Contributor
aeroplane
Posts: 723
Registered: 06-30-2009

AAA in JUNOS

Hi Experts

I want to allow a few users to configure and view only the system-related configuration. How can I do that?

Thanks

Super Contributor
AdamLin
Posts: 167
Registered: 08-02-2010

Re: AAA in JUNOS

If I understand you correctly: add a login class with the permissions listed below, then assign the user to that login class.

access Can view access configuration
access-control Can modify access configuration
admin Can view user accounts
admin-control Can modify user accounts
all All permission bits turned on
clear Can clear learned network info
configure Can enter configuration mode
control Can modify any config
field Can use field debug commands
firewall Can view firewall configuration
firewall-control Can modify firewall configuration
floppy Can read and write the floppy
flow-tap Can view flow-tap configuration
flow-tap-control Can modify flow-tap configuration
flow-tap-operation Can tap flows
idp-profiler-operation Can Profiler data
interface Can view interface configuration
interface-control Can modify interface configuration
maintenance Can become the super-user
network Can access the network
pgcp-session-mirroring Can view pgcp session mirroring configuration
pgcp-session-mirroring-control Can modify pgcp session mirroring configuration
reset Can reset/restart interfaces and daemons
rollback Can rollback to previous configurations
routing Can view routing configuration
routing-control Can modify routing configuration
secret Can view secret statements
secret-control Can modify secret statements
security Can view security configuration
security-control Can modify security configuration
shell Can start a local shell
snmp Can view SNMP configuration
snmp-control Can modify SNMP configuration
system Can view system configuration
system-control Can modify system configuration
trace Can view trace file settings
trace-control Can modify trace file settings
view Can view current values and statistics
view-configuration Can view all configuration (not including secrets)

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
Contributor
aeroplane
Posts: 723
Registered: 06-30-2009

Re: AAA in JUNOS

Hi Adam

1. I created one class named "test" and gave it the permissions "configure" and "system-control".

2. I created one user named "test" and assigned it the class "test" created in step 1.

BUT when I log in as the test user, I can still view the other configuration parts and can also configure other hierarchies like SMTP etc.

test@srx650# set ?
Possible completions:
> access-profile       Access profile for this instance
> applications         Define applications by protocol characteristics
+ apply-groups         Groups from which to inherit configuration data
> ethernet-switching-options  Ethernet-switching configuration options
> groups               Configuration groups
> schedulers           Security scheduler
> services             Service PIC applications settings
> smtp                 Simple Mail Transfer Protocol service configuration
> system               System parameters
> vlans                VLAN configuration

test@srx650# show ?
Possible completions:
  <[Enter]>            Execute this command
> access-profile       Access profile for this instance
> applications         Define applications by protocol characteristics
+ apply-groups         Groups from which to inherit configuration data
> ethernet-switching-options  Ethernet-switching configuration options
> groups               Configuration groups
> schedulers           Security scheduler
> services             Service PIC applications settings
> smtp                 Simple Mail Transfer Protocol service configuration
> system               System parameters
> vlans                VLAN configuration
  |                    Pipe through a command

Can you please suggest what is missing?

Super Contributor
AdamLin
Posts: 167
Registered: 08-02-2010

Re: AAA in JUNOS

Looks like "system" is more than just [ edit system ]; I guess you could use "deny-configuration" under the class to filter out what you don't want.
Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
Regular Visitor
jasonlai
Posts: 7
Registered: 08-09-2010

Re: AAA in JUNOS

Hi,

From the example below, you can see that with a deny-configuration regex I'm disallowing the system login class and system services configuration hierarchies for the op-ro-global class.

jasonlai@test123> show configuration system
tacplus-server {
    x.x.x.x secret /* SECRET-DATA */; ## SECRET-DATA
    y.y.y.y secret /* SECRET-DATA */; ## SECRET-DATA
}
accounting {
    events [ login change-log interactive-commands ];
    destination {
        tacplus {
            server {
                203.208.154.212 {
                    secret /* SECRET-DATA */; ## SECRET-DATA
                    single-connection;
                }
            }
        }
    }
}
login {
    message "PERSONNEL ONLY";
    class admin {
        idle-timeout 10;
        permissions all;
    }
    class op-ro-global {
        idle-timeout 10;
        permissions [ clear network reset system trace view view-configuration ];
        deny-configuration "(system login class) | (system services)";
    }
    class operator-local {
        idle-timeout 20;
        permissions [ clear network reset trace view ];
    }
    user admin {
        full-name "Network Administrators";
        uid 7473;
        class admin;
    }
    user op-ro-global {
        full-name "Network Operators";
        uid 2002;
        class op-ro-global;
    }
    user test123 {
        full-name " access acount";
        uid 2004;
        class admin;
        authentication {
            encrypted-password /* SECRET-DATA */; ## SECRET-DATA
        }
    }
}
services {
    ssh {
        root-login deny;
        connection-limit 10;
        rate-limit 10;
    }
}


Cheers,

Jason Kalai
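Putting Adam's suggestion and Jason's config together, here is an added example (not from the thread or from Juniper) in set-style syntax that restricts a user to the [edit system] hierarchy on an SRX like the one in the thread. The class name "sysadmin-limited", the user name "test" and the full-name string are illustrative; the hierarchies in the deny regex are the ones the "test" user saw under "set ?" above, plus the authentication-related parts of [edit system].

```junos
## Added example, not from the thread. Class and user names are illustrative.

## Permission bits: "configure" enters configuration mode, "system" and
## "system-control" view and change system configuration, "view" allows
## operational show commands (needed for "show cli authorization" below).
set system login class sysadmin-limited idle-timeout 10
set system login class sysadmin-limited permissions [ configure system system-control view ]

## On the SRX in the thread the "system" bit also exposed access-profile,
## applications, ethernet-switching-options, schedulers, services, smtp and
## vlans. deny-configuration holds ONE regular expression matched against the
## configuration statement path, so every hierarchy to hide goes into a single
## alternation (re-issuing "set ... deny-configuration" replaces the regex
## rather than adding to it). A user with system-control could otherwise add
## accounts or edit login classes, so "system login" and "system root-authentication"
## are denied as well, as Jason's op-ro-global class does for "system login class".
set system login class sysadmin-limited deny-configuration "(access-profile|applications|ethernet-switching-options|schedulers|services|smtp|vlans|system login|system root-authentication)"

## Bind the user to the class. "plain-text-password" prompts for the password
## interactively and stores it hashed in the configuration.
set system login user test full-name "Limited system operator"
set system login user test class sysadmin-limited
set system login user test authentication plain-text-password

commit and-quit

## Checks, logged in as "test":
##   show cli authorization      -> shows the class, permission bits and the
##                                  individual statement deny regex in effect
##   configure ; set ?           -> "system" should be the only top-level hierarchy
##                                  offered; "set system login ..." is refused
```

Note that "services" in the regex also matches "system services", so the SSH and other service settings under [edit system] are hidden from this class as in Jason's example; drop it from the alternation if those settings are part of what the limited users are meant to manage.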
