If you are using the RADIUS Service-Type attribute to assign access levels, the system
sets the Initial-Auth-Level as follows:
■ If the Service-Type attribute is set to Administrative, the Initial-Auth-Level is
set to 10.
■ If the Service-Type attribute is set to NAS Prompt or Login, the Initial-Auth-Level
is set to 1.
Per-User Enable Authentication
After a user has been authenticated through RADIUS, the RADIUS server provides
the E Series router with the names of the privilege levels (for example, 10) to which
the user has enable access. When the user attempts to access a privilege level through
the enable command, the system approves or denies the request based on the list of
levels it received through RADIUS. See Table 47 on page 447.
Table 47: Juniper Networks–Specific CLI Access VSA Descriptions

VSA: Initial-CLI-Access-Level
    Description: Specifies the initial level of access to CLI commands.
    Type: 26    Length: len    Subtype: 18    Subtype Length: sublen
    Value: Single attribute; enter only: 0, 1, 5, 10, or 15

VSA: Alt-CLI-Access-Level
    Description: Specifies level of access to CLI commands.
    Type: 26    Length: len    Subtype: 20    Subtype Length: sublen
    Value: Single attribute; enter only: 0, 1, 5, 10, or 15
NOTE: All levels to which a user can have access must explicitly be specified in the
Admin-Auth-Set VSA.
The user is not prompted for a password, because the system knows whether or not
the user should have access to the requested level. If the user is not authenticated
through RADIUS, the router uses the system-wide enable passwords instead.
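The following Python is an added example, not code from the Juniper documentation or from JunosE itself. It models what the router does with an Access-Accept: it parses the standard attribute list, applies the Service-Type rule above (Administrative gives Initial-Auth-Level 10, NAS Prompt or Login gives 1), decodes the Initial-CLI-Access-Level VSA from Table 47 (type 26, subtype 18) while rejecting any value other than 0, 1, 5, 10 or 15, and checks an enable request strictly against the set of levels the server listed, as the NOTE requires. Assumptions are marked in the code: the vendor ID 4874 (Unisphere/ERX) is taken from common RADIUS dictionaries and not from this page, the precedence of the VSA over Service-Type is a choice made here, and Admin-Auth-Set is accepted as an already-parsed set because the page does not describe its wire encoding.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

# Standard RADIUS attribute types and Service-Type values (RFC 2865), not from the page.
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_LOGIN = 1
SERVICE_TYPE_ADMINISTRATIVE = 6
SERVICE_TYPE_NAS_PROMPT = 7

# Assumption: the E Series VSAs ride under the Unisphere/ERX vendor ID 4874.
# Verify this against the RADIUS server's dictionary before relying on it.
VENDOR_ID_ASSUMED = 4874
VSA_INITIAL_CLI_ACCESS_LEVEL = 18      # subtype, from Table 47
VSA_ALT_CLI_ACCESS_LEVEL = 20          # subtype, from Table 47
VALID_CLI_LEVELS = {0, 1, 5, 10, 15}   # the only values Table 47 permits


def encode_int_attr(attr_type: int, value: int) -> bytes:
    """Encode a standard 4-byte integer attribute: type(1) length(1)=6 value(4)."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_vsa(vendor_id: int, subtype: int, value: int) -> bytes:
    """Encode a Vendor-Specific attribute (type 26) carrying one integer subattribute.
    Layout: type(1) len(1) vendor-id(4) subtype(1) sublen(1) value(4)."""
    sub = struct.pack("!BBI", subtype, 6, value)
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attrs(raw: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad attribute length at offset %d" % i)
        out.append((attr_type, raw[i + 2:i + length]))
        i += length
    return out


def decode_vsa(value: bytes, vendor_id: int) -> Dict[int, int]:
    """Return {subtype: int} for the integer subattributes of one vendor's VSA.
    A VSA belonging to another vendor is ignored rather than misread."""
    if len(value) < 4:
        raise ValueError("VSA shorter than its vendor-id field")
    if struct.unpack("!I", value[:4])[0] != vendor_id:
        return {}
    subs, i = {}, 4
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated subattribute header")
        subtype, sublen = value[i], value[i + 1]
        if sublen < 2 or i + sublen > len(value):
            raise ValueError("bad subattribute length")
        data = value[i + 2:i + sublen]
        if len(data) == 4:                       # only integer subattributes matter here
            subs[subtype] = struct.unpack("!I", data)[0]
        i += sublen
    return subs


def level_from_service_type(service_type: int) -> Optional[int]:
    """The Service-Type rule from the text: Administrative -> 10, NAS Prompt or Login -> 1."""
    if service_type == SERVICE_TYPE_ADMINISTRATIVE:
        return 10
    if service_type in (SERVICE_TYPE_NAS_PROMPT, SERVICE_TYPE_LOGIN):
        return 1
    return None


def initial_auth_level(raw_attrs: bytes, vendor_id: int = VENDOR_ID_ASSUMED) -> Optional[int]:
    """Derive the Initial-Auth-Level from an Access-Accept attribute list.
    Assumption: an Initial-CLI-Access-Level VSA wins over Service-Type when both are
    present (the page does not state the precedence). Values outside 0/1/5/10/15 are
    rejected, as Table 47 requires."""
    service_type = None
    for attr_type, value in decode_attrs(raw_attrs):
        if attr_type == ATTR_VENDOR_SPECIFIC:
            subs = decode_vsa(value, vendor_id)
            if VSA_INITIAL_CLI_ACCESS_LEVEL in subs:
                level = subs[VSA_INITIAL_CLI_ACCESS_LEVEL]
                if level not in VALID_CLI_LEVELS:
                    raise ValueError("Initial-CLI-Access-Level %d is not allowed" % level)
                return level
        elif attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
    return None if service_type is None else level_from_service_type(service_type)


def enable_allowed(requested_level: int, admin_auth_set: Set[int]) -> bool:
    """Per-user enable: approve only a level the RADIUS server listed explicitly.
    No password prompt and no 'lower level implies allowed' shortcut: per the NOTE, every
    reachable level must appear in Admin-Auth-Set. Its wire encoding is not on the page,
    so it is taken here (an assumption) as an already-parsed set of integers."""
    return requested_level in admin_auth_set
```

Run with a constructed Access-Accept such as `encode_int_attr(ATTR_SERVICE_TYPE, SERVICE_TYPE_NAS_PROMPT) + encode_vsa(VENDOR_ID_ASSUMED, VSA_INITIAL_CLI_ACCESS_LEVEL, 10)` and `initial_auth_level` returns 10; without the VSA the NAS Prompt Service-Type alone yields 1. The length checks in `decode_attrs` and `decode_vsa` are the part a defender should keep: an attribute list that a NAS trusts blindly is a parsing hazard, and a VSA from an unexpected vendor ID is deliberately ignored rather than interpreted.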
Restricting Access to Virtual Routers
You can use RADIUS authentication to specify whether users can access all virtual
routers (VRs), one specific VR, or a set of specific VRs.
NOTE: This classification is independent of the command access levels configurable
through the Initial-CLI-Access-Level VSA.
Restricting User Access ■ 447
Chapter 7: Passwords and Security