Overview

Junos has a robust authentication, authorization and accounting (AAA) system that ensures authenticated users can access only what their permissions allow.

Authentication

Junos supports two categories of user authentication.

  • Local - the on-box user database
  • Remote - TACACS+ or RADIUS servers

Local Authentication

Local authentication uses a user database stored on the device itself. By default, local user passwords must meet the following requirements (the policy can be tightened under the [edit system login password] hierarchy).

  • At least six characters long
  • Cannot include control characters
  • At least one change of case

Local users have a home directory automatically generated for them.
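As an added example (not configuration from the study guide or the original post), the following snippet tightens the default password policy and defines a local user. The user name, uid, class, policy values and the encrypted-password string are assumptions; Junos generates the real hash when the password is entered with plain-text-password.

```junos
system {
    login {
        /* Added example: stricter-than-default local password policy (values are illustrative) */
        password {
            minimum-length 12;            /* default minimum is 6 */
            change-type character-sets;   /* count character classes instead of case transitions */
            minimum-changes 3;            /* at least 3 of: upper, lower, digit, punctuation */
            format sha512;                /* hash algorithm used for stored local passwords */
        }
        user alice {
            uid 2001;                     /* assumed; Junos assigns a uid automatically if omitted */
            class super-user;
            authentication {
                /* Placeholder hash; set it with
                   "set system login user alice authentication plain-text-password" */
                encrypted-password "$6$PLACEHOLDER";
            }
        }
    }
}
```

A plain-text password that does not meet the policy is rejected when it is entered, not at commit time, so test the policy interactively before rolling it out. Check the result with `show configuration system login`.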

Remote Authentication

There are two methods of remote user authentication.

  • TACACS+ - Terminal Access Controller Access-Control System Plus (configured under system tacplus-server)
  • RADIUS - Remote Authentication Dial-In User Service (configured under system radius-server)

Authentication Order

Multiple authentication sources can be defined. When a user attempts to log in, the configured sources are tried in order; a source that rejects the attempt or fails to respond is skipped and the next one is tried, until one of them accepts the credentials or the list is exhausted.

config
system {
    authentication-order [ radius tacplus password ];
}

To consult the local user database only when the remote authentication servers cannot be reached, omit the password keyword.

config
system {
    authentication-order [ radius tacplus ];
}

With password omitted, the local database is used only as a fallback when none of the remote servers responds. A reachable server that answers with an explicit reject ends the attempt; the local database is not consulted in that case. Including password in the order, by contrast, lets a locally stored password succeed even after a remote reject, which weakens central control over who can log in.
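The following configuration is an added example, not the page's or Juniper's own, showing centralised login with the unreachable-only local fallback described above. Server addresses, the source address, shared secrets, user names and the password hash are assumptions.

```junos
system {
    /* Added example: TACACS+ first, RADIUS second, local accounts only if neither answers.
       Addresses, secrets, names and the hash are placeholders. */
    tacplus-server {
        192.0.2.20 {
            secret "TACACS-SHARED-SECRET";   /* placeholder; Junos stores it encrypted */
            timeout 5;
            single-connection;
            source-address 192.0.2.1;        /* the address the server has registered for this device */
        }
    }
    radius-server {
        192.0.2.10 {
            secret "RADIUS-SHARED-SECRET";   /* placeholder */
            timeout 5;
            retry 3;
            source-address 192.0.2.1;
        }
    }
    /* No "password" keyword: a reject from a reachable server is final;
       local accounts are consulted only when no server responds. */
    authentication-order [ tacplus radius ];
    login {
        /* Template account: remote users without a server-supplied mapping inherit this class */
        user remote {
            class operator;
        }
        /* Break-glass local account, usable only through the fallback path above */
        user breakglass {
            class super-user;
            authentication {
                encrypted-password "$6$PLACEHOLDER";   /* set via plain-text-password */
            }
        }
    }
}
```

Commit this with `commit confirmed 5` from one session and prove a remote login from a second session before the timer expires; a mistyped secret otherwise locks everyone but the break-glass account out. Remotely authenticated users get the class of the remote template unless the server returns a local-user-name (TACACS+) or Juniper-Local-User-Name (RADIUS) attribute naming another local template account, so map privileged staff to a dedicated template rather than widening the class of remote.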

Authorization

Junos applies authorization policy to commands and configuration statements for all non-root users. Authorization is applied according to the following diagram.

[Diagram: authorization decision flow, blog/juniper-aaa/aaa.svg]
Important

If a command matches both an allow-commands and a deny-commands statement, or a configuration hierarchy matches both allow-configuration and deny-configuration, the allow statement takes precedence over the deny statement.

Login Classes

A login class is a named set of permissions that is assigned to users. There are four predefined login classes.

  • super-user - All permissions
  • operator - View, clear, network, reset, and trace permissions
  • read-only - View permissions
  • unauthorized - No permissions

It is also possible to create custom login classes if the default classes do not meet your needs.

Each user belongs to exactly one login class, and that class's permissions are applied to the user at login.
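As an added example (not from the study guide or the original post), the custom class below starts from full permissions, carves out commands and configuration hierarchies with deny statements, and uses the allow-over-deny precedence noted above to hand one command back. The class name, user name, regexes, timeout and hash are assumptions.

```junos
system {
    login {
        /* Added example: an admin class that cannot alter who else can log in */
        class noc-admin {
            idle-timeout 15;                /* minutes of inactivity before logout */
            permissions all;                /* start from everything, then restrict */
            /* Deny every "show system ..." command, even though the permission bits grant it */
            deny-commands "^show system";
            /* This command also matches deny-commands above; allow wins, so it stays usable */
            allow-commands "^show system uptime";
            /* Block changes to local accounts, classes and the root password */
            deny-configuration "^system (login|root-authentication)";
        }
        user bob {
            class noc-admin;
            authentication {
                encrypted-password "$6$PLACEHOLDER";   /* placeholder; set via plain-text-password */
            }
        }
    }
}
```

After committing, log in as the test user and confirm that `show system uptime` works while `show system processes` is refused, and that `edit system login` is rejected in configuration mode. Anchor the regexes with `^` as in the Juniper examples; an unanchored pattern such as "system login" also matches unrelated commands that merely contain that text.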

Accounting

When accounting is enabled, user activities such as logins, configuration changes, and interactive commands are logged and sent to the configured TACACS+ or RADIUS accounting servers.
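The following snippet is an added example, not the page's own configuration. It sends all three event types to a TACACS+ accounting server and, as a local safety net that the page does not mention, keeps a copy of every interactive command in a syslog file on the device. The server address, source address, secret and file name are assumptions.

```junos
system {
    /* Added example: remote accounting of logins, commits and interactive commands */
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                /* Accounting servers are listed here, independently of system tacplus-server */
                server {
                    192.0.2.20 {
                        secret "TACACS-SHARED-SECRET";   /* placeholder */
                        timeout 5;
                        single-connection;
                        source-address 192.0.2.1;
                    }
                }
            }
        }
    }
    /* Local copy of typed commands, so an outage of the accounting server leaves a trail */
    syslog {
        file interactive-commands {
            interactive-commands any;
            archive size 1m files 10;
        }
    }
}
```

Verify that records arrive at the server after a commit and a few show commands, and compare against `show log interactive-commands` on the device; a gap between the two usually means the accounting server is unreachable or its secret is wrong.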

Bibliography

1. Juniper Networks (2012). JNCIA-Junos Study Guide, Part 1.