Users can be created locally on a Junos device under the `system login` hierarchy. A local user that logs in with a password needs one configured; the usual way is the `authentication plain-text-password` keyword, which prompts for the password when the `set` command is entered.
The name can be misleading. It does not mean the password is stored in plain text; it means that you are about to type the password in plain text. Once entered, the password is hashed and the hash is what appears in the configuration, under the `encrypted-password` keyword, so a `show configuration` never reveals the original password.
Additionally, each user needs to have a login class. Classes define the permissions the user has, such as which commands they can run and which parts of the configuration they can see or change.
There are several built-in classes (super-user, operator, read-only and unauthorized), but custom classes are also supported and are the better choice when a role needs less than full access.
- In addition to local authentication, external authentication is also supported. This includes RADIUS and TACACS+ servers.
- More than one authentication method, and more than one server per method, can be configured. If the first does not respond, the next in the list is consulted.
- Local authentication can be configured as a fallback. Listing `password` in the authentication order means local accounts are consulted whenever the external servers do not authenticate the user; if `password` is not listed, Junos still falls back to local passwords, but only when no external server responds at all.
Common login class permissions include:
- System – Can view system-level information, including the `system` hierarchy of the configuration
- View-configuration – Can view all of the configuration (with a few exceptions, such as secrets)
- Network – Can run network commands (ping, traceroute, telnet, ssh)
- Configure – Can enter configuration mode
- Firewall – Can view firewall configuration
- Interface – Can view interface configuration
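The following configuration, in the `set` form used elsewhere on this page, ties the pieces above together: a custom class, a local user in that class, two RADIUS servers and an authentication order with local fallback. It is an added example, not configuration from the original page; the class name, usernames, addresses and shared secret are assumed placeholders.

```junos
## Added example (not from the original page). Names, addresses and the
## shared secret are assumed placeholders.

## A custom class for helpdesk staff: read-only visibility, network
## tools and a couple of explicitly allowed commands, but no
## configuration mode. Commands are matched against the regular
## expressions given to allow-commands / deny-commands.
set system login class helpdesk idle-timeout 15
set system login class helpdesk permissions [ view view-configuration network ]
set system login class helpdesk allow-commands "(request system reboot)|(clear interfaces statistics .*)"
set system login class helpdesk deny-commands "(ssh)|(telnet)"

## Local user in that class. plain-text-password prompts for the
## password interactively; the committed configuration stores only
## the hash, under 'encrypted-password'.
set system login user jsmith uid 2001 class helpdesk
set system login user jsmith authentication plain-text-password

## RADIUS servers, consulted in the order they are listed (addresses
## and secret are assumed).
set system radius-server 192.0.2.10 secret "radius-shared-secret"
set system radius-server 192.0.2.10 timeout 5
set system radius-server 192.0.2.10 retry 3
set system radius-server 192.0.2.11 secret "radius-shared-secret"

## RADIUS first, local accounts second. Because 'password' is listed,
## local accounts are consulted whenever RADIUS does not authenticate
## the user. Without it, local passwords are only tried when no
## RADIUS server responds.
set system authentication-order [ radius password ]

## Template user for RADIUS-authenticated logins that have no matching
## local account: they inherit this class unless the server returns a
## different one.
set system login user remote class helpdesk
```

After `commit`, `show configuration system login user jsmith` shows `encrypted-password` with a hash rather than the typed password. If the RADIUS servers become unreachable, `jsmith` can still log in through the local fallback, which is why that account should carry a strong password and the narrowest class that still allows recovery.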
| Command | Mode | Description |
|---|---|---|
| `set system login user NAME` | Configuration | Create a new user |
| `set system login user NAME class` | Configuration | Set a user's class |
| `set system login class NAME` | Configuration | Create a new class |
| `set system login class NAME permissions` | Configuration | Assign permissions to a class |
| `set system login class NAME allow-commands` | Configuration | Allow specific commands (regular expression) |
| `set system radius-server` | Configuration | Configure a RADIUS server |
| `set system tacplus-server` | Configuration | Configure a TACACS+ server |
| `set system authentication-order` | Configuration | Set the order of authentication methods, with an optional local fallback |