published: 18th of February 2019
Junos has a robust authentication, authorization and accounting (AAA) system that ensures authenticated users can access only what their permissions allow.
Junos supports two categories of user authentication.
Local authentication uses a user database configured on the device itself. Local user passwords have the following restrictions.
Local users have a home directory automatically generated for them.
There are two methods of remote user authentication.
Multiple authentication sources can be defined. When a user attempts to log in, the configured authentication sources are tried in order until one of them returns an authentication accept.
system {
    authentication-order [ radius tacplus password ];
}
To consult the local user database ONLY when the remote authentication servers fail to respond, omit the password keyword.
system {
    authentication-order [ radius tacplus ];
}
With this order the local database is used only as a fallback, when none of the remote authentication sources is available.
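A fuller version of the remote-first order shown above, added here as an example and not taken from the original post: it includes the server definitions that authentication-order refers to, a local account that still works when the servers are unreachable, and a "remote" template user so that users known only to the RADIUS or TACACS+ server still receive a login class. The addresses, secrets and account names are constructed placeholders.

```junos
system {
    /* Constructed example: documentation-range addresses and placeholder secrets */
    radius-server 192.0.2.10 {
        port 1812;
        secret "RADIUS-SECRET-PLACEHOLDER";
        timeout 5;
        retry 3;
    }
    tacplus-server 192.0.2.11 {
        secret "TACPLUS-SECRET-PLACEHOLDER";
        timeout 5;
        single-connection;
    }
    /* No "password" keyword: the local database is consulted only when both
       servers fail to respond, not when one of them rejects the user */
    authentication-order [ radius tacplus ];
    login {
        /* Template account for remotely authenticated users that have no
           local entry; the AAA server can return a different class */
        user remote {
            class read-only;
        }
        /* Local break-glass account, used only while the servers are unreachable */
        user admin-local {
            class super-user;
            authentication {
                /* Set with "plain-text-password" in the CLI; Junos stores the hash */
                encrypted-password "HASH-PLACEHOLDER";
            }
        }
    }
}
```

The point of leaving password out of the order is that a deliberate reject from RADIUS or TACACS+ stays a reject; the local account only becomes reachable when both servers time out, which is also the condition worth alerting on in the accounting logs.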
Junos applies authorization policy to commands and configuration statements for all non-root users. Authorization is applied according to the following diagram.
If the same command is configured under both the allow-commands and deny-commands statements, or under both the allow-configuration and deny-configuration statements, then the allow statement takes precedence over the deny statement.
A login class is a logical grouping of permissions that is assigned to users. There are four default login classes.
It is also possible to create custom login classes if the default classes do not meet your needs.
Each user belongs to exactly one login class, and that class's permissions are applied to the user at login.
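A custom login class that combines permission flags with allow-commands and deny-commands, added here as an example rather than taken from the original post. The class name, user name and hash are constructed placeholders.

```junos
system {
    login {
        /* Constructed example: a view-only operator who may also run a few
           diagnostic commands that the "view" permission alone does not grant */
        class ops-view {
            permissions [ view view-configuration ];
            /* Grants ping, traceroute and counter clearing without handing out
               the broader "network" or "clear" permission flags */
            allow-commands "^(ping|traceroute|clear interfaces statistics)";
            /* Removes selected show commands that "view" would otherwise permit;
               a command matching both regexes would still be allowed, since
               allow-commands takes precedence */
            deny-commands "^show system (users|processes)";
            idle-timeout 15;
        }
        user alice {
            class ops-view;
            authentication {
                encrypted-password "HASH-PLACEHOLDER";
            }
        }
    }
}
```

Because allow wins over deny, keep the allow-commands regex narrow and anchored; a broad pattern there silently undoes every deny-commands entry it overlaps.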
When accounting is enabled, user activities such as logins, configuration changes, and interactive commands are logged. The records are sent to user-defined TACACS+ or RADIUS servers.
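An accounting configuration for the three event types named above, added here as an example and not part of the original post. The server address and secret are constructed placeholders.

```junos
system {
    accounting {
        /* Record logins and logouts, every committed configuration change,
           and each operational command a user enters */
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                /* Constructed address and placeholder secret; the accounting
                   server need not be the one that authenticates users */
                server 192.0.2.11 {
                    secret "TACPLUS-SECRET-PLACEHOLDER";
                }
            }
        }
    }
}
```

Sending interactive-commands off-box is what makes the record useful for incident response: a user with super-user rights can clear local logs, but not the copies already delivered to the accounting server.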