Juniper AAA
Published: 18th of February 2019
Overview
Junos has a robust authentication, authorization and accounting (AAA) system ensuring authenticated users have access to only the things their permissions allow.
Authentication
Junos supports two categories of user authentication.
- Local - On box user database
- Remote - TACACS or RADIUS servers.
Local Authentication
Local authentication utilizes a user database configured on the local device. Local user passwords have the following restrictions.
- At least 6 Characters long
- Cannot include control characters
- At least one change of case
Local users have a home directory automatically generated for them.
Remote Authentication
There are two methods of remote user authentication.
- TACACS - Terminal Access Controller Access-Control System
- RADIUS - Remote Authentication Dial-In User Service
Authentication Order
Multiple authentication sources can be defined. When a user attempts to login, the configured authentication sources will be attempted in order until an authentication accept is received from one of the authentication sources.
system {
authentication-order [ radius tacplus password ];
}
In order to consult the local user database ONLY in the event of remote authentication server failure omit the password keyword.
system {
authentication-order [ radius tacplus ];
}
The local database will be used as a fallback authentication source if no remote authentication sources are available.
Authorization
Junos applies authorization policy to commands and configuration statements for all non-root users. Authorization is applied according to the following diagram.
Important
If the same command is configured under both allow-commands and deny-commands statements, or both allow-configuration and deny-configuration statements, then the allow operation takes precedence over the deny statement.
Login Classes
A login class is a logical grouping of permission that get assigned to users. There are four default login classes.
- super-user - Root permission
- operator - View, clear, network, reset, and trace permissions
- read-only - View permissions
- unauthorized - No permissions
It is also possible to create custom login classes if the default classes do not meet your needs.
Users can be members of a single login class. The login class permissions will be applied to the user upon login.
Accounting
When accounting is enabled, user activities such as logins, configuration changes, and interactive commands will be logged. The logs are sent to user defined TACACS or RADIUS servers.
Bibliography
| Author Unknown (2012) JNCIA-Junos Study Guide-Part 1. Juniper Networks |
Links
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/radius-accounting-configuring.html
https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/system-basics/user-access.html
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/access-privileges-operational-mode-commands-specifying.html