Welcome to the User Authentication Configuration module. By the end of this module, you should be able to configure user authentication.

With local password authentication, you can configure usernames and passwords individually for each user who logs in to a device running the Junos OS. Junos OS enforces password restrictions, such as a minimum length of six characters. You can include most character classes in a password (alphabetic, numeric, and special characters, but not control characters), and a password must contain at least one change of case or character class. When a user is configured on a device running the Junos OS, the system automatically generates a home directory for that user. The home directory serves as the default working directory for each locally configured user. The user's working directory can be changed for an individual session using the operational mode command set cli directory <directory>. This command is useful when configurations need to be saved by multiple administrators to a common location.

RADIUS and TACACS+ are distributed client and server systems used as authentication methods to validate users. The RADIUS and TACACS+ clients run on devices running the Junos OS; the server runs on a host connected to a remote network. A locally defined user account determines authorization. Multiple RADIUS or TACACS+ authenticated users can be mapped to a locally defined template user account. Local template user accounts avoid the need for each RADIUS or TACACS+ user to also have a locally defined user account. With the appropriate Juniper Networks extensions loaded on the server, both RADIUS and TACACS+ can override these template user authorization parameters by passing extended regular expressions. You can configure a device running Junos OS to be both a RADIUS and a TACACS+ client, and you can prioritize the order in which the software tries one or more of the three authentication methods.
For each login attempt, Junos OS tries the authentication methods in order until the password is accepted. The next method in the authentication order is consulted if the previous method failed to reply or rejected the login attempt. If no reply (neither accept nor reject) is received from any of the listed authentication methods, Junos OS consults local authentication as a last resort.

In the first example, the authentication order is configured as radius tacplus password. Enter the username as lab and the password as lab789. The authentication is successful because each configured authentication method is attempted until the local authentication database accepts the password. In addition to the authentication order, you would also need to configure the RADIUS and TACACS+ servers, as well as the lab user. This is a sample of these configuration parameters.

In the second example, the authentication order radius tacplus is configured, again with the username lab and the password lab789. Junos OS attempts to authenticate the password against the RADIUS server, which rejects it. Junos OS then attempts to authenticate the password against the TACACS+ server, which also rejects it. Junos OS does not consult local authentication because password is not listed in the authentication order. Because at least one of the configured authentication methods did respond, the password is rejected.

In the third example, the authentication order radius tacplus is still present. Enter the username as lab and the password as lab789. Junos OS attempts to authenticate the password against the RADIUS server, which is down. The device receives no response and, after a time-out period, tries the TACACS+ server. A temporary network problem causes the TACACS+ server to be unreachable. After a second time-out period, local authentication is consulted and the password is accepted. Junos OS consults local authentication here because none of the configured authentication methods responded.
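The configuration behind the three scenarios above, written out as an added example rather than the slide referred to in the narration. The server addresses, shared-secret placeholders, uid values and the password hash are assumptions chosen for illustration; the template user name remote is the Junos default for remotely authenticated users without a local account.

```junos
system {
    /* Order matters: RADIUS first, then TACACS+, then the local database.
       Remove "password" to reproduce the second and third scenarios, where
       a reject from a server is final but a time-out from every server
       still falls back to the local database. */
    authentication-order [ radius tacplus password ];
    radius-server {
        /* assumed server address; secret must match the server side */
        192.0.2.10 {
            secret "replace-with-radius-shared-secret";
            timeout 5;
            retry 3;
        }
    }
    tacplus-server {
        /* assumed server address */
        192.0.2.20 {
            secret "replace-with-tacacs-shared-secret";
            timeout 5;
        }
    }
    login {
        /* Local account consulted when "password" is in the order, or
           when no server replies at all. Hash is a placeholder; generate
           it with "set ... authentication plain-text-password". */
        user lab {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$6$placeholder-hash";
            }
        }
        /* Template account: RADIUS/TACACS+ users with no local account
           inherit this login class for authorization. */
        user remote {
            uid 2001;
            class operator;
        }
    }
}
```

With the list as shown, a wrong password is rejected by RADIUS, then by TACACS+, and finally checked locally. Drop password from the list and the behaviour splits: any explicit reject ends the attempt, while two time-outs (here 5 seconds, 3 retries for RADIUS, 5 seconds for TACACS+) still reach the local lab account. If that fallback is not wanted, the local account for lab should not exist at all, because it cannot be excluded by the order alone.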
Each command or configuration statement is subject to authorization. Junos OS applies authorization to all non-root users, and you cannot disable this feature. The authorization applies to both the J-Web interface and the CLI. As shown in this example, a configured hierarchy of authorization components defines whether a command is authorized. At the highest level, the configuration of user accounts defines authorization parameters. Multiple remotely authenticated users can be mapped to a locally defined template user. Each user is a member of exactly one login class.

A login class is a named container that groups together a set of one or more permission flags. Login classes can also specify that the permission flags should be overridden for certain commands. You can configure custom login classes, but four predefined login classes exist to handle most situations. These classes and their associated permission flags are: the super-user class, which has all permissions; the operator class, which has the clear, network, reset, trace, and view permissions; the read-only class, which has the view permission; and the unauthorized class, which has no permissions. The predefined permission flags that group together the authorization of related commands are shown here. The permission flag details are shown in parts here. You can also view these permission flag details from the resources section of this module. The configurable permissions might vary between Junos devices and software versions. Refer to the technical publications for your specific device and version of Junos OS.

You can use the deny-commands, allow-commands, deny-configuration, and allow-configuration statements to define regular expressions that match operational commands or configuration statements. Matches are explicitly allowed or denied regardless of whether you set the corresponding permission flags.
Junos OS evaluates the deny statements before the corresponding allow statements, so a command or statement that matches both is allowed. Junos OS also permits you to restrict access by time of day and day of week using the access-start, access-end, and allowed-days statements.

This configuration example shows how the various authorization components are configured. User nancy is a member of the noc-admin class. The noc-admin class has the clear, network, reset, and view permissions. In addition, the noc-admin class can enter configuration mode using the configure private command, and it is permitted to alter configuration parameters at the [edit interfaces] and [edit firewall] hierarchy levels. The noc-admin class is denied the ability to manipulate files using the operational mode file command, and it is specifically excluded from navigating to or viewing configuration details at the [edit groups] hierarchy level.
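The noc-admin class and user nancy described above, written out as an added example that reconstructs the narrated configuration rather than reproducing the module's slide. The exact regular expressions, the weekday business-hours window, the uid and the password hash are assumptions; the time-of-day statements go beyond what the narrated example configures and are included to show the access-start, access-end and allowed-days statements in place.

```junos
system {
    login {
        class noc-admin {
            /* Permission flags grant the broad command categories. There is
               deliberately no "configure" flag; configuration-mode entry is
               granted by the explicit allow-commands match below. */
            permissions [ clear network reset view ];
            /* Explicit regexes override the flags. Deny is evaluated first,
               then allow, so anything matching both is permitted. */
            allow-commands "configure private";
            deny-commands "^file";
            /* Matched against the configuration hierarchy path */
            allow-configuration "(interfaces|firewall)";
            deny-configuration "groups";
            /* Assumed restriction: logins only on weekdays, 08:00 to 18:00 */
            allowed-days [ monday tuesday wednesday thursday friday ];
            access-start 08:00:00;
            access-end 18:00:00;
        }
        user nancy {
            uid 2002;
            class noc-admin;
            authentication {
                /* placeholder hash; set with plain-text-password in the CLI */
                encrypted-password "$6$placeholder-hash";
            }
        }
    }
}
```

A quick check after committing: log in as nancy, confirm that file list is refused, that configure private succeeds, that edit interfaces and edit firewall are reachable while edit groups is not, and that show configuration omits the groups hierarchy. Because deny-commands "^file" is anchored at the start of the command, it does not affect show commands that merely contain the word file.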