Basic Software Setup | Juniper Networks Field Guide and Reference

After the router is installed and operational and the software is configured, several basic setup procedures should be performed. These include configuring user accounts so that various users can access the router, configuring login classes to allow different levels of access, configuring user authentication to validate users, and configuring the time zone and network time protocols.

Configuring User Accounts

Users can access the router without accounts if RADIUS or TACACS+ servers are configured, as described in "Configuring User Authentication" on page 131.

User accounts provide one way for users to access the router. For each account, the login name for the user and, optionally , information that identifies the user are defined. After an account is created, the software creates a home directory for the user.

To create user accounts, include the user statement at the [edit system login] hierarchy level:

 [edit system]  login {   user  user-name  {     full-name  complete-name  ;     uid  uid-value  ;     class  class-name  ;     authentication {       (encrypted-password "  password  "  plain-text-password);       ssh-rsa "  public-key  ";       ssh-dsa "  public-key  ";     }   } }

The following properties can be defined for each account:

Username ”(Optional) Name that identifies the user. It must be unique within the router. Do not include spaces, colons, or commas in the username.
User's full name ”(Optional) If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.
User identifier (UID) ”(Optional) Numeric identifier that is associated with the user account name. The identifier must be in the range 100 through 64,000 and must be unique within the router. If a UID is not assigned to a username, the software assigns one when the configuration is committed, preferring the lowest available number.
User's access privilege ”(Required) One of the login classes defined in the class statement at the [edit system login] hierarchy level or one of the default classes listed in Table 4.10 on page 128.
Authentication method or methods and passwords that the user can use to access the router ”(Optional) The authentication method used can be an ssh or an MD5 password, or a plain-text password that the JUNOS software encrypts using MD5-style encryption before entering it in the password database. For each method, the user's password can be specified. If the plain-text-password option is used, the user is prompted to enter and confirm the password:

 [edit system]  user@host#  set root-authentication plain-text-   password  New password:  type password here  Retype new password:  retype password here

For ssh authentication, the contents of an ssh keys file can be copied into the configuration. To load an ssh key file, include the load-key-file statement in the root-authentication statement. This option loads RSA (ssh version 1) and DSA (ssh version 2) public keys. A user's authentication can also be configured to use ssh-rsa and ssh-dsa keys.

If the ssh keys file is loaded, the contents of the file are copied into the configuration immediately after the load-key-file statement is entered. To view the ssh keys entries, use the configuration mode show command. An account for the user root is always present in the configuration.

 [edit system]  user@host#  set root-authentication load-key-file my-host:.ssh/identity.pub  .file.19692                         0 KB    0.3 kB/s  ETA: 00:00:00  100% [edit system] user@host#  show  root-authentication { ssh- rsa "1024 35 97276382040842510554682267572498642416303 222074049625283903820386901415845349641700196106083587 229615634757849182736033612764418742659468932077391083 448101268312595772262546166799927831612350043866091586 628382248974673260566119218148953981396556156378621194 032768780653816960202749164163735913269396344008443 boojum@juniper.net"; # SECRET-DATA }

Configuring Login Classes

User access to the router is configured by defining login classes. All users who log in to the router must be in a login class. Any number of login classes can be defined. The properties defined in a login class include user access privileges, commands, and statements users can and cannot specify, and how long a login session can be idle before it times out and the user is logged off.

To define a login class and its access privileges, include the class statement:

 [edit system login]  class  class-name  {   allow-commands "  regular-expression  ";   deny-commands "  regular-expression  ";   idle-timeout  minutes  ;   permissions [  permissions  ]; }

Use class-name to name the login class. The software contains a few predefined login classes, which cannot be modified.

Predefined login class names cannot be modified.

If the set command is issued on a predefined class name, the JUNOS software appends -local to the login class name. The following message is also displayed:

 warning: '<  classname  >' is a predefined class name; changing to '<  classname  >-local'

The rename or copy commands cannot be used on a predefined login class. Doing so results in the following message:

 error: target '<  classname  >' is a predefined class

Configuring Access Privilege Levels

Each top-level CLI command and each configuration statement has an access privilege level associated with it. Users can execute only those commands and configure and view only those statements for which they have access privileges. The access privileges for each login class are defined by one or more permission bits.

To configure access privilege levels, include the permissions statement:

 [edit system login class]  permissions [  permissions  ];

In permissions , specify one or more of the permission bits listed in Table 4.10. The default permission bits are listed in Table 4.11. Permission bits are not cumulative, so for each class list all the bits needed, including view to display information and configure to enter configuration mode. Two forms for the permissions control the individual parts of the configuration:

"Plain" form ”Provides read-only capability for that permission type. An example is interface .
Form that ends in -control ”Provides read and write capability for that permission type. An example is interface-control .

Table 4.10. Login Class Permission Bits

Permission Bit	Description
`admin`	Can view user account information in configuration mode and with the `show configuration` command.
`admin-control`	Can view user accounts and configure them (at the `[edit system login]` hierarchy level).
`all`	Has all permissions.
`clear`	Can clear (delete) information learned from the network that is stored in various network databases (using the `clear` commands).
`configure`	Can enter configuration mode (using the `configure` command) and commit configurations (using the `commit` command).
`control`	Can perform all control-level operations (all operations configured with the `-control` permission bits).
`edit`	Can edit all portions of a configuration, can load a configuration from an ASCII file, and can commit new and modified configurations (using all the commands in configuration mode).
`field`	Reserved for field (debugging) support.
`firewall`	Can view the firewall filter configuration in configuration mode.
`firewall-control`	Can view and configure firewall filter information (at the `[edit firewall]` hierarchy level).
`floppy`	Can read from and write to the removable media.
`interface`	Can view the interface configuration in configuration mode and with the `show configuration` operational mode command.
`interface-control`	Can view interface configuration information and configure interfaces (at the `[edit interfaces]` hierarchy level).
`maintenance`	Can perform system maintenance, including starting a local shell on the router and becoming the superuser in the shell (by issuing the `su root` command), and can halt and reboot the router (using the `request system` commands).
`network`	Can access the network by entering the `ping` , `ssh` , `telnet` , and `traceroute` commands.
`reset`	Can restart software processes using the `restart` command and can configure whether software processes are enabled or disabled (at the `[edit system processes]` hierarchy level).
`rollback`	Can use the `rollback` command to return to a previously committed configuration other than the most recently committed one.
`routing`	Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
`routing-control`	Can view general routing, routing protocol, and routing policy configuration information and configure general routing (at the `[edit routing-options]` hierarchy level), routing protocols (at the `[edit protocols]` hierarchy level), and routing policy (at the `[edit policy-options]` hierarchy level).
`secret`	Can view passwords and other authentication keys in the configuration.
`secret-control`	Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.
`shell`	Can start a local shell on the router by entering the `start shell` command.
`snmp`	Can view SNMP configuration information in configuration and operational modes.
`snmp-control`	Can view SNMP configuration information and configure SNMP (at the `[edit snmp]` hierarchy level).
`system`	Can view system-level information in configuration and operational modes.
`system-control`	Can view system-level configuration information and configure it (at the `[edit system]` hierarchy level).
`trace`	Can view trace file settings in configuration and operational modes.
`trace-control`	Can view trace file settings and configure trace file properties.
`view`	Can use various commands to display current systemwide , routing table, and protocol-specific values and statistics.

Table 4.11. Default System Login Classes

Login Class	Permission Bits Set
`operator`	`clear` , `network` , `reset` , `trace` , `view`
`read-only`	`view`
`super-user`	`all`
`unauthorized`	None

Denying or Allowing Individual Commands

By default, all top-level CLI commands have associated access privilege levels. Users can execute only those commands and view only those statements for which they have access privileges. For each login class, individual commands normally associated with a given privilege level can be explicitly denied or allowed (using operational mode commands). One deny-commands and one allow-commands statement can be included in each login class.

To explicitly deny a command that would otherwise be permitted, include the deny-commands statement:

 [edit system login class  class-name  ]  deny-commands  regular-expression  ;

To explicitly allow additional commands that would otherwise be denied, include the allow-commands statement:

 [edit system login class  class-name  ]  allow-commands  regular-expression  ;

If the regular-expression contains any spaces, operators, or wildcard characters , enclose it in quotation marks. Regular expressions are not case-sensitive.

Extended regular expressions are used to specify which commands are denied or allowed. These regular expressions can be specified in the allow-commands and deny-commands statements at the [edit system login class] hierarchy level or as JUNOS-specific attributes in the RADIUS authentication server's configuration. If regular expressions are received during RADIUS authentication, they override any regular expressions configured on the local router.

Command regular expressions implement the extended (modern) regular expressions as defined in POSIX 1003.2. Table 4.12 lists common regular expression operators.

Configuring the Timeout Value for Idle Login Sessions

An idle login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard. By default, a login session remains established until a user logs out of the router, even if that session is idle. To close idle sessions automatically, a time limit can be configured for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes .

Table 4.12. Common Regular Expression Operators

Operator	Match Conditions
	One of the two terms on either side of the pipe.
`^`	At the beginning of an expression, used to denote where the command begins, where there might be some ambiguity.
`$`	Character at the end of a command. Used to denote a command that must be matched exactly up to that point. For example, `allow-commands "show interfaces $"` means that the user cannot issue `show interfaces detail` or `show interfaces extensive` .
`[ ]`	Range of letters or digits. To separate the start and end of a range, use a hyphen ( `-` ).
`( )`	A group of commands, indicating an expression to be evaluated; the result is then evaluated as part of the overall expression.

To define the timeout value for idle login sessions, include the idle-timeout statement. Specify the number of minutes that a session can be idle before it is automatically closed.

 [edit system login class  class-name  ]  idle-timeout  minutes  ;

If a timeout value has been configured, the CLI displays messages similar to the following starting 5 minutes before timing out the user:

 user@host# Session will be closed in 5 minutes if there is  no activity. Warning: session will be closed in 1 minute if there is no activity Warning: session will be closed in 10 seconds if there is no activity Idle timeout exceeded: closing session

The session closes after the specified time has elapsed except if the user is running Telnet or monitoring interfaces using the monitor interface or monitor traffic command.

Configuring User Authentication

The router can be configured to use RADIUS or TACACS+ authentication, or both, to validate users who attempt to access the router. If both authentication methods are used, the preference of which authentication method the router will use first can also be configured.

User authentication can be configured by configuring RADIUS authentication, TACACS+ authentication, template accounts for RADIUS and TACACS+ authentication, and the authentication order.

RADIUS Authentication

To use RADIUS authentication on the router, configure information about one or more RADIUS servers on the network by including the radius-server statement:

 [edit system]  radius-server  server-address  {   port  number  ;   secret  password  ;   retry  number  ;   timeout  seconds  ; }

In server-address , specify the address of the RADIUS server.

A port number on which to contact the RADIUS server can be specified. By default, port number 1812 is used (as specified in RFC 2138).

A password must be specified in the secret statement. Passwords can contain spaces. The secret used by the local router must match that used by the server.

To configure multiple RADIUS servers, include multiple radius-server statements.

To configure a set of users that share a single account for authorization purposes, create a template user. To do this, include the user statement at the [edit system login] hierarchy level, as described in "Creating Template Accounts for RADIUS and TACACS+ Authentication" on page 135.

Optionally, the amount of time that the local router waits to receive a response from a RADIUS server (in the timeout statement) and the number of times that the router attempts to contact a RADIUS authentication server (in the retry statement) can be specified. By default, the router waits 3 seconds. The value can be in the range of 1 through 90 seconds. By default, the router retries connecting to the server 3 times. This value can be in the range of 1 through 10 times.

The JUNOS software supports the configuration of Juniper Networks-specific RADIUS attributes. These attributes are known as vendor-specific attributes and are described in RFC 2138, Remote Authentication Dial-In User Service ( RADIUS ). The Juniper Networks-specific attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 4.13 lists the configurable Juniper Networks-specific RADIUS attributes.

Table 4.13. Juniper Networks “Specific RADIUS Attributes

Name	Description	Type	Length	String
`Juniper-Local-User-Name`	Indicates the name of the user template used by this user when logging in to a device. This attribute is used only in Access-Accept packets.	1	3	One or more octets containing printable ASCII characters.
`Juniper-Allow-Commands`	Contains an extended regular expression that allows the user to run commands in addition to the commands authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets.	2	3	One or more octets containing printable ASCII characters, in the form of an extended regular expression.
`Juniper-Deny-Commands`	Contains an extended regular expression that denies the user permission to run commands authorized by the user's login class permission bits. This attribute is used only in Access-Accept packets.	3	3	One or more octets containing printable ASCII characters, in the form of an extended regular expression.

TACACS+ Authentication

To use TACACS+ authentication on the router, configure information about one or more TACACS+ servers on the network by including the tacplus-server statement:

 [edit system]  tacplus-server  server-address  {   secret  password  ;   single-connection;   timeout  seconds  ; }

In server-address , specify the address of the TACACS+ server.

A secret (password) that the local router passes to the TACACS+ client (in the secret statement) must be specified. Secrets can contain spaces. The secret used by the local router must match that used by the server.

Optionally, specify the length of time that the local router waits to receive a response from a TACACS+ server (in the timeout statement). By default, the router waits 3 seconds. The value can be in the range of 1 through 90 seconds.

Optionally, the software can maintain one open TCP connection to the server for multiple requests , rather than opening a connection for each connection attempt, thus optimizing attempts to connect to a TACACS+ server. To do this, include the single-connection statement. Early versions of the TACACS+ server do not support a single TCP connection. If the single-connection statement is configured and the server does not support it, the JUNOS software will be unable to communicate with that TACACS+ server.

To configure multiple TACACS+ servers, include multiple tacplus-server statements.

The TACACS+ attributes listed in Table 4.14 are specific to Juniper Networks. They are specified in the TACACS+ server configuration file on a per-user basis. The JUNOS software retrieves these attributes through an authorization request of the TACACS+ server after authenticating a user. These attributes do not need to be configured to run JUNOS software with TACACS+. To configure these attributes, include a service statement in the TACACS+ server configuration file of the following form in a user or group statement:

 service = junos-exec {     local-user-name = <username-local-to-router>     allow-commands = "<allow-commands-regexp>"     deny-commands = "<deny-commands-regexp>" }

Table 4.14. Juniper Networks-Specific TACACS+ Attributes

Name	Description	Length	String
`local-user-name`	Indicates the name of the user template used by this user when logging into a device.	3	One or more octets containing printable ASCII characters.
`allow-commands`	Contains an extended regular expression that allows the user to run commands in addition to those commands authorized by the user's login class permission bits.	3	One or more octets containing printable ASCII characters, in the form of an extended regular expression.
`deny-commands`	Contains an extended regular expression that denies the user permission to run commands authorized by the user's login class permission bits.	3	One or more octets containing printable ASCII characters, in the form of an extended regular expression.

Creating Template Accounts for RADIUS and TACACS+ Authentication

When local password authentication is used, a local user account must be created for every user who wants to access the system. However, when using RADIUS or TACACS+ authentication, single accounts can be created (for authorization purposes) that are shared by a set of users. These accounts are created using the remote and local user template accounts. When a user is using a template account, the CLI username is the login name; however, the privileges, file ownership, and effective user ID are inherited from the template account.

By default, the JUNOS software uses the remote template account when the authenticated user does not exist locally on the router, the authenticated user's record in the authentication server specifies local user, or local user is specified as a user that does not exist locally on the router.

To configure a remote template account, include the username remote and specify the privileges you want to provide to these remote users:

 [edit system login]  user remote {   full-name "All remote users";   uid  uid-value  ;   class  class-name  ; }

To configure different access privileges for users who share the remote template account, include the allow-commands and deny-commands commands on the authentication server configuration file.

Local User Template Accounts

Local user template accounts are used when different types of templates are needed. Each template can define a different set of permissions appropriate for the group of users who use that template. These templates are defined locally on the router and referenced by the TACACS+ and RADIUS authentication servers.

When local user templates are configured and a user logs in, the JUNOS software issues a request to the authentication server to authenticate the user's login name. If a user is authenticated, the server returns the local username to the JUNOS software, which then determines whether a local username is specified for that login name (local-username for TACACS+, Juniper-Local-User for RADIUS). If so, the JUNOS software selects the appropriate local user template locally configured on the router. If a local user template does not exist for the authenticated user, the router defaults to the remote template.

To configure different access privileges for users who share the local user template account, include the allow-commands and deny-commands commands in the authentication server configuration file.

To configure the local user template, include the local username and specify the privileges to provide to these local users:

 [edit system login]  user  local-user-name  {   full-name "local user account";   uid  uid-value  ;   class  class-name  ; }

Configuring the Authentication Order

If the router is configured to be both a RADIUS and TACACS+ client (by including the radius-server and tacplus-server statements), the order in which the software tries the different authentication methods when verifying that a user can access the router can be configured. For each login attempt, the JUNOS software tries the authentication methods in order, starting with the first one, until the password matches.

To configure the authentication order, include the authentication-order statement:

 [edit system]  authentication-order [  authentication-methods  ];

Specify one or more of the following in the preferred order, from first tried to last tried:

radius ” Verify the user using RADIUS authentication services.
tacplus ” Verify the user using TACACS+ authentication services.
password ” Verify the user using the password configured for the user with the authentication statement.

If the authentication-order statement is not included, users are verified based on their configured passwords.

Configuring Time

The default local time zone on the router is UTC (Coordinated Universal Time, formerly known as Greenwich Mean Time). To modify the local time zone, include the time-zone statement:

For information about available time zones, see the JUNOS Internet software technical documentation.

 [edit system]  time-zone  time-zone  ;

Specify the time-zone using the continent /country/zone primary name. For the time zone change to take effect for all processes running on the router, the router must be rebooted.

Configuring the Network Time Protocol

The Network Time Protocol (NTP) provides mechanisms to synchronize time and coordinate time distribution in a large, diverse network. NTP uses a returnable-time design in which a distributed subnet of time servers operating in a self-organizing , hierarchical master-slave configuration synchronizes local clocks within the subnet and to national time standards by means of wire or radio. The servers also can redistribute reference time using local routing algorithms and time daemons.

NTP is defined in RFC 1305, Network Time Protocol (Version 3) Specification, Implementation, and Analysis .

To configure NTP on the router, include the ntp statement:

 [edit system]  ntp {   authentication-key  number  type  type  value  password  ;   boot-server  address  ;   broadcast <  address  > <key  key-number  > <version  value  > <ttl  value  >;   broadcast-client;   multicast-client <  address  >;   peer  address  <key  key-number  > <version  value  > <prefer>;   server  address  <key  key-number  > <version  value  > <prefer>;   trusted-key [  key-numbers  ]; }

When configuring NTP, time servers are not actively configured. Rather, all clients also act as servers. An NTP server is not believed unless it, in turn , is synchronized to another NTP server ”which itself must be synchronized to something upstream, eventually terminating in a high-precision clock.

If the time difference between the local router clock and the NTP server clock is more than 128 milliseconds , but less than 128 seconds, the clocks are slowly stepped into synchronization. However, if the difference is more than 128 seconds, the clocks are not synchronized. The time must be set on the local router so that the difference is less than 128 seconds to start the synchronization process. On the local router, the date and time must be set using the set date command. To set the time automatically, include the boot-server statement.

When the router is booted , it issues an ntpdate request, which polls a network server to determine the local date and time. A server that the router uses to determine the time when the router boots must be specified. Otherwise, NTP is not able to synchronize to a time server if the server's time appears to be very far off the local router's time.

To configure the NTP boot server, include the boot-server statement, specifying the address of an NTP server. Do not specify a hostname.

 [edit system ntp]  boot-server  address  ;

For NTP, the system on the network that acts as the authoritative time source (or time server) and how time is synchronized between systems on the network can be configured. To do this, the router is configured to operate in one of the following modes:

Client mode ”In this mode, the local router can be synchronized to the remote system, but the remote system can never be synchronized to the local router.
Symmetric active mode ”In this mode, the local router and the remote system can synchronize each other. This mode is used in a network in which either the local router or the remote system might be a better source of time.
Broadcast mode ”In this mode, the local router sends periodic broadcast messages to a client population at the specified broadcast or multicast address. Normally, this mode is used only when the local router is operating as a transmitter.

Symmetric active mode can be initiated by either the local or remote system. Only one system needs to be configured to do so. This means that the local system can synchronize to any system that offers symmetric active mode without any configuration whatsoever.

NOTE

Juniper Networks strongly recommends configuring authentication to ensure that the local system synchronizes only to known time servers.

Configure the Router to Operate in Client Mode

To configure the local router to operate in client mode, include the server statement:

 [edit system ntp]  server  address  <key  key-number >  <version  value  > <prefer>;

Specify the address of the system acting as the time server. An address, not a hostname, must be specified.

To include an authentication key in all messages sent to the time server, include the key option. The key corresponds to the key number specified in the authentication-key statement as described in "Configuring NTP Authentication Keys" on page 141.

By default, the router sends NTP version 3 packets to the time server. To set the NTP version level to 1 or 2, include the version option.

If more than one time server is configured, one server can be marked as being preferred by including the prefer option.

Configure the Router to Operate in Symmetric Active Mode

To configure the local router to operate in symmetric active mode, include the peer statement:

 [edit system ntp]  peer  address  <key  key-number  > <version  value  > <prefer>;

Specify the address of the remote system. An address must be specified, not a hostname.

To include an authentication key in all messages sent to the remote system, include the key option. The key corresponds to the key number specified in the authentication-key statement as described in the section "Configuring NTP Authentication Keys" on page 141.

By default, the router sends NTP version 3 packets to the remote system. To set the NTP version level to 1 or 2, include the version option.

If more than one remote system is configured, include the prefer option to mark one system as being preferred.

Configure the Router to Operate in Broadcast Mode

To configure the local router to operate in broadcast mode, include the broadcast statement:

 [edit system ntp]  broadcast  address  <key  key-number  > <version  value  > <ttl  value  >;

Specify the broadcast address on one of the local networks or a multicast address assigned to NTP. An address must be specified, not a hostname. The multicast address must be 224.0.1.1 .

By default, the router sends NTP version 3 packets to the remote system. To set the NTP version level to 1 or 2, include the version option.

Configuring NTP Authentication Keys

Time synchronization can be authenticated to ensure that the local router obtains its time services only from known sources. By default, network time synchronization is unauthenticated. The router synchronizes to whatever system appears to have the most accurate time. Juniper Networks strongly recommends configuring authentication of network time services.

To authenticate other time servers, include the trusted-key statement. Only time servers transmitting network time packets that contain one of the specified key numbers and whose key matches the value configured for that key number are eligible to be synchronized to. Other systems can synchronize to the local router without being authenticated.

 [edit system ntp]  trusted-key [  key-numbers  ];

Each key can be any 32-bit unsigned integer except 0. Include the key option in the peer , server , or broadcast statements to transmit the specified authentication key when transmitting packets. The key is necessary if the remote system has authentication enabled so that it can synchronize to the local system.

To define the authentication keys, include the authentication-key statement:

 [edit system ntp]  authentication-key  key-number  type  type  value  password  ;

number is the key number, type is the authentication type (either MD5 or DES), and password is the password for this key. The key number, type, and password must match on all systems using that particular key for authentication.

Configuring the Router to Listen for Broadcast Messages

When NTP is being used, the local router can be configured to listen for broadcast messages on the local network to discover other servers on the same subnet by including the broadcast-client statement:

 [edit system ntp]  broadcast-client;

When the router hears a broadcast message for the first time, it measures the nominal network delay using a brief client-server exchange with the remote server. Then, it enters broadcast client mode, in which it listens for, and synchronizes to, succeeding broadcast messages.

To avoid accidental or malicious disruption in this mode, both the local and remote systems must use authentication and the same trusted key and key identifier.

Configuring the Router to Listen for Multicast Messages

When using NTP, the local router can be configured to listen for multicast messages on the local network to discover other servers on the same subnet by including the multicast-client :

 [edit system ntp]  multicast-client <  address  >;

When the router hears a multicast message for the first time, it measures the nominal network delay using a brief client-server exchange with the remote server. Then, it enters multicast client mode, in which it listens for, and synchronizes to, succeeding multicast messages.

One or more IP addresses can be specified. An address must be specified, not a hostname. If an address is specified, the router joins those multicast groups. If no address is specified, the software uses 224.0.1.1 .

To avoid accidental or malicious disruption in this mode, both the local and remote systems must use authentication and the same trusted key and key identifier.