Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  Creating login class

    Posted 09-14-2011 08:14

    Hello all,

     

    Right now I would like to create a custom login class for a group of users that will only be allowed to create user / pass (this is for a support group) and save the config and update the rescue config.

     

    My missing piece here is - what "expressions" to use for the group I create to allow only what is mentioned above and lock them out of everything else, as well I would like an error message for invalid commands attempted if possible.

     

    The below config is from an example I found...the items in bold will not be used, yet I am looking for correct key words to get this going.

     

    [edit]
    system {
        login {
            class access-support {
                idle-timeout 5;
                permissions [ admin clear configure interface interface-control network reset routing routing-control snmp snmp-control trace-control firewall-control rollback ];
            }
        }
    }

    Thanks

     



  • 2.  RE: Creating login class
    Best Answer

    Posted 09-14-2011 11:07

    Hi

     

    You can start with this example

     

    class access-support {
        allow-commands "configure|(request system configuration rescue save)";
        allow-configuration "system login";
    }

     

    Users of this class will not be able to configure anything except [system login]. However, note that they will be able to create a super-user account and log in through it, so this is unsatisfactory from a security point of view. So the above example must be modified in some way to meet your exact requirements.
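
Added example, not part of the original posts: a small audit that reads `show configuration system login` output and flags the escalation path the answer warns about, namely a class that can edit [system login] with no deny-configuration, and super-user accounts outside an approved list. The sample config, the user names and the `approved_admins` parameter are constructed for illustration, and evaluating the Junos regex with Python's `re` is an approximation.

```python
import re

# Constructed sample of "show configuration system login" output; the user
# names are invented for this example.
SAMPLE = """\
class access-support {
    allow-commands "configure|(request system configuration rescue save)";
    allow-configuration "system login";
}
user noc-admin {
    class super-user;
}
user helpdesk1 {
    class access-support;
}
user tmp-fix {
    class super-user;
}
"""

def parse(text):
    """Flatten brace-style Junos config into (path, statement) pairs."""
    path, out = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif line.endswith(";"):
            out.append((tuple(path), line[:-1]))
    return out

def audit(text, approved_admins):
    """Flag the escalation path: editable [system login] and new super-users."""
    stmts, findings = parse(text), []
    for path, stmt in stmts:
        block = path[0] if path else ""
        if block.startswith("class ") and stmt.startswith("allow-configuration "):
            # Assumption: Python's re approximates the Junos regex closely enough here.
            pattern = stmt.split(None, 1)[1].strip('"')
            denied = any(p == path and s.startswith("deny-configuration") for p, s in stmts)
            if re.search(pattern, "system login user x class super-user") and not denied:
                findings.append(f"{block} can edit [system login] with no deny-configuration")
        if block.startswith("user ") and stmt in ("class super-user", "class superuser"):
            user = block.split()[1]
            if user not in approved_admins:
                findings.append(f"unapproved super-user account: {user}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, {"noc-admin"}))
```

Run it against each saved configuration revision with the list of accounts that are meant to hold super-user, so a newly added privileged account shows up as a finding.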