connection Parameters | 225

    Example: Simple RADSEC Configuration | 226


  • Monitoring Certificates | 226

    Monitoring RADSEC Destinations | 227

    TACACS+ Authentication | 227

    Configuring TACACS+ Authentication | 228

    Configuring TACACS+ Server Details | 228

    Configuring TACACS+ to Use the Management Instance | 230

    Specifying a Source Address for the Junos OS to Access External TACACS+ Servers | 230

    Configuring the Same Authentication Service for Multiple TACACS+ Servers | 231

    Configuring Juniper Networks Vendor-Specific TACACS+ Attributes | 231

    Example: Configuring a TACACS+ Server for System Authentication | 232

    Configuring Periodic Refresh of the TACACS+ Authorization Profile | 235

    Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Access to Commands | 237

    Juniper Networks Vendor-Specific TACACS+ Attributes | 240

    Configuring TACACS+ System Accounting | 242

    Specifying TACACS+ Auditing and Accounting Events | 243

    Configuring TACACS+ Server Accounting | 243

    Configuring TACACS+ To Use the Management Instance | 245

    Configuring TACACS+ Accounting on a TX Matrix Router | 246

    Authentication for Routing Protocols | 247

    Junos OS Authentication Methods for Routing Protocols | 247

    Example: Configuring the Authentication Key for BGP and IS-IS Routing Protocols | 248

    Configuring BGP | 248

    Configuring IS-IS | 249

    Configuring the Authentication Key Update Mechanism for BGP and LDP Routing Protocols | 250

    Configuring Authentication Key Updates | 251

    Configuring BGP and LDP for Authentication Key Updates | 251

    5 Remote Access Management

    Remote Access Overview | 254

    System Services Overview | 254

    Configuring Telnet Service for Remote Access to a Router or Switch | 255

    Configuring FTP Service for Remote Access to the Router or Switch | 256


  • Configuring Finger Service for Remote Access to the Router | 257

    Configuring SSH Service for Remote Access to the Router or Switch | 257

    Configuring the Root Login Through SSH | 259

    Configuring Incoming SFTP Connections | 260

    Configuring the SSH Protocol Version | 260

    Configuring the Client Alive Mechanism | 261

    Configuring the SSH Fingerprint Hash Algorithm | 261

    The telnet Command | 262

    The ssh Command | 263

    Configuring SSH Host Keys for Secure Copying of Data | 264

    Configuring SSH Known Hosts | 265

    Configuring Support for SCP File Transfer | 266

    Updating SSH Host Key Information | 266

    Configuring the SSH Service to Support Legacy Cryptography | 268

    Configuring Outbound SSH Service | 270

    Configuring the Device Identifier for Outbound SSH Connections | 271

    Sending the Public SSH Host Key to the Outbound SSH Client | 271

    Configuring Keepalive Messages for Outbound SSH Connections | 272

    Configuring a New Outbound SSH Connection | 273

    Configuring the Outbound SSH Client to Accept NETCONF as an Available Service | 273

    Configuring Outbound SSH Clients | 273

    Configuring Routing Instances for Outbound SSH Clients | 274

    Configuring NETCONF-Over-SSH Connections on a Specified TCP Port | 274

    Configuring Password Retry Limits for Telnet and SSH Access | 275

    Example: Configuring a Filter to Block Telnet and SSH Access | 276

    USB Modems for Remote Management of Security Devices | 284

    USB Modem Interface Overview | 284

    USB Modem Interfaces | 285

    Dialer Interface Rules | 285

    How the Device Initializes USB Modems | 286

    USB Modem Configuration Overview | 287

    Example: Configuring a USB Modem Interface | 290

    Example: Configuring a Dialer Interface | 293


  • Example: Configuring a Dialer Interface for USB Modem Dial-In | 298

    Configuring a Dial-Up Modem Connection Remotely | 300

    Connecting to the Device Remotely | 302

    Modifying USB Modem Initialization Commands | 302

    Resetting USB Modems | 303

    Secure Web Access for Remote Management | 304

    Secure Web Access Overview | 304

    Generating SSL Certificates for Secure Web Access (SRX Series Devices) | 305

    Generating SSL Certificates to Be Used for Secure Web Access (EX Series Switch) | 306

    Generating a Self-Signed SSL Certificate Automatically | 307

    Manually Generating Self-Signed SSL Certificates | 307

    Deleting Self-Signed Certificates (CLI Procedure) | 308

    Understanding Self-Signed Certificates on EX Series Switches | 308

    Manually Generating Self-Signed Certificates on Switches (CLI Procedure) | 310

    Generating a Public-Private Key Pair on Switches | 310

    Generating Self-Signed Certificates on Switches | 311

    Example: Configuring Secure Web Access | 311

    Example: Controlling Management Access on SRX Series Devices | 314

    Configuration Guidelines for Securing Console Port Access | 319

    Securing Console Port | 319

    Securing Mini-USB Ports | 321

    Configuring the Console Port Type (CLI Procedure) | 322

    6 Access Control on Switches

    Access Control and Authentication on Switching Devices | 326

    Understanding Authentication on Switches | 326

    Sample Authentication Topology | 327

    802.1X Authentication | 329

    MAC RADIUS Authentication | 330

    Captive Portal Authentication | 331

    Static MAC Bypass of Authentication | 331


  • Fallback of Authentication Methods | 332

    Understanding Access Control on Switches | 333

    Understanding Authentication Session Timeout | 335

    Controlling Authentication Session Timeouts (CLI Procedure) | 336

    Preventing Unauthorized Access to EX Series Switches Using Unattended Mode for U-Boot | 338

    Understanding Unattended Mode for U-Boot on EX Series Switches | 338

    Using Unattended Mode for U-Boot to Prevent Unauthorized Access | 340

    Configuring the Boot Loader Password | 341

    Configuring Unattended Mode for U-Boot | 342

    Accessing the U-Boot CLI | 342

    RADIUS Server Configuration for Authentication | 343

    Specifying RADIUS Server Connections on Switches (CLI Procedure) | 344

    Configuring MS-CHAPv2 to Provide Password-Change Support (CLI Procedure) | 345

    Configuring MS-CHAPv2 for Password-Change Support | 346

    Understanding Server Fail Fallback and Authentication on Switches | 348

    Configuring RADIUS Server Fail Fallback (CLI Procedure) | 349

    802.1X Authentication | 351

    802.1X for Switches Overview | 352

    How 802.1X Authentication Works | 352

    802.1X Features Overview | 353

    802.1X Authentication on Trunk Ports | 354

    Configuring 802.1X Interface Settings (CLI Procedure) | 355

    Understanding RADIUS-Initiated Changes to an Authorized User Session | 357

    Disconnect Messages | 357

    Change of Authorization Messages | 358

    CoA Request Port Bounce | 358

    Error-Cause Codes | 359

    Filtering 802.1X Supplicants by Using RADIUS Server Attributes | 360

    Configuring Firewall Filters on the RADIUS Server | 361

    Applying a Locally Configured Firewall Filter from the RADIUS Server | 364

    Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch | 365

    Understanding Dynamic Filters Based on RADIUS Attributes | 370


  • Understanding Dynamic VLAN Assignment Using RADIUS Attributes | 371

    Understanding Guest VLANs for 802.1X on Switches | 372

    Example: Configuring 802.1X Authentication Options When the RADIUS Server Is Unavailable to an EX Series Switch | 373

    Example: Configuring Fallback Options on EX Series Switches for EAP-TTLS Authentication and Odyssey Access Clients | 379

    Monitoring 802.1X Authentication | 385

    Verifying 802.1X Authentication | 386

    Troubleshooting Authentication of End Devices on EX Series Switches | 388

    MAC RADIUS Authentication | 390

    Configuring MAC RADIUS Authentication (CLI Procedure) | 391

    Example: Configuring MAC RADIUS Authentication on an EX Series Switch | 392

    802.1X and RADIUS Accounting | 399

    Understanding 802.1X and RADIUS Accounting on Switches | 400

    RADIUS Accounting Process | 400

    Supported RADIUS Attributes | 401

    Configuring 802.1X RADIUS Accounting (CLI Procedure) | 403

    Example: Setting Up 802.1X for Single-Supplicant or Multiple-Supplicant Configurations on an EX Series Switch | 405

    Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an EX Series Switch | 413

    Interfaces Enabled for 802.1X or MAC RADIUS Authentication | 420

    Example: Applying a Firewall Filter to 802.1X-Authenticated Supplicants by Using RADIUS Server Attributes on an EX Series Switch | 420

    Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication | 428

    Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication on EX Series Switches with ELS Support | 435

    Static MAC Bypass of 802.1X and MAC RADIUS Authentication | 441

    Configuring Static MAC Bypass of 802.1X and MAC RADIUS Authentication (CLI Procedure) | 442

    Example: Configuring Static MAC Bypass of 802.1X and MAC RADIUS Authentication on an EX Series Switch | 443


  • Captive Portal Authentication | 449

    Example: Setting Up Captive Portal Authentication on an EX Series Switch | 449

    Configuring Captive Portal Authentication (CLI Procedure) | 456

    Configuring Secure Access for Captive Portal | 456

    Enabling an Interface for Captive Portal | 457

    Configuring Bypass of Captive Portal Authentication | 457

    Designing a Captive Portal Authentication Login Page on Switches | 458

    Configuring Captive Portal Authentication (CLI Procedure) on an EX Series Switch with ELS Support | 461

    Configuring Secure Access for Captive Portal | 462

    Enabling an Interface for Captive Portal | 462

    Configuring Bypass of Captive Portal Authentication | 463

    Example: Setting Up Captive Portal Authentication on an EX Series Switch with ELS Support | 463

    Flexible Authentication Order on EX Series Switches | 469

    Configuring Flexible Authentication Order | 470

    Configuring EAPoL Block to Maintain an Existing Authentication Session | 472

    Central Web Authentication | 474

    Understanding Central Web Authentication | 474

    Central Web Authentication Process | 475

    Dynamic Firewall Filters for Central Web Authentication | 476

    Redirect URL for Central Web Authentication | 477

    Configuring Central Web Authentication | 477

    Configuring Dynamic Firewall Filters for Central Web Authentication | 478

    Configuring the Redirect URL for Central Web Authentication | 479

    Guidelines for Configuring Central Web Authentication | 480

    Centralized Access Control to Network Resources on EX Series Switches | 481

    Understanding Centralized Network Access Control and EX Series Switches | 481

    NAC Using Any RADIUS Server and Access Policies Defined on the Local Switch | 482

    Centralized NAC Using Junos Pulse Access Control Service | 482


  • Captive Portal Authentication | 483

    Configuring an EX Series Switch to Use Junos Pulse Access Control Service for Network Access Control (CLI Procedure) | 484

    OBSOLETE: Configuring the EX Series Switch for Captive Portal Authentication with Junos Pulse Access Control Service (CLI Procedure) | 488

    VoIP on EX Series Switches | 489

    Understanding 802.1X and VoIP on EX Series Switches | 489

    Multi Domain 802.1X Authentication | 491

    Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch | 492

    Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support | 501

    Example: Configuring VoIP on an EX Series Switch Without Including LLDP-MED Support | 508

    Example: Configuring VoIP on an EX Series Switch Without Including 802.1X Authentication | 514

    Example: Setting Up VoIP with 802.1X and LLDP-MED on an EX Series Switch with ELS Support | 522

    7 Configuring IEEE 802.1x Port-Based Network Access Control

    IEEE 802.1x Port-Based Network Access Control Overview | 534

    Understanding the Administrative State of the Authenticator Port | 535

    Understanding the Administrative Mode of the Authenticator Port | 535

    Configuring the Authenticator | 536

    Viewing the dot1x Configuration | 537

    8 Configuring IEEE 802.1x Port-Based Network Access Control in Enhanced LAN Mode

    802.1X for MX Series Routers in Enhanced LAN Mode Overview | 540

    How 802.1X Authentication Works | 541

    802.1X Features Overview | 543

    Supported Features Related to 802.1X Authentication | 543

    Understanding 802.1X and LLDP and LLDP-MED on MX Series Routers in Enhanced LAN Mode | 544

    Understanding 802.1X and RADIUS Accounting on MX Series Routers in Enhanced LAN Mode | 547

    Understanding 802.1X and VoIP on MX Series Routers in Enhanced LAN Mode | 548


  • Understanding Guest VLANs for 802.1X on MX Series Routers in Enhanced LAN Mode | 551

    Understanding Dynamic VLANs for 802.1X on MX Series Routers in Enhanced LAN Mode | 551

    Understanding Server Fail Fallback and Authentication on MX Series Routers in Enhanced LAN Mode | 552

    Configuring 802.1X RADIUS Accounting on MX Series Routers in Enhanced LAN Mode | 553

    Configuring 802.1X Interface Settings on MX Series Routers in Enhanced LAN Mode | 556

    Configuring LLDP-MED on MX Series Routers in Enhanced LAN Mode | 558

    Enabling LLDP-MED on Interfaces | 558

    Configuring Location Information Advertised by the Router | 558

    Configuring for Fast Start | 559

    Configuring LLDP on MX Series Routers in Enhanced LAN Mode | 560

    Enabling LLDP on Interfaces | 560

    Adjusting LLDP Advertisement Settings | 561

    Adjusting SNMP Notification Settings of LLDP Changes | 562

    Specifying a Management Address for the LLDP Management TLV | 563

    Configuring Server Fail Fallback on MX Series Routers in Enhanced LAN Mode | 564

    Understanding Captive Portal Authentication on the MX Series Routers | 566

    Limitations of Captive Portal | 566

    Understanding Authentication Session Timeout on MX Series Routers | 567

    Authentication Process Flow for MX Series Routers in Enhanced LAN Mode | 568

    Specifying RADIUS Server Connections on an MX Series Router in Enhanced LAN Mode | 570

    Configuring Captive Portal Authentication on MX Series Routers in Enhanced LAN Mode | 571

    Configuring Secure Access for Captive Portal | 572

    Enabling an Interface for Captive Portal | 573

    Configuring Bypass of Captive Portal Authentication | 573


  • Designing a Captive Portal Authentication Login Page on an MX Series Router | 574

    Configuring Static MAC Bypass of Authentication on MX Series Routers in Enhanced LAN Mode | 577

    Controlling Authentication Session Timeouts on an MX Series Router in Enhanced LAN Mode | 578

    Configuring MAC RADIUS Authentication on MX Series Routers in Enhanced LAN Mode | 580

    Example: Configuring MAC RADIUS Authentication on an MX Series Router | 582

    Example: Setting Up Captive Portal Authentication on an MX Series Router | 587

    Example: Connecting a RADIUS Server for 802.1X to an MX Series Router | 594

    Example: Setting Up 802.1X in Conference Rooms to Provide Internet Access to Corporate Visitors on an MX Series Router | 598

    Example: Configuring Static MAC Bypass of Authentication on an MX Series Router | 602

    Example: Applying Firewall Filters to Multiple Supplicants on Interfaces Enabled for 802.1X or MAC RADIUS Authentication on MX Series Routers | 607

    9 Device Discovery

    Device Discovery Using LLDP and LLDP-MED on Switches | 615

    Understanding LLDP | 615

    Configuring LLDP (CLI Procedure) | 616

    Enabling LLDP on Interfaces | 617

    Adjusting LLDP Advertisement Settings | 617

    Adjusting SNMP Notification Settings of LLDP Changes | 618

    Specifying a Management Address for the LLDP Management TLV | 619

    Configuring LLDP Power Negotiation | 619

    Disabling LLDP TLVs | 620

    Configuring LLDP (J-Web Procedure) | 622

    Understanding LLDP and LLDP-MED on EX Series Switches | 623

    Benefits of LLDP and LLDP-MED | 623

    LLDP and LLDP-MED Overview | 624

    Supported LLDP TLVs | 624

    Supported LLDP-MED TLVs | 626


  • Disabling TLVs | 627

    Configuring LLDP-MED (CLI Procedure) | 627

    Enabling LLDP-MED on Interfaces | 627

    Configuring Location Information Advertised by the Switch | 628

    Configuring a Fast Start for LLDP-MED | 628

    Disabling LLDP-MED TLVs | 629

    NetBIOS Snooping on EX Series Switches | 631

    Understanding NetBIOS Snooping | 631

    What Is a NetBIOS Name? | 631

    How NetBIOS Snooping Works | 632

    Configuring NetBIOS Snooping (CLI Procedure) | 632

    Enabling NetBIOS Snooping | 633

    Disabling NetBIOS Snooping | 633

    10 Domain Name Security

    DNSSEC Overview | 635

    Configuring the TTL Value for DNS Server Caching | 635

    Example: Configuring DNSSEC | 637

    Example: Configuring Secure Domains and Trusted Keys for DNSSEC | 638

    Example: Configuring Keys for DNSSEC | 640

    DNS Proxy Overview | 641

    DNS Proxy Cache | 641

    DNS Proxy with Split DNS | 642

    Dynamic Domain Name System Client | 644

    Configuring the Device as a DNS Proxy | 646

    11 Permission Flags

    access | 652

    access-control | 657

    admin | 658

    admin-control | 664


  • all-control | 665

    clear | 666

    configure | 767

    control | 768

    field | 769

    firewall | 770

    firewall-control | 775

    floppy | 776

    flow-tap | 777

    flow-tap-control | 782

    flow-tap-operation | 783

    idp-profiler-operation | 784

    interface | 784

    interface-control | 790

    maintenance | 791

    network | 804

    pgcp-session-mirroring | 807

    pgcp-session-mirroring-control | 812

    reset | 812

    rollback | 814

    routing | 814

    routing-control | 825

    secret | 831

    secret-control | 837

    security | 839


  • security-control | 849

    shell | 854

    snmp | 855

    snmp-control | 860

    system | 861

    system-control | 869

    trace | 871

    trace-control | 883

    view | 890

    view-configuration | 1040

    12 Configuration Statements

    accounting (System) | 1048

    accounting-order | 1050

    accounting-port (RADIUS Server) | 1051

    accounting-server | 1052

    address-protection | 1054

    algorithm (Authentication Keychain) | 1056

    archival | 1057

    authentication-key-chains | 1059

    authentication-order (System) | 1061

    authentication-order (Authenticator) | 1063

    authentication-protocol | 1066

    authentication-whitelist | 1068

    authenticator | 1070

    boot-loader-authentication | 1073


  • boot-server (NTP) | 1075

    boot-server (NTP) | 1076

    broadcast | 1078

    broadcast | 1080

    broadcast-client | 1081

    broadcast-client | 1082

    ca-type | 1083

    captive-portal | 1085

    civic-based | 1087

    class (Defining Login Classes) | 1089

    connection-limit | 1100

    custom-options | 1102

    description (Authentication Keychain) | 1105

    destination (Accounting) | 1106

    destination (Accounting) | 1108

    destination (RADSEC) | 1110

    detection-time | 1112

    disable (DNSSEC) | 1113

    dlv | 1114

    dot1x | 1115

    eapol-block | 1118

    enhanced-avs-max | 1120

    events | 1121

    failover-delay | 1122

    file (System Logging) | 1123


  • file (System Logging) | 1125

    finger | 1127

    flow-tap-dtcp | 1128

    ftp | 1129

    host (SSH Known Hosts) | 1130

    hostkey-algorithm | 1132

    http (Web Management) | 1134

    https (Web Management) | 1135

    interface (802.1X) | 1137

    interface (Captive Portal) | 1145

    interface (LLDP) | 1148

    interface (LLDP-MED) | 1151

    interface (VoIP) | 1153

    interface-description-format | 1155

    interfaces (ARP) | 1157

    interfaces (Security Zones) | 1158

    key (Authentication Keychain) | 1159

    key-chain (Security) | 1161

    key-exchange | 1163

    lldp | 1165

    lldp-med (Ethernet Switching) | 1173

    lldp-priority | 1175

    local-certificate | 1176

    location (LLDP-MED) | 1177

    location (System) | 1179


  • login | 1181

    mac-radius | 1186

    master-password | 1188

    method | 1190

    multi-domain | 1192

    multicast-client | 1194

    multicast-client | 1195

    nas-port-extended-format | 1196

    nas-port-id-format (Subscriber Management) | 1198

    nas-port-type (Subscriber Management) | 1200

    ntp | 1202

    options (Security) | 1205

    outbound-ssh | 1206

    password (Login) | 1209

    password-options | 1215

    peer (NTP) | 1216

    port (NETCONF) | 1217

    port (RADIUS Server) | 1218

    port (SRC Server) | 1219

    port (TACACS+ Server) | 1220

    profile | 1221

    profilerd | 1223

    provisioning-order (Diameter Applications) | 1224

    proxy | 1225

    radius (System) | 1226


  • radius-options (System) | 1227

    radius-server | 1229

    radius-server | 1231

    radius-server (System) | 1233

    radsec | 1234

    radsec-destination | 1236

    rate-limit | 1237

    regex-additive-logic | 1239

    remote-debug-permission | 1240

    retry | 1241

    retry (RADIUS) | 1242

    retry-options | 1243

    revert-interval (Access) | 1245

    root-authentication | 1246

    routing-engine-profile | 1248

    routing-instance | 1249

    routing-instance (Accounting and Authentication) | 1250

    secret (RADIUS or TACACS+ Server) | 1252

    server (NTP) | 1254

    server (DNS, Port, and TFTP Service) | 1256

    server (RADIUS Accounting) | 1258

    server (TACACS+ Accounting) | 1259

    server-reject-bridge-domain | server-reject-vlan | 1260

    servers | 1262

    service (Service Accounting) | 1263


  • service-deployment | 1264

    services (Switches) | 1265

    session (Web Management) | 1266

    single-connection | 1267

    sip-server | 1268

    source-address (NTP, RADIUS, System Logging, or TACACS+) | 1269

    source-address (SRC Software) | 1270

    ssh (System Services) | 1271

    ssh-known-hosts | 1279

    ssh-known-hosts | 1280

    ssl-renegotiation | 1281

    start-time (Authentication Key Transmission) | 1282

    static (802.1X) | 1284

    static-subscribers | 1285

    statistics-service | 1286

    subscriber-management-helper | 1287

    tacplus | 1288

    tacplus | 1289

    tacplus-options | 1291

    tacplus-server | 1294

    telnet | 1296

    tftp | 1297

    timeout (System) | 1298

    timeout-action (Access Control Service) | 1299

    tlv-filter | 1300


  • tlv-select | 1303

    traceoptions (802.1X) | 1306

    traceoptions (DNS, Port, and TFTP Packet Forwarding) | 1308

    traceoptions (LLDP) | 1311

    traceoptions (Outbound SSH) | 1314

    traceoptions (SBC Configuration Process) | 1316

    traceoptions (Security) | 1318

    trusted-key | 1320

    uac-policy | 1321

    uac-service | 1322

    uac-service | 1323

    unattended-boot | 1324

    usb-control | 1325

    user (Access) | 1326

    voip | 1329

    vpn (Forwarding Options) | 1330

    watchdog | 1331

    web-management (System Services) | 1332

    web-management (System Processes) | 1336

    xnm-clear-text | 1337

    xnm-ssl | 1338

    13 Operational Commands

    clear accounting server statistics archival-transfer | 1344

    clear captive-portal | 1345

    clear dot1x | 1348


  • clear lldp neighbors | 1351

    clear lldp statistics | 1352

    clear lldp neighbors | 1353

    clear lldp statistics | 1354

    clear network-access radsec state | 1355

    clear network-access radsec statistics | 1356

    clear security pki local-certificate | 1357

    clear security ssh key-pair-identity | 1359

    clear system login lockout | 1360

    request component login | 1361

    request ipsec switch | 1364

    request message | 1365

    request security certificate enroll (Signed) | 1367

    request security certificate enroll (Unsigned) | 1369

    request security key-pair | 1371

    request security pki generate-key-pair | 1373

    request security pki local-certificate generate-self-signed | 1375

    request security ssh key-pair-identity generate | 1377

    request security tpm master-encryption-password set | 1379

    request system autorecovery state | 1381

    request system decrypt password | 1384

    request system download abort | 1386

    request system download clear | 1388

    request system download pause | 1389

    request system download resume | 1391

    request system download start | 1393

    request system firmware upgrade | 1395

    request system license update | 1397

    request system reboot | 1399

    request system reboot (SRX Series) | 1409

    request system snapshot (Maintenance) | 1411

    request system software abort in-service-upgrade (ICU) | 1415

    request system software add (Maintenance) | 1417

    request system software rollback (SRX Series) | 1418

    request system zeroize | 1419

    show accounting server statistics archival-transfer | 1421

    show captive-portal authentication-failed-users | 1422

    show captive-portal firewall | 1424

    show captive-portal interface | 1427

    show chassis routing-engine (View) | 1431

    show dot1x | 1437

    show dot1x accounting attribute | 1444

    show dot1x authentication-failed-users | 1447

    show dot1x firewall | 1449

    show dot1x static-mac-address | 1451

    show dot1x statistics | 1453

    show ethernet-switching interface | 1456

    show ethernet-switching interfaces | 1460

    show firewall (View) | 1470

    show lldp | 1473

    show lldp local-information | 1481

    show lldp neighbors | 1484

    show lldp neighbors | 1490

    show lldp remote-global-statistics | 1498

    show lldp statistics | 1500

    show lldp statistics | 1502

    show network-access aaa statistics accounting | 1505

    show network-access aaa statistics authentication | 1507

    show network-access aaa statistics dynamic-requests | 1509

    show network-access radsec local-certificate | 1511

    show network-access radsec statistics | 1514

    show network-access radsec state | 1517

    show route extensive | 1520

    show route instance | 1546

    show security ssh key-pair-identity | 1551

    show security pki local-certificate | 1553

    show security tpm status | 1557

    show services unified-access-control authentication-table | 1559

    show services unified-access-control policies | 1562

    show services unified-access-control status | 1565

    show snmp | 1566

    show snmp statistics | 1569

    show ssl-certificates | 1577

    show system autorecovery state | 1580

    show system download | 1582

    show system license (View) | 1584

    show system login lockout | 1588

    show system services service-deployment | 1590

    show system snapshot media | 1592

    show system storage partitions | 1595

    show system users | 1599

    ssh | 1605

    telnet | 1608

    test access profile | 1611

    test access radius-server | 1616

    About the Documentation

    IN THIS SECTION

    Documentation and Release Notes | xxix

    Using the Examples in This Manual | xxix

    Documentation Conventions | xxxi

    Documentation Feedback | xxxiv

    Requesting Technical Support | xxxiv

    The Junos operating system (Junos OS) enables you to configure user access and authentication features at the [edit system] hierarchy level of the CLI. Essential user access features include login classes, user accounts, access privilege levels, and user authentication methods. Use the topics on this page to configure essential user access features for your system.

    Documentation and Release Notes

    To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.

    If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

    Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.

    Using the Examples in This Manual

    If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.

    If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.

    If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

    Merging a Full Example

    To merge a full example, follow these steps:

    1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

    system {
        scripts {
            commit {
                file ex-script.xsl;
            }
        }
    }
    interfaces {
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }

    2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

    [edit]
    user@host# load merge /var/tmp/ex-script.conf
    load complete

    Merging a Snippet

    To merge a snippet, follow these steps:

    1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

    commit {
        file ex-script-snippet.xsl;
    }

    2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:

    [edit]
    user@host# edit system scripts
    [edit system scripts]

    3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

    [edit system scripts]
    user@host# load merge relative /var/tmp/ex-script-snippet.conf
    load complete

    For more information about the load command, see CLI Explorer.

    Documentation Conventions

    Table 1 on page xxxii defines notice icons used in this guide.

    Table 1: Notice Icons

    (The icon images are not reproduced here; the table lists each icon's meaning and description.)

    Meaning               Description

    Informational note    Indicates important features or instructions.
    Caution               Indicates a situation that might result in loss of data or hardware damage.
    Warning               Alerts you to the risk of personal injury or death.
    Laser warning         Alerts you to the risk of personal injury from a laser.
    Tip                   Indicates helpful information.
    Best practice         Alerts you to a recommended use or implementation.

    Table 2 on page xxxii defines the text and syntax conventions used in this guide.

    Table 2: Text and Syntax Conventions

    Convention: Bold text like this
    Description: Represents text that you type.
    Examples:
        To enter configuration mode, type the configure command:
        user@host> configure

    Convention: Fixed-width text like this
    Description: Represents output that appears on the terminal screen.
    Examples:
        user@host> show chassis alarms
        No alarms currently active

    Convention: Italic text like this
    Description:
        • Introduces or emphasizes important new terms.
        • Identifies guide names.
        • Identifies RFC and Internet draft titles.
    Examples:
        • A policy term is a named structure that defines match conditions and actions.
        • Junos OS CLI User Guide
        • RFC 1997, BGP Communities Attribute

    Convention: Italic text like this
    Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
    Examples:
        Configure the machine's domain name:
        [edit]
        root@# set system domain-name domain-name

    Convention: Text like this
    Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
    Examples:
        • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
        • The console port is labeled CONSOLE.

    Convention: < > (angle brackets)
    Description: Encloses optional keywords or variables.
    Examples:
        stub ;

    Convention: | (pipe symbol)
    Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Examples:
        broadcast | multicast
        (string1 | string2 | string3)

    Convention: # (pound sign)
    Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
    Examples:
        rsvp { # Required for dynamic MPLS only

    Convention: [ ] (square brackets)
    Description: Encloses a variable for which you can substitute one or more values.
    Examples:
        community name members [ community-ids ]

    Convention: Indention and braces ( { } )
    Description: Identifies a level in the configuration hierarchy.
    Examples:
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }

    Convention: ; (semicolon)
    Description: Identifies a leaf statement at a configuration hierarchy level.
    Examples:
        In the routing-options example above, nexthop address; and retain; are leaf statements.

    GUI Conventions

    Convention: Bold text like this
    Description: Represents graphical user interface (GUI) items you click or select.
    Examples:
        • In the Logical Interfaces box, select All Interfaces.
        • To cancel the configuration, click Cancel.

    Convention: > (bold right angle bracket)
    Description: Separates levels in a hierarchy of menu selections.
    Examples:
        In the configuration editor hierarchy, select Protocols>Ospf.

    Documentation Feedback

    We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:

    • Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:

    • Click the thumbs-up icon if the information on the page was helpful to you.

    • Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.

    • E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

    Requesting Technical Support

    Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active Juniper Care or Partner Support Services support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

    • JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

    • Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.

    • JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

    Self-Help Online Tools and Resources

    For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

    • Find CSC offerings: https://www.juniper.net/customers/support/

    • Search for known bugs: https://prsearch.juniper.net/

    • Find product documentation: https://www.juniper.net/documentation/

    • Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/

    • Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/

    • Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/

    • Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/

    • Create a service request online: https://myjuniper.juniper.net

    To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

    Creating a Service Request with JTAC

    You can create a service request with JTAC on the Web or by telephone.

    • Visit https://myjuniper.juniper.net.

    • Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

    For international or direct-dial options in countries without toll-free numbers, see https://support.juniper.net/support/requesting-support/.

    CHAPTER 1

    Login Classes and Login Settings

    Junos OS Login Classes Overview | 37

    Junos OS Login Settings | 43

    Junos OS Login Classes Overview

    IN THIS SECTION

    Junos OS Login Classes Overview | 37

    Defining Junos OS Login Classes | 41

    Example: Creating Login Classes with Specific Privileges | 42

    Junos OS login classes allow you to define access privileges, permission for using CLI commands and statements, and session idle time for each login class. You can apply a login class to an individual user account, thereby specifying certain privileges and permissions to the user. Read this topic for more information.

    Junos OS Login Classes Overview

    All users who can log in to the router or switch must be in a login class. With login classes, you define the following:

    • Access privileges that users have when they are logged in to the router or switch

    • Commands and statements that users can and cannot specify

    • How long a login session can be idle before it times out and the user is logged out

    You can define any number of login classes and then apply one login class to an individual user account.

    The Junos operating system (Junos OS) contains a few predefined login classes, which are listed in Table 3 on page 37. The predefined login classes cannot be modified.

    Table 3: Predefined System Login Classes

    Login Class                 Permission Flag Set

    operator                    clear, network, reset, trace, and view
    read-only                   view
    superuser or super-user     all
    unauthorized                None

    NOTE:

    • You cannot modify a predefined login class name. If you issue the set command on a predefined class name, the Junos OS appends -local to the login class name. The following message also appears:

    warning: '' is a predefined class name; changing to '-local'

    • You cannot issue the rename or copy command on a predefined login class. Doing so results in the following error message:

    error: target '' is a predefined class

    Permission Bits

    Each top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. The access privileges for each login class are defined by one or more permission bits (see Table 4 on page 38).

    Two forms for the permissions control the individual parts of the configuration:

    • "Plain" form—Provides read-only capability for that permission type. An example is interface.

    • Form that ends in -control—Provides read and write capability for that permission type. An example is interface-control.

    Table 4: Permission Bits for Login Classes

    Permission Bit       Access

    admin                Can view user account information in configuration mode and with the show configuration command.
    admin-control        Can view user accounts and configure them (at the [edit system login] hierarchy level).
    access               Can view the access configuration in configuration mode and with the show configuration operational mode command.
    access-control       Can view and configure access information (at the [edit access] hierarchy level).
    all                  Has all permissions.
    clear                Can clear (delete) information learned from the network that is stored in various network databases (using the clear commands).
    configure            Can enter configuration mode (using the configure command) and commit configurations (using the commit command).
    control              Can perform all control-level operations (all operations configured with the -control permission bits).
    field                Reserved for field (debugging) support.
    firewall             Can view the firewall filter configuration in configuration mode.
    firewall-control     Can view and configure firewall filter information (at the [edit firewall] hierarchy level).
    floppy               Can read from and write to the removable media.
    interface            Can view the interface configuration in configuration mode and with the show configuration operational mode command.
    interface-control    Can view chassis, class of service, groups, forwarding options, and interfaces configuration information. Can configure chassis, class of service, groups, forwarding options, and interfaces (at the [edit] hierarchy).
    maintenance          Can perform system maintenance, including starting a local shell on the device and becoming the superuser in the shell (by issuing the su root command), and can halt and reboot the device (using the request system commands).
    network              Can access the network by entering the ping, ssh, telnet, and traceroute commands.
    reset                Can restart software processes using the restart command and can configure whether software processes are enabled or disabled (at the [edit system processes] hierarchy level).
    rollback             Can use the rollback command to return to a previously committed configuration other than the most recently committed one.
    routing              Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
    routing-control      Can view general routing, routing protocol, and routing policy configuration information and configure general routing (at the [edit routing-options] hierarchy level), routing protocols (at the [edit protocols] hierarchy level), and routing policy (at the [edit policy-options] hierarchy level).
    secret               Can view passwords and other authentication keys in the configuration.
    secret-control       Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.
    security             Can view security configuration in configuration mode and with the show configuration operational mode command.
    security-control     Can view and configure security information (at the [edit security] hierarchy level).
    shell                Can start a local shell on the device by entering the start shell command.
    snmp                 Can view SNMP configuration information in configuration and operational modes.
    snmp-control         Can view SNMP configuration information and configure SNMP (at the [edit snmp] hierarchy level).
    system               Can view system-level information in configuration and operational modes.
    system-control       Can view system-level configuration information and configure it (at the [edit system] hierarchy level).
    trace                Can view trace file settings in configuration and operational modes.
    trace-control        Can view trace file settings and configure trace file properties.
    view                 Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics.

    Denying or Allowing Individual Commands

    By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, you can explicitly deny or allow the use of operational and configuration mode commands that are otherwise permitted or not allowed by a permission bit.

    Defining Junos OS Login Classes

    Login classes allow you to define the following:

    • Access privileges that users have when they are logged in to the router or switch

    • Commands and statements that users can and cannot specify

    • How long a login session can be idle before it times out and the user is logged out

    All users who can log in to the router or switch must be in a login class. Therefore, you must define a Junos OS login class for each user or class of users. You can define any number of login classes depending on the types of permissions the users need.

    To define a login class and its access privileges, include the class statement at the [edit system login] hierarchy level:

    [edit system login]
    class class-name {
        access-end hh:mm;
        access-start hh:mm;
        ( allow-commands | allow-commands-regexps ) "regular expression 1" "regular expression 2";
        ( allow-configuration | allow-configuration-regexps ) "regular expression 1" "regular expression 2";
        allow-sources [ allow-sources ... ];
        allow-times [ allow-times ... ];
        allowed-days [ days of the week ];
        cli {
            prompt prompt;
        }
        configuration-breadcrumbs;
        confirm-commands [ "regular expression or command 1" "regular expression or command 2" ... ] {
            confirmation-message;
        }
        ( deny-commands | deny-commands-regexps ) [ "regular expression 1" "regular expression 2" ... ];
        ( deny-configuration | deny-configuration-regexps ) "regular expression 1" "regular expression 2";
        deny-sources [ deny-sources ... ];
        deny-times [ deny-times ... ];
        idle-timeout minutes;
        logical-system logical-system-name;
        login-alarms;
        login-script filename;
        login-tip;
        no-scp-server;
        no-sftp-server;
        permissions [ permissions ];
        satellite all;
        security-role (audit-administrator | crypto-administrator | ids-administrator | security-administrator);
        tenant tenant;
    }

    Example: Creating Login Classes with Specific Privileges

    Login classes are used to assign certain permissions or restrictions to groups of users, ensuring that sensitive commands are only accessible to the appropriate users. By default, Juniper Networks devices have four types of login classes with preset permissions: operator, read-only, superuser or super-user, and unauthorized.

    You can create new custom login classes to make different combinations of permissions that are not found in the default login classes. The following example shows how to create three custom login classes, each with specific privileges and timers to disconnect the class members after a period of inactivity. Inactivity timers help protect network security by disconnecting a user from the network if the user is away from the computer for too long, preventing potential security risks created by leaving an unattended account logged in to a switch or router. The permissions and inactivity timers shown here are only examples and should be customized to your organization.

    The first class of users is called observation and they can only view statistics and configuration. They are not allowed to modify any configuration. The second class of users is called operation and they can view and modify the configuration. The third class of users is called engineering and they have unlimited access and control. All three login classes use the same inactivity timer of 5 minutes.

    [edit]
    system {
        login {
            class observation {
                idle-timeout 5;
                permissions [ view ];
            }
            class operation {
                idle-timeout 5;
                permissions [ admin clear configure interface interface-control network reset routing routing-control snmp snmp-control trace-control firewall-control rollback ];
            }
            class engineering {
                idle-timeout 5;
                permissions all;
            }
        }
    }
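    The permission-bit rule described under "Permission Bits" (plain bit for read-only, -control bit for read and write, all and control as umbrella bits) and the three classes from the example above, modelled in Python. This is an added example, not code from the Junos OS guide or from Juniper; the grouping of bits into CONTROLLABLE and STANDALONE, and the reading that control also covers the read half of each -control bit, are this example's interpretation of Table 4.

```python
# Added example (not Juniper code): model how Junos OS login-class permission
# bits grant read or read/write access, following the rule in the guide: the
# plain form of a bit grants read-only access, the -control form grants read
# and write access, 'all' grants everything and 'control' grants every
# -control operation. Treating 'control' as also covering the read half of
# each -control bit is this example's reading of Table 4.
from typing import Optional

# Permission types that exist in a plain (read) and a -control (read/write) form.
CONTROLLABLE = frozenset({
    "admin", "access", "firewall", "interface", "routing",
    "secret", "security", "snmp", "system", "trace",
})
# Bits that grant an ability rather than an area and have no -control form.
STANDALONE = frozenset({
    "clear", "configure", "field", "floppy", "maintenance",
    "network", "reset", "rollback", "shell", "view",
})
KNOWN_BITS = CONTROLLABLE | {b + "-control" for b in CONTROLLABLE} | STANDALONE | {"all", "control"}


class LoginClass:
    """The permissions [ ... ] and idle-timeout values of one login class."""

    def __init__(self, name: str, permissions, idle_timeout: Optional[int] = None):
        bits = frozenset(permissions)
        unknown = bits - KNOWN_BITS
        if unknown:
            raise ValueError(f"{name}: unknown permission bits {sorted(unknown)}")
        self.name = name
        self.permissions = bits
        self.idle_timeout = idle_timeout  # minutes; None means the session never times out


def can_read(login_class: LoginClass, perm_type: str) -> bool:
    """True if the class may view the area (or use the ability) named by a plain bit."""
    bits = login_class.permissions
    if "all" in bits or perm_type in bits:
        return True
    if perm_type in CONTROLLABLE:
        return f"{perm_type}-control" in bits or "control" in bits
    return False


def can_write(login_class: LoginClass, perm_type: str) -> bool:
    """True if the class may configure the area: needs the -control form, all or control."""
    bits = login_class.permissions
    if "all" in bits:
        return True
    return perm_type in CONTROLLABLE and (f"{perm_type}-control" in bits or "control" in bits)


def can_enter_configuration_mode(login_class: LoginClass) -> bool:
    """Entering configuration mode and committing require the configure bit."""
    return "all" in login_class.permissions or "configure" in login_class.permissions


def effective_access(login_class: LoginClass, perm_type: str) -> str:
    """Summarise access to one area as 'read-write', 'read-only' or 'none'."""
    if can_write(login_class, perm_type):
        return "read-write"
    if can_read(login_class, perm_type):
        return "read-only"
    return "none"


# The three classes from the example configuration in this section.
OBSERVATION = LoginClass("observation", ["view"], idle_timeout=5)
OPERATION = LoginClass(
    "operation",
    ["admin", "clear", "configure", "interface", "interface-control", "network",
     "reset", "routing", "routing-control", "snmp", "snmp-control",
     "trace-control", "firewall-control", "rollback"],
    idle_timeout=5,
)
ENGINEERING = LoginClass("engineering", ["all"], idle_timeout=5)

if __name__ == "__main__":
    for lc in (OBSERVATION, OPERATION, ENGINEERING):
        summary = {p: effective_access(lc, p) for p in ("interface", "firewall", "secret", "admin")}
        print(f"{lc.name:12} config-mode={can_enter_configuration_mode(lc)} {summary}")
```

    Running the block shows the point of the example: operation gets read-write on interface and firewall (through the -control bits) but has no access at all to secret, so it cannot view passwords or authentication keys, while observation cannot even enter configuration mode because it lacks the configure bit.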

    RELATED DOCUMENTATION

    Junos OS User Accounts | 57

    Junos OS Administrative Roles | 71

    Junos OS User Access Privileges | 83

    Junos OS Login Settings

    IN THIS SECTION

    Configuring Junos OS to Display a System Login Announcement | 44

    Configuring System Alarms to Appear Automatically Upon Login | 46

    Configuring Login Tips | 46

    Examples: Configuring Time-Based User Access | 47

    Configuring the Timeout Value for Idle Login Sessions | 48

    Login Retry Options | 49

    Limiting the Number of User Login Attempts for SSH and Telnet Sessions | 50

    Example: Configuring Login Retry Options | 52

    Junos OS allows you to specify various settings for users after they have logged in. You can define an announcement to show users after they log in, display system alarms, provide login tips, specify time-based user access, and limit the number of login attempts. Read this topic for more information.

    Configuring Junos OS to Display a System Login Announcement

    Sometimes you want to make announcements only to authorized users after they have logged in. For example, you might want to announce an upcoming maintenance event.

    You can format the announcement using the following special characters:

    • \n—New line

    • \t—Horizontal tab

    • \'—Single quotation mark

    • \"—Double quotation mark

    • \\—Backslash

    If the message text contains any spaces, enclose it in quotation marks.

    By default, no login announcement is displayed.

    To configure an announcement that can be seen only by authorized users:

    1. Include the announcement statement in the [edit system login] configuration.

    [edit system login]
    user@host# set announcement text

    For example:

    system {
        login {
            announcement "\tJuly 27th 1:00 AM to 8:00\n\nPlanned Network Maintenance\n\nAFFECTED LOCATIONS: Sunnyvale\n\nPLANNED ACTIVITY: Upgrade all 6200 switch firmware to the Enterprise TAC recommended firmware version\n\nPURPOSE: This activity will help to minimize the impact of unplanned power outages as well as address known issues within our currently installed firmware version(s)\n\nWHAT TO EXPECT: During the maintenance window for your site, the office network will not be available.\n\n";
            message "\n\n\n\tTP0 - M7i - iX Router Lab\n\n\tUNAUTHORIZED USE OF THIS ROUTER\n\tIS STRICTLY PROHIBITED!\n\n\tPlease contact \'[email protected]\' to gain\n\taccess to this equipment if you need authorization.\n\n\n";
        }
    }

    2. Commit the configuration.

    [edit system login]
    user@host# commit

    3. Connect to the device in a new session to verify the presence of the new banner.

    The preceding login message configuration example produces a login message similar to the following:

    server% telnet host
    Trying 203.0.113.0

    Connected to host.example.net

    Escape character is '^]'.

    TP0 - M7i - iX Router Lab

    UNAUTHORIZED USE OF THIS ROUTER

    IS STRICTLY PROHIBITED!

    Please contact '[email protected]' to gain

    access to this equipment if you need authorization

    login: user

    Password:

    July 27th 1:00 AM to 8:00

    Planned Network Maintenance

    AFFECTED LOCATIONS: Sunnyvale

    PLANNED ACTIVITY: Upgrade all 6200 switch firmware to the Enterprise TAC

    recommended firmware version

    PURPOSE: This activity will help to minimize the impact of unplanned power

    outages as well as address known issues within our currently installed firmware

    version(s)

    WHAT TO EXPECT: During the maintenance window for your site, the office network

    will not be available.

    If the announcement text contains any spaces, enclose the text in quotation marks.

    A system login announcement appears after the user logs in. A system login message appears before theuser logs in.

    TIP: You can use the same special characters described to format your system login announcement.
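    The five escape sequences listed for announcement and message text, handled by a small renderer that expands exactly those sequences and rejects anything else, so a mistyped backslash is caught before the text is committed. This is an added example, not code from the Junos OS guide or from Juniper, and SAMPLE_ANNOUNCEMENT is a constructed excerpt of the announcement above as it is typed between the quotation marks.

```python
# Added example (not Juniper code): expand the escape sequences the guide lists
# for announcement and message text (\n, \t, \', \", \\) the way the CLI will
# display them. Any other backslash sequence, or a trailing lone backslash, is
# reported as an error rather than passed through silently.

ESCAPES = {"n": "\n", "t": "\t", "'": "'", '"': '"', "\\": "\\"}


def render_announcement(text: str) -> str:
    """Return `text` with the five supported escape sequences expanded.

    Raises ValueError for an unknown escape or a lone backslash at the end, so a
    malformed announcement is found before it is committed.
    """
    out = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(text):
            raise ValueError("announcement ends with a lone backslash")
        nxt = text[i + 1]
        if nxt not in ESCAPES:
            raise ValueError(f"unknown escape sequence \\{nxt} at offset {i}")
        out.append(ESCAPES[nxt])
        i += 2
    return "".join(out)


def needs_quoting(text: str) -> bool:
    """The guide requires quotation marks around text that contains spaces."""
    return " " in text


# Constructed excerpt of the maintenance announcement above, written as it is
# typed in the CLI (the raw string keeps the backslashes literal).
SAMPLE_ANNOUNCEMENT = (
    r"\tJuly 27th 1:00 AM to 8:00\n\nPlanned Network Maintenance\n\n"
    r"AFFECTED LOCATIONS: Sunnyvale\n\n"
)

if __name__ == "__main__":
    print(render_announcement(SAMPLE_ANNOUNCEMENT))
    print("needs quoting:", needs_quoting(SAMPLE_ANNOUNCEMENT))
```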

    Configuring System Alarms to Appear Automatically Upon Login

    You can configure Juniper Networks routers and switches to run the show system alarms command whenever a user with the login class admin logs in to the router or switch. To do so, include the login-alarms statement at the [edit system login class admin] hierarchy level.

    [edit system login class admin]
    login-alarms;

    For more information on the show system alarms command, see the CLI Explorer.

    SEE ALSO

    show system alarms

    Configuring Login Tips

    The Junos OS CLI provides the option of configuring login tips for the user. By default, the tip commandis not enabled when a user logs in.

    • To enable tips, include the login-tip statement at the [edit system login class class-name] hierarchy level:

    [edit system login class class-name]
    login-tip;

    Adding this statement enables the tip command for the class specified, provided the user logs in using the CLI.

    Examples: Configuring Time-Based User Access

    The following example shows how to configure user access for the operator-round-the-clock-access login class from Monday through Friday without any restriction on access time or duration of login:

    [edit system]
    login {
        class operator-round-the-clock-access {
            allowed-days [ monday tuesday wednesday thursday friday ];
        }
    }

    The following example shows how to configure user access for the operator-day-shift login class on Monday, Wednesday, and Friday from 8:30 AM to 4:30 PM:

    [edit system]
    login {
        class operator-day-shift {
            allowed-days [ monday wednesday friday ];
            access-start 0830;
            access-end 1630;
        }
    }

    Alternatively, you can also specify the login start time and end time for the operator-day-shift login class to be from 8:30 AM to 4:30 PM in the following format:

    [edit system]
    login {
        class operator-day-shift {
            allowed-days [ monday wednesday friday ];
            access-start 08:30am;
            access-end 04:30pm;
        }
    }

    The following example shows how to configure user access for the operator-day-shift-all-days-of-the-week login class to be on all days of the week from 8:30 AM to 4:30 PM:

    [edit system]
    login {
        class operator-day-shift-all-days-of-the-week {
            access-start 0830;
            access-end 1630;
        }
    }
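    The three time-based classes above, evaluated against candidate login times by an added Python example; this is not code from the Junos OS guide or from Juniper. It accepts both time formats shown in the examples (0830/1630 and 08:30am/04:30pm). Two points are this example's assumptions rather than documented Junos OS behaviour: the window is treated as [access-start, access-end), with access-start inclusive and access-end exclusive, and access-start and access-end are required to appear together.

```python
# Added example (not Juniper code): decide whether a login at a given date and
# time falls inside the window defined by a login class's allowed-days,
# access-start and access-end statements. The window semantics
# ([access-start, access-end), both statements required together, a window
# that ends before it starts wraps past midnight) are this example's assumptions.
import re
from datetime import datetime, time

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


def parse_access_time(text: str) -> time:
    """Parse '0830', '08:30', '08:30am' or '04:30pm' into a datetime.time."""
    m = re.fullmatch(r"(\d{1,2}):?(\d{2})\s*(am|pm)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised access time: {text!r}")
    hour, minute, meridiem = int(m.group(1)), int(m.group(2)), m.group(3)
    if meridiem:
        if not 1 <= hour <= 12:
            raise ValueError(f"12-hour time out of range: {text!r}")
        hour = hour % 12 + (12 if meridiem == "pm" else 0)
    if hour > 23 or minute > 59:
        raise ValueError(f"time out of range: {text!r}")
    return time(hour, minute)


class AccessWindow:
    """The time-based statements of one login class."""

    def __init__(self, allowed_days=None, access_start=None, access_end=None):
        self.allowed_days = None if allowed_days is None else frozenset(d.lower() for d in allowed_days)
        if self.allowed_days and not self.allowed_days <= set(DAYS):
            raise ValueError(f"unknown day names: {sorted(self.allowed_days - set(DAYS))}")
        if (access_start is None) != (access_end is None):
            raise ValueError("access-start and access-end are expected together (assumption)")
        self.start = parse_access_time(access_start) if access_start else None
        self.end = parse_access_time(access_end) if access_end else None

    def permits(self, when: datetime) -> bool:
        """True if a login at `when` is inside the configured days and time window."""
        if self.allowed_days is not None and DAYS[when.weekday()] not in self.allowed_days:
            return False
        if self.start is None:  # no time window: any time on an allowed day
            return True
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        # Window crosses midnight, e.g. access-start 2200 / access-end 0600.
        return t >= self.start or t < self.end


# The three classes from the examples in this section.
ROUND_THE_CLOCK = AccessWindow(allowed_days=["monday", "tuesday", "wednesday", "thursday", "friday"])
DAY_SHIFT = AccessWindow(allowed_days=["monday", "wednesday", "friday"],
                         access_start="08:30am", access_end="04:30pm")
DAY_SHIFT_ALL_DAYS = AccessWindow(access_start="0830", access_end="1630")

if __name__ == "__main__":
    # 2020-03-25 is a Wednesday, 2020-03-28 a Saturday (constructed sample times).
    for when in (datetime(2020, 3, 25, 9, 0), datetime(2020, 3, 25, 17, 0), datetime(2020, 3, 28, 9, 0)):
        print(when, ROUND_THE_CLOCK.permits(when), DAY_SHIFT.permits(when), DAY_SHIFT_ALL_DAYS.permits(when))
```

    The parser is deliberately strict: a value such as 13:00pm or 2460 raises rather than being silently reinterpreted, which is the behaviour you want when the window is what keeps an account off the device outside working hours.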

    SEE ALSO

    Configuring Time-Based User Access

    Configuring the Timeout Value for Idle Login Sessions

    An idle login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard. By default, a login session remains established until a user logs out of the router or switch, even if that session is idle. To close idle sessions automatically, you must configure a time limit for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes. Idle-timeout can only be configured for user-defined classes. The configuration does not apply to the predefined system classes (operator, read-only, super-user); the values and permissions of these classes are not editable.

    To define the timeout value for idle login sessions, include the idle-timeout statement at the [edit system login class class-name] hierarchy level:

    [edit system login class class-name]
    idle-timeout minutes;

    Specify the number of minutes that a session can be idle before it is automatically closed.

    If you have configured a timeout value, the CLI displays messages similar to the following when timing out an idle user. It starts displaying these messages 5 minutes before timing out the user.

    user@host# Session will be closed in 5 minutes if there is no activity.
    Warning: session will be closed in 1 minute if there is no activity
    Warning: session will be closed in 10 seconds if there is no activity
    Idle timeout exceeded: closing session

    If you configure a timeout value, the session closes after the specified time has elapsed, unless the user is running telnet or monitoring interfaces using the monitor interface or monitor traffic command.

    Login Retry Options

    The security administrator can configure the number of times a user can try to log in to the device with invalid login credentials. The device can be locked after the specified number of unsuccessful authentication attempts. This helps to protect the device from malicious users attempting to access the system by guessing an account’s password. The security administrator can unlock the user account or define a time period for the user account to remain locked.

    The system lockout-period defines the amount of time the device can be locked for a user account after a specified number of unsuccessful login attempts.

    The security administrator can configure a period of time after which an inactive session will be locked and require re-authentication to be unlocked. This helps to protect the device from being idle for a long period before the session times out.

    The system idle-timeout defines the length of time the CLI operational mode prompt remains active before the session times out.

    The security administrator can configure a banner with an advisory notice to be displayed before the identification and authentication screen.

    The system message defines the system login message. This message appears before a user logs in.

    The number of reattempts the device allows is defined by the tries-before-disconnect option. The device allows 3 unsuccessful attempts by default, or as configured by the administrator. The device prevents locked users from performing activities that require authentication until a security administrator manually clears the lock or the defined time period for the device to remain locked has elapsed. However, existing locks are ignored when the user attempts to log in from the local console.

    NOTE: To clear the console during an administrator-initiated logout, the administrator must configure the set system login message “message string” such that the message-string contains newline (\n) characters and a login banner message at the end of the \n characters.

    To ensure that configuration information is cleared completely, the administrator can enter 50 or more \n characters in the message-string of the command set system login message “message string”.

    For example: set system login message "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nWelcome to Junos!!!"

    Limiting the Number of User Login Attempts for SSH and Telnet Sessions

    You can limit the number of times a user can attempt to enter a password while logging in through SSH or Telnet. The connection is terminated if a user fails to log in after the number of attempts specified. You can also specify a delay, in seconds, before a user can try to enter a password after a failed attempt. In addition, you can specify the threshold for the number of failed attempts before the user experiences a delay in being able to enter a password again.

    To specify the number of times a user can attempt to enter a password while logging in, include the retry-options statement at the [edit system login] hierarchy level:

    [edit system login]
    retry-options {
        tries-before-disconnect number;
        backoff-threshold number;
        backoff-factor seconds;
        maximum-time seconds;
        minimum-time seconds;
    }

    You can configure the following options:

    • tries-before-disconnect—Number of times a user can attempt to enter a password when logging in. The connection closes if a user fails to log in after the number specified. The range is from 1 through 10, and the default is 10.

    • backoff-threshold—Threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. Use the backoff-factor option to specify the length of the delay in seconds. The range is from 1 through 3, and the default is 2.

    • backoff-factor—Length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the value specified for each subsequent attempt after the threshold. The range is from 5 through 10, and the default is 5 seconds.

    • maximum-time seconds—Maximum length of time, in seconds, that the connection remains open for the user to enter a username and password to log in. If the user remains idle and does not enter a username and password within the configured maximum-time, the connection is closed. The range is from 20 through 300 seconds, and the default is 120 seconds.

    • minimum-time—Minimum length of time, in seconds, that a connection remains open while a user is attempting to enter a correct password. The range is from 20 through 60, and the default is 40.

    The following example shows how to limit the user to four attempts when the user enters a password while logging in through SSH or Telnet:

    Limiting the number of SSH and Telnet login attempts per user is one of the most effective methods of stopping brute force attacks from compromising your network security. Brute force attackers execute a large number of login attempts in a short period of time to illegitimately gain access to a private network. By configuring the retry-options command, you can create an increasing delay after each failed login attempt, eventually disconnecting any user who passes your set threshold of login attempts.

    Set the backoff-threshold to 2, the backoff-factor to 5 seconds, and the minimum-time to 40 seconds. The user experiences a delay of 5 seconds after the second attempt to enter a correct password fails. After each subsequent failed attempt, the delay increases by 5 seconds. After the fourth and final failed attempt to enter a correct password, the user experiences an additional 10-second delay, and the connection closes after a total of 40 seconds.

    The additional variables maximum-time and lockout-period are not set in this example.

    [edit]
    system {
        login {
            retry-options {
                backoff-threshold 2;
                backoff-factor 5;
                minimum-time 40;
                tries-before-disconnect 4;
            }
            password {
            }
        }
    }

    NOTE: This sample only shows the portion of the [edit system login] hierarchy level being modified.

    Example: Configuring Login Retry Options

    IN THIS SECTION

    Requirements | 52

    Overview | 52

    Configuration | 54

    Verification | 55

    This example shows how to configure system retry options to protect the device from malicious users.

    Requirements

    Before you begin, you should understand “Login Retry Options” on page 49.

    No special configuration beyond device initialization is required before configuring this feature.

    Overview

    Malicious users sometimes try to log in to a secure device by guessing an authorized user account’s password. Locking out a user account after a number of failed authentication attempts helps protect the device from malicious users.

    Device lockout allows you to configure the number of failed attempts before the user account is locked out of the device and configure the amount of time before the user can attempt to log in to the device again. You can configure the amount of time in-between failed login attempts of a user account and can manually lock and unlock user accounts.

    NOTE: This example includes the following settings:

    • backoff-factor — Sets the length of delay in seconds after each failed login attempt. When a user incorrectly logs in to the device, the user must wait the configured amount of time before attempting to log in to the device again. The length of delay increases by this value for each subsequent login attempt after the value specified in the backoff-threshold statement. The default value for this statement is five seconds, with a range of five to ten seconds.

    • backoff-threshold — Sets the threshold for the number of failed login attempts on the device before the user experiences a delay when attempting to reenter a password. When a user incorrectly logs in to the device and hits the threshold of failed login attempts, the user experiences a delay that is set in the backoff-factor statement before attempting to log in to the device again. The default value for this statement is two, with a range of one through three.

    • lockout-period — Sets the amount of time in minutes before the user can attempt to log in to the device after being locked out due to the number of failed login attempts specified in the tries-before-disconnect statement. When a user fails to log in correctly after the number of allowed attempts specified by the tries-before-disconnect statement, the user must wait the configured number of minutes before attempting to log in to the device again. The lockout-period must be greater than zero. The range at which you can configure the lockout-period is one through 43,200 minutes.

    • tries-before-disconnect — Sets the maximum number of times the user is allowed to enter a password to attempt to log in to the device through SSH or Telnet. When the user reaches the maximum number of failed login attempts, the user is locked out of the device. The user must wait the configured amount of minutes in the lockout-period statement before attempting to log back in to the device. The tries-before-disconnect statement must be set when the lockout-period statement is set; otherwise, the lockout-period statement is meaningless. The default number of attempts is ten, with a range of one through ten attempts.

    Once a user is locked out of the device, if you are the security administrator, you can manually remove the user from this state using the clear system login lockout command. You can also use the show system login lockout command to view which users are currently locked out, when the lockout period began for each user, and when the lockout period ends for each user.

    If the security administrator is locked out of the device, he can log in to the device from the console port, which ignores any user locks. This provides a way for the administrator to remove the user lock on their own user account.

    In this example the user waits for the backoff-threshold multiplied by the backoff-factor interval, in seconds, to get the login prompt. In this example, the user must wait 5 seconds after the first failed login attempt and 10 seconds after the second failed login attempt to get the login prompt. The user gets disconnected after 15 seconds after the third failed attempt because the tries-before-disconnect option is configured as 3.

    The user cannot attempt another login until 120 minutes have elapsed, unless a security administrator manually clears the lock sooner.
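The delay and lockout arithmetic of the two worked examples (the four-attempt SSH/Telnet example above and this one), together with the set commands of this example's CLI Quick Configuration, as an added Python model written for this guide, not Junos software. It validates each retry-options statement against the ranges and defaults the guide lists, derives the per-attempt delay schedule, and tracks lockouts per username. The delay formula (no delay until the backoff-threshold-th failure, then backoff-factor seconds growing by backoff-factor per further failure) is an assumption fitted to the numbers quoted in both examples; LockoutTracker, parse_retry_options and backoff_schedule are hypothetical names.

```python
import re
from datetime import datetime, timedelta

# (minimum, maximum, default) per retry-options statement, as the guide states them;
# lockout-period is in minutes and has no default.
RETRY_OPTIONS = {
    "tries-before-disconnect": (1, 10, 10),
    "backoff-threshold": (1, 3, 2),
    "backoff-factor": (5, 10, 5),
    "maximum-time": (20, 300, 120),
    "minimum-time": (20, 60, 40),
    "lockout-period": (1, 43200, None),
}
SET_RE = re.compile(r"^set system login retry-options ([a-z-]+) (\d+)$")

# The guide's CLI quick configuration for this example.
EXAMPLE_SET_COMMANDS = """
set system login retry-options backoff-factor 5
set system login retry-options backoff-threshold 1
set system login retry-options lockout-period 120
set system login retry-options tries-before-disconnect 3
"""

def at(iso):
    """Build a datetime from an ISO 8601 string such as '2020-03-26T09:00'."""
    return datetime.fromisoformat(iso)

def parse_retry_options(text):
    """Parse set commands, reject out-of-range values (as commit would) and apply defaults."""
    opts = {name: default for name, (_lo, _hi, default) in RETRY_OPTIONS.items()}
    for line in text.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m or m.group(1) not in RETRY_OPTIONS:
            raise ValueError(f"not a known retry-options set command: {line!r}")
        name, value = m.group(1), int(m.group(2))
        lo, hi, _ = RETRY_OPTIONS[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name} {value} is outside the range {lo}..{hi}")
        opts[name] = value
    return opts

def backoff_schedule(opts):
    """Seconds the user waits for the prompt after the 1st, 2nd, ... failed attempt.
    Assumed model fitted to the guide's worked numbers: no delay before the
    backoff-threshold-th failure, then backoff-factor seconds, growing by
    backoff-factor for each further failure up to tries-before-disconnect."""
    tries, thr, f = (opts["tries-before-disconnect"], opts["backoff-threshold"],
                     opts["backoff-factor"])
    return [0 if n < thr else f * (n - thr + 1) for n in range(1, tries + 1)]

class LockoutTracker:
    """Per-username failure counter with the guide's lockout behaviour: disconnect at
    tries-before-disconnect, lock for lockout-period minutes, administrator clearing,
    and console logins that ignore existing locks. Hypothetical model, not Junos code."""

    def __init__(self, opts):
        self.opts, self.failures, self.locked_until = opts, {}, {}

    def is_locked(self, user, now, via_console=False):
        until = self.locked_until.get(user)
        if via_console or until is None:
            return False
        if now >= until:                      # lockout-period has elapsed
            del self.locked_until[user]
            return False
        return True

    def record_failure(self, user, now):
        """Return the backoff delay (seconds) for this failure, or 'disconnect' once the
        attempt limit is reached, which also locks the account if lockout-period is set."""
        count = self.failures.get(user, 0) + 1
        if count >= self.opts["tries-before-disconnect"]:
            self.failures.pop(user, None)
            if self.opts["lockout-period"] is not None:
                self.locked_until[user] = now + timedelta(minutes=self.opts["lockout-period"])
            return "disconnect"
        self.failures[user] = count
        return backoff_schedule(self.opts)[count - 1]

    def clear(self, user):
        """Equivalent of 'clear system login lockout' for one username."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
```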

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

    set system login retry-options backoff-factor 5
    set system login retry-options backoff-threshold 1
    set system login retry-options lockout-period 120
    set system login retry-options tries-before-disconnect 3

    Step-by-Step Procedure

    To configure system retry-options:

    1. Configure the backoff factor.

    [edit]
    user@host# set system login retry-options backoff-factor 5

    2. Configure the backoff threshold.

    [edit]
    user@host# set system login retry-options backoff-threshold 1

    3. Configure the amount of time the device gets locked after failed attempts.

    [edit]
    user@host# set system login retry-options lockout-period 5

    4. Configure the number of unsuccessful attempts the device allows before it locks the user account.

    [edit]
    user@host# set system login retry-options tries-before-disconnect 3

    Results

    From configuration mode, confirm your configuration by entering the show system login retry-options command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show system login retry-options
    backoff-factor 5;
    backoff-threshold 1;
    lockout-period 5;
    tries-before-disconnect 3;

    Confirm that the configuration is working properly.

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    Displaying the Locked User Logins

    Purpose

    Verify that the login lockout configuration is enabled.

    Action

    Attempt three unsuccessful logins for a particular username. The device will be locked for that username; then log in to the device with a different username. From operational mode, enter the show system login lockout command.

    Meaning

    When you perform three unsuccessful login attempts with a particular username, the device is locked for that user for five minutes, as configured in the example. You can verify that the device is locked for that user by logging in to the device with a different username and entering the show system login lockout command.

    RELATED DOCUMENTATION

    Junos OS Login Classes Overview | 37

    Junos OS User Accounts | 57

    CHAPTER 2

    User Accounts

    Junos OS User Accounts | 57

    Junos OS Administrative Roles | 71

    Junos OS User Access Privileges | 83

    Junos OS User Accounts

    IN THIS SECTION

    Junos OS User Accounts Overview | 57

    Junos-FIPS Crypto Officer and User Accounts Overview | 59

    Example: Configuring User Accounts | 60

    Example: Configuring New Users | 61

    Configuring Junos OS User Accounts by Using a Configuration Group | 68

    Junos OS allows you to create accounts for router, switch, and security users. All users also belong to one of the system login classes.

    Junos OS requires that all users have a predefined user account before they can log in to the device. For each user account, you define the login name for the user and, optionally, information that identifies the user. User accounts provide a way for users to access a router or switch or security device. Read this topic for more information.

    Junos OS User Accounts Overview

    User accounts provide one way for users to access the device. (Users can access the device without accounts if you configured RADIUS or TACACS+ servers, as described in “Junos OS User Authentication Methods” on page 172.) For each account, you define the login name and password for the user and, optionally, additional parameters and metadata for the user. After you have created an account, the software creates a home directory for the user.

    An account for the user root is always present in the configuration. You configure the password for root using the root-authentication statement, as described in “Configuring the Root Password” on page 142.

    It is a common practice to use remote authentication servers to centrally store information about users. Even so, it is also a good practice to configure at least one non-root user directly on each device, in case access to the remote authentication server is disrupted. This one non-root user commonly has a generic name, such as admin.

    For each user account, you can define the following:

    • Username: Name that identifies the user. It must be unique within the device. Do not include spaces, colons, or commas in the username. The username can be up to 64 characters long.

    • User’s full name: (Optional) If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.

    • User identifier (UID): (Optional) Numeric identifier that is associated with the user account name. Typically there is no need to set the UID because the software automatically assigns it when you commit the configuration. However, if you manually configure the UID, it must be in the range from 100 through 64,000 and must be unique within the device.

    You must ensure that the UID is unique. However, it is possible to assign the same UID to different users. If you do this, the CLI displays a warning when you commit the configuration and then assigns the duplicate UID.

    • User’s access privilege: (Required) One of the login classes you defined in the class statement at the [edit system login] hierarchy level, or one of the default classes listed in “Junos OS User Access Privileges” on page 83.

    • Authentication method or methods and passwords that the user can use to access the device—You can use SSH or a Message Digest 5 (MD5) password, or you can enter a plain-text password that the Junos OS encrypts using MD5-style encryption before entering it in the password database. For each method, you can specify the user’s password. If you configure the plain-text-password option, you are prompted to enter and confirm the password:

    [edit system login user username]
    user@host# set authentication plain-text-password
    New password: type password here
    Retype new password: retype password here

    The default requirements for plain-text passwords are:

    • The password must be between 6 and 128 characters long.

    • You can include most character classes in a password (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). Control characters are not recommended.

    • Valid passwords must contain at least one change of case or character class.

    Junos-FIPS and Common Criteria have special password requirements. FIPS and Common Criteria passwords must be between 10 and 20 characters in length. Passwords must use at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other special characters). If Junos-FIPS is installed on the device, you cannot configure passwords unless they meet this standard.
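The default plain-text-password rules and the stricter Junos-FIPS/Common Criteria rules above, as an added Python checker written for this guide (not Junos software) that an operator can run on candidate passwords before committing them. It maps every character to one of the guide's five character sets, treating anything outside uppercase, lowercase, digit and ASCII punctuation as "other special characters"; the function names are hypothetical.

```python
import string
import unicodedata

# The guide's five character sets for password composition.
UPPER, LOWER = set(string.ascii_uppercase), set(string.ascii_lowercase)
DIGIT, PUNCT = set(string.digits), set(string.punctuation)


def char_class(ch):
    """Classify one character as upper, lower, digit, punct, or other (other special characters).
    Assumption: space, control and non-ASCII characters all count as 'other'."""
    if ch in UPPER:
        return "upper"
    if ch in LOWER:
        return "lower"
    if ch in DIGIT:
        return "digit"
    if ch in PUNCT:
        return "punct"
    return "other"


def has_control_characters(pw):
    """Control characters are accepted by the default policy but not recommended."""
    return any(unicodedata.category(c).startswith("C") for c in pw)


def check_default_policy(pw):
    """Default plain-text-password rules: 6 to 128 characters and at least one
    change of case or character class. Returns a list of violations (empty means OK)."""
    problems = []
    if not 6 <= len(pw) <= 128:
        problems.append("length must be between 6 and 128 characters")
    # Two distinct classes anywhere in the string implies at least one change.
    if len({char_class(c) for c in pw}) < 2:
        problems.append("must contain at least one change of case or character class")
    return problems


def check_fips_policy(pw):
    """Junos-FIPS / Common Criteria rules: 10 to 20 characters drawn from at least
    three of the five character sets. Returns a list of violations (empty means OK)."""
    problems = []
    if not 10 <= len(pw) <= 20:
        problems.append("length must be between 10 and 20 characters")
    if len({char_class(c) for c in pw}) < 3:
        problems.append("must use at least three of the five character sets")
    return problems
```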

    For SSH authentication, you can copy the contents of an SSH key file into the configuration or directly configure SSH key information. Use the load-key-file URL filename command to load an SSH key file that was previously generated, e.g. by using ssh-keygen. The URL filename is the path to the file’s location and name. This command loads RSA (SSH version 1 and SSH version 2) and DSA (SSH version 2) public keys. The contents of the SSH key file are copied into the configuration immediately after you enter the load-key-file statement. Optionally, you can use the ssh-dsa public key and the ssh-rsa public key statements to directly configure SSH keys.

    The following TLS version and cipher suite combinations will fail when you use the specified type of host key.

    With RSA host keys:

    • TLS_1.0@DHE-RSA-AES128-SHA

    • TLS_1.0@DHE-RSA-AES256-SHA

    With DSA host keys:

    • TLS 1.0 (default ciphers)

    • TLS 1.1 (default ciphers)

    • TLS_1.0@DHE-DSS-AES128-SHA

    • TLS_1.0@DHE-DSS-AES256-SHA

    For each user account and for root logins, you can configure more than one public RSA or DSA key for user authentication. When a user logs in using a user account or as root, the configured public keys are referenced to determine whether the private key matches any of them.

    To view the SSH keys entries, use the configuration mode show command. For example:

    [edit system login user boojum]
    user@host# set authentication load-key-file my-host:.ssh/id_dsa.pub
    .file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100%
    [edit system]
    user@host# show
    root-authentication {
        ssh-rsa "$ABC123"; # SECRET-DATA
    }

    Junos-FIPS Crypto Officer and User Accounts Overview

    Junos-FIPS defines a restricted set of user roles. Unlike the Junos OS, which enables a wide range of capabilities to users, FIPS 140-2 defines specific types of users (Crypto Officer, User, and Maintenance). Crypto Officers and FIPS Users perform all FIPS-related configuration tasks and issue all FIPS-related commands. Crypto Officer and FIPS User configurations must follow FIPS 140-2 guidelines. Typically, no user besides a Crypto Officer can perform FIPS-related tasks.

    Crypto Officer User Configuration

    Junos-FIPS offers finer control of user permissions than those mandated by FIPS 140-2. For FIPS 140-2 conformance, any Junos-FIPS user with the secret, security, and maintenance permission bits set is a Crypto Officer. In most cases, the super-user class should be reserved for a Crypto Officer. A FIPS User can be defined as any Junos-FIPS user that does not have the secret, security, and maintenance bits set.

    FIPS User Configuration

    A Crypto Officer sets up FIPS Users. FIPS Users can be granted permissions normally reserved for a Crypto Officer; for example, permission to zeroize the system and individual AS-II FIPS PICs.

    Example: Configuring User Accounts

    The following example shows how to create accounts for four router or switch users, and create an account for the template user remote. All users use one of the default system login classes. User alexander also has two digital signal algorithm (DSA) public keys configured for SSH authentication.

    [edit]
    system {
        login {
            user philip {
                full-name "Philip of Macedonia";
                uid 1001;
                class super-user;
                authentication {
                    encrypted-password "$ABC123";
                }
            }
            user alexander {
                full-name "Alexander the Great";
                uid 1002;
                class view;
                authentication {
                    encrypted-password "$ABC123";
                    ssh-dsa "8924 37 5678 [email protected]";
                    ssh-dsa "6273 94 [email protected]";
                }
            }
            user darius {
                full-name "Darius King of Persia";
                uid 1003;
                class operator;
                authentication {
                    ssh-rsa "1024 37 [email protected]";
                }
            }
            user anonymous {
                class unauthorized;
            }
            user remote {
                full-name "All remote users";
                uid 9999;
                class read-only;
            }
        }
    }

    Example: Configuring New Users

    IN THIS SECTION

    Requirements | 61

    Overview | 62

    Configuration | 62

    Verification | 67

    This example shows how to configure new users.

    Requirements

    No special configuration beyond device initialization is required before configuring this feature.

    Overview

    You can add new users to the dev