After the router is installed and operational and the software is configured, several basic setup procedures should be performed. These include configuring user accounts so that various users can access the router, configuring login classes to allow different levels of access, configuring user authentication to validate users, and configuring the time zone and network time protocols. Configuring User Accounts
User accounts provide one way for users to access the router. For each account, the login name for the user and, optionally , information that identifies the user are defined. After an account is created, the software creates a home directory for the user. To create user accounts, include the user statement at the [edit system login] hierarchy level: [edit system] login { user user-name { full-name complete-name ; uid uid-value ; class class-name ; authentication { (encrypted-password " password " plain-text-password); ssh-rsa " public-key "; ssh-dsa " public-key "; } } } The following properties can be defined for each account:
[edit system] user@host# set root-authentication plain-text- password New password: type password here Retype new password: retype password here For ssh authentication, the contents of an ssh keys file can be copied into the configuration. To load an ssh key file, include the load-key-file statement in the root-authentication statement. This option loads RSA (ssh version 1) and DSA (ssh version 2) public keys. A user's authentication can also be configured to use ssh-rsa and ssh-dsa keys. If the ssh keys file is loaded, the contents of the file are copied into the configuration immediately after the load-key-file statement is entered. To view the ssh keys entries, use the configuration mode show command. An account for the user root is always present in the configuration. [edit system] user@host# set root-authentication load-key-file my-host:.ssh/identity.pub .file.19692 0 KB 0.3 kB/s ETA: 00:00:00 100% [edit system] user@host# show root-authentication { ssh- rsa "1024 35 97276382040842510554682267572498642416303 222074049625283903820386901415845349641700196106083587 229615634757849182736033612764418742659468932077391083 448101268312595772262546166799927831612350043866091586 628382248974673260566119218148953981396556156378621194 032768780653816960202749164163735913269396344008443 boojum@juniper.net"; # SECRET-DATA } Configuring Login ClassesUser access to the router is configured by defining login classes. All users who log in to the router must be in a login class. Any number of login classes can be defined. The properties defined in a login class include user access privileges, commands, and statements users can and cannot specify, and how long a login session can be idle before it times out and the user is logged off. To define a login class and its access privileges, include the class statement: [edit system login] class class-name { allow-commands " regular-expression "; deny-commands " regular-expression "; idle-timeout minutes ; permissions [ permissions ]; } Use class-name to name the login class. The software contains a few predefined login classes, which cannot be modified.
If the set command is issued on a predefined class name, the JUNOS software appends -local to the login class name. The following message is also displayed: warning: '< classname >' is a predefined class name; changing to '< classname >-local' The rename or copy commands cannot be used on a predefined login class. Doing so results in the following message: error: target '< classname >' is a predefined class Configuring Access Privilege LevelsEach top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. The access privileges for each login class are defined by one or more permission bits. To configure access privilege levels, include the permissions statement: [edit system login class] permissions [ permissions ]; In permissions , specify one or more of the permission bits listed in Table 4.10. The default permission bits are listed in Table 4.11. Permission bits are not cumulative, so for each class list all the bits needed, including view to display information and configure to enter configuration mode. Two forms for the permissions control the individual parts of the configuration:
Table 4.10. Login Class Permission Bits
Table 4.11. Default System Login Classes
Denying or Allowing Individual CommandsBy default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, individual commands normally associated with a given privilege level can be explicitly denied or allowed (using operational mode commands). One deny-commands and one allow-commands statement can be included in each login class. To explicitly deny a command that would otherwise be permitted, include the deny-commands statement: [edit system login class class-name ] deny-commands regular-expression ; To explicitly allow additional commands that would otherwise be denied, include the allow-commands statement: [edit system login class class-name ] allow-commands regular-expression ; If the regular-expression contains any spaces, operators, or wildcard characters , enclose it in quotation marks. Regular expressions are not case-sensitive. Extended regular expressions are used to specify which commands are denied or allowed. These regular expressions can be specified in the allow-commands and deny-commands statements at the [edit system login class] hierarchy level or as JUNOS-specific attributes in the RADIUS authentication server's configuration. If regular expressions are received during RADIUS authentication, they override any regular expressions configured on the local router. Command regular expressions implement the extended (modern) regular expressions as defined in POSIX 1003.2. Table 4.12 lists common regular expression operators. Configuring the Timeout Value for Idle Login SessionsAn idle login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard. By default, a login session remains established until a user logs out of the router, even if that session is idle. To close idle sessions automatically, a time limit can be configured for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes . Table 4.12. Common Regular Expression Operators
To define the timeout value for idle login sessions, include the idle-timeout statement. Specify the number of minutes that a session can be idle before it is automatically closed. [edit system login class class-name ] idle-timeout minutes ; If a timeout value has been configured, the CLI displays messages similar to the following starting 5 minutes before timing out the user: user@host# Session will be closed in 5 minutes if there is no activity. Warning: session will be closed in 1 minute if there is no activity Warning: session will be closed in 10 seconds if there is no activity Idle timeout exceeded: closing session The session closes after the specified time has elapsed except if the user is running Telnet or monitoring interfaces using the monitor interface or monitor traffic command. Configuring User AuthenticationThe router can be configured to use RADIUS or TACACS+ authentication, or both, to validate users who attempt to access the router. If both authentication methods are used, the preference of which authentication method the router will use first can also be configured. User authentication can be configured by configuring RADIUS authentication, TACACS+ authentication, template accounts for RADIUS and TACACS+ authentication, and the authentication order. RADIUS AuthenticationTo use RADIUS authentication on the router, configure information about one or more RADIUS servers on the network by including the radius-server statement: [edit system] radius-server server-address { port number ; secret password ; retry number ; timeout seconds ; } In server-address , specify the address of the RADIUS server. A port number on which to contact the RADIUS server can be specified. By default, port number 1812 is used (as specified in RFC 2138). A password must be specified in the secret statement. Passwords can contain spaces. The secret used by the local router must match that used by the server. To configure multiple RADIUS servers, include multiple radius-server statements.
Optionally, the amount of time that the local router waits to receive a response from a RADIUS server (in the timeout statement) and the number of times that the router attempts to contact a RADIUS authentication server (in the retry statement) can be specified. By default, the router waits 3 seconds. The value can be in the range of 1 through 90 seconds. By default, the router retries connecting to the server 3 times. This value can be in the range of 1 through 10 times. The JUNOS software supports the configuration of Juniper Networks-specific RADIUS attributes. These attributes are known as vendor-specific attributes and are described in RFC 2138, Remote Authentication Dial-In User Service ( RADIUS ). The Juniper Networks-specific attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 4.13 lists the configurable Juniper Networks-specific RADIUS attributes. Table 4.13. Juniper Networks “Specific RADIUS Attributes
TACACS+ AuthenticationTo use TACACS+ authentication on the router, configure information about one or more TACACS+ servers on the network by including the tacplus-server statement: [edit system] tacplus-server server-address { secret password ; single-connection; timeout seconds ; } In server-address , specify the address of the TACACS+ server. A secret (password) that the local router passes to the TACACS+ client (in the secret statement) must be specified. Secrets can contain spaces. The secret used by the local router must match that used by the server. Optionally, specify the length of time that the local router waits to receive a response from a TACACS+ server (in the timeout statement). By default, the router waits 3 seconds. The value can be in the range of 1 through 90 seconds. Optionally, the software can maintain one open TCP connection to the server for multiple requests , rather than opening a connection for each connection attempt, thus optimizing attempts to connect to a TACACS+ server. To do this, include the single-connection statement. Early versions of the TACACS+ server do not support a single TCP connection. If the single-connection statement is configured and the server does not support it, the JUNOS software will be unable to communicate with that TACACS+ server. To configure multiple TACACS+ servers, include multiple tacplus-server statements.
The TACACS+ attributes listed in Table 4.14 are specific to Juniper Networks. They are specified in the TACACS+ server configuration file on a per-user basis. The JUNOS software retrieves these attributes through an authorization request of the TACACS+ server after authenticating a user. These attributes do not need to be configured to run JUNOS software with TACACS+. To configure these attributes, include a service statement in the TACACS+ server configuration file of the following form in a user or group statement: service = junos-exec { local-user-name = <username-local-to-router> allow-commands = "<allow-commands-regexp>" deny-commands = "<deny-commands-regexp>" } Table 4.14. Juniper Networks-Specific TACACS+ Attributes
Creating Template Accounts for RADIUS and TACACS+ AuthenticationWhen local password authentication is used, a local user account must be created for every user who wants to access the system. However, when using RADIUS or TACACS+ authentication, single accounts can be created (for authorization purposes) that are shared by a set of users. These accounts are created using the remote and local user template accounts. When a user is using a template account, the CLI username is the login name; however, the privileges, file ownership, and effective user ID are inherited from the template account. By default, the JUNOS software uses the remote template account when the authenticated user does not exist locally on the router, the authenticated user's record in the authentication server specifies local user, or local user is specified as a user that does not exist locally on the router. To configure a remote template account, include the username remote and specify the privileges you want to provide to these remote users: [edit system login] user remote { full-name "All remote users"; uid uid-value ; class class-name ; } To configure different access privileges for users who share the remote template account, include the allow-commands and deny-commands commands on the authentication server configuration file. Local User Template AccountsLocal user template accounts are used when different types of templates are needed. Each template can define a different set of permissions appropriate for the group of users who use that template. These templates are defined locally on the router and referenced by the TACACS+ and RADIUS authentication servers. When local user templates are configured and a user logs in, the JUNOS software issues a request to the authentication server to authenticate the user's login name. If a user is authenticated, the server returns the local username to the JUNOS software, which then determines whether a local username is specified for that login name (local-username for TACACS+, Juniper-Local-User for RADIUS). If so, the JUNOS software selects the appropriate local user template locally configured on the router. If a local user template does not exist for the authenticated user, the router defaults to the remote template. To configure different access privileges for users who share the local user template account, include the allow-commands and deny-commands commands in the authentication server configuration file. To configure the local user template, include the local username and specify the privileges to provide to these local users: [edit system login] user local-user-name { full-name "local user account"; uid uid-value ; class class-name ; } Configuring the Authentication OrderIf the router is configured to be both a RADIUS and TACACS+ client (by including the radius-server and tacplus-server statements), the order in which the software tries the different authentication methods when verifying that a user can access the router can be configured. For each login attempt, the JUNOS software tries the authentication methods in order, starting with the first one, until the password matches. To configure the authentication order, include the authentication-order statement: [edit system] authentication-order [ authentication-methods ]; Specify one or more of the following in the preferred order, from first tried to last tried:
If the authentication-order statement is not included, users are verified based on their configured passwords. Configuring TimeThe default local time zone on the router is UTC (Coordinated Universal Time, formerly known as Greenwich Mean Time). To modify the local time zone, include the time-zone statement:
[edit system] time-zone time-zone ; Specify the time-zone using the continent /country/zone primary name. For the time zone change to take effect for all processes running on the router, the router must be rebooted. Configuring the Network Time ProtocolThe Network Time Protocol (NTP) provides mechanisms to synchronize time and coordinate time distribution in a large, diverse network. NTP uses a returnable-time design in which a distributed subnet of time servers operating in a self-organizing , hierarchical master-slave configuration synchronizes local clocks within the subnet and to national time standards by means of wire or radio. The servers also can redistribute reference time using local routing algorithms and time daemons.
To configure NTP on the router, include the ntp statement: [edit system] ntp { authentication-key number type type value password ; boot-server address ; broadcast < address > <key key-number > <version value > <ttl value >; broadcast-client; multicast-client < address >; peer address <key key-number > <version value > <prefer>; server address <key key-number > <version value > <prefer>; trusted-key [ key-numbers ]; } When configuring NTP, time servers are not actively configured. Rather, all clients also act as servers. An NTP server is not believed unless it, in turn , is synchronized to another NTP server ”which itself must be synchronized to something upstream, eventually terminating in a high-precision clock. If the time difference between the local router clock and the NTP server clock is more than 128 milliseconds , but less than 128 seconds, the clocks are slowly stepped into synchronization. However, if the difference is more than 128 seconds, the clocks are not synchronized. The time must be set on the local router so that the difference is less than 128 seconds to start the synchronization process. On the local router, the date and time must be set using the set date command. To set the time automatically, include the boot-server statement. When the router is booted , it issues an ntpdate request, which polls a network server to determine the local date and time. A server that the router uses to determine the time when the router boots must be specified. Otherwise, NTP is not able to synchronize to a time server if the server's time appears to be very far off the local router's time. To configure the NTP boot server, include the boot-server statement, specifying the address of an NTP server. Do not specify a hostname. [edit system ntp] boot-server address ; For NTP, the system on the network that acts as the authoritative time source (or time server) and how time is synchronized between systems on the network can be configured. To do this, the router is configured to operate in one of the following modes:
Symmetric active mode can be initiated by either the local or remote system. Only one system needs to be configured to do so. This means that the local system can synchronize to any system that offers symmetric active mode without any configuration whatsoever. NOTE Juniper Networks strongly recommends configuring authentication to ensure that the local system synchronizes only to known time servers. Configure the Router to Operate in Client ModeTo configure the local router to operate in client mode, include the server statement: [edit system ntp] server address <key key-number > <version value > <prefer>; Specify the address of the system acting as the time server. An address, not a hostname, must be specified. To include an authentication key in all messages sent to the time server, include the key option. The key corresponds to the key number specified in the authentication-key statement as described in "Configuring NTP Authentication Keys" on page 141. By default, the router sends NTP version 3 packets to the time server. To set the NTP version level to 1 or 2, include the version option. If more than one time server is configured, one server can be marked as being preferred by including the prefer option. Configure the Router to Operate in Symmetric Active ModeTo configure the local router to operate in symmetric active mode, include the peer statement: [edit system ntp] peer address <key key-number > <version value > <prefer>; Specify the address of the remote system. An address must be specified, not a hostname. To include an authentication key in all messages sent to the remote system, include the key option. The key corresponds to the key number specified in the authentication-key statement as described in the section "Configuring NTP Authentication Keys" on page 141. By default, the router sends NTP version 3 packets to the remote system. To set the NTP version level to 1 or 2, include the version option. If more than one remote system is configured, include the prefer option to mark one system as being preferred. Configure the Router to Operate in Broadcast ModeTo configure the local router to operate in broadcast mode, include the broadcast statement: [edit system ntp] broadcast address <key key-number > <version value > <ttl value >; Specify the broadcast address on one of the local networks or a multicast address assigned to NTP. An address must be specified, not a hostname. The multicast address must be 224.0.1.1 . To include an authentication key in all messages sent to the remote system, include the key option. The key corresponds to the key number specified in the authentication-key statement as described in the section "Configuring NTP Authentication Keys" on page 141. By default, the router sends NTP version 3 packets to the remote system. To set the NTP version level to 1 or 2, include the version option. Configuring NTP Authentication KeysTime synchronization can be authenticated to ensure that the local router obtains its time services only from known sources. By default, network time synchronization is unauthenticated. The router synchronizes to whatever system appears to have the most accurate time. Juniper Networks strongly recommends configuring authentication of network time services. To authenticate other time servers, include the trusted-key statement. Only time servers transmitting network time packets that contain one of the specified key numbers and whose key matches the value configured for that key number are eligible to be synchronized to. Other systems can synchronize to the local router without being authenticated. [edit system ntp] trusted-key [ key-numbers ]; Each key can be any 32-bit unsigned integer except 0. Include the key option in the peer , server , or broadcast statements to transmit the specified authentication key when transmitting packets. The key is necessary if the remote system has authentication enabled so that it can synchronize to the local system. To define the authentication keys, include the authentication-key statement: [edit system ntp] authentication-key key-number type type value password ; number is the key number, type is the authentication type (either MD5 or DES), and password is the password for this key. The key number, type, and password must match on all systems using that particular key for authentication. Configuring the Router to Listen for Broadcast MessagesWhen NTP is being used, the local router can be configured to listen for broadcast messages on the local network to discover other servers on the same subnet by including the broadcast-client statement: [edit system ntp] broadcast-client; When the router hears a broadcast message for the first time, it measures the nominal network delay using a brief client-server exchange with the remote server. Then, it enters broadcast client mode, in which it listens for, and synchronizes to, succeeding broadcast messages. To avoid accidental or malicious disruption in this mode, both the local and remote systems must use authentication and the same trusted key and key identifier. Configuring the Router to Listen for Multicast MessagesWhen using NTP, the local router can be configured to listen for multicast messages on the local network to discover other servers on the same subnet by including the multicast-client : [edit system ntp] multicast-client < address >; When the router hears a multicast message for the first time, it measures the nominal network delay using a brief client-server exchange with the remote server. Then, it enters multicast client mode, in which it listens for, and synchronizes to, succeeding multicast messages. One or more IP addresses can be specified. An address must be specified, not a hostname. If an address is specified, the router joins those multicast groups. If no address is specified, the software uses 224.0.1.1 . To avoid accidental or malicious disruption in this mode, both the local and remote systems must use authentication and the same trusted key and key identifier. |