Creating a Group Login Account

Problem

You want to use a RADIUS or TACACS+ database to authenticate a group of users who perform similar job functions and tasks on the router, instead of setting up individual login accounts for them on the router.

Solution

Create a group account on the router to allow multiple users to be authenticated by the same RADIUS or TACACS+ server account:

	[edit system login]
	aviva@router1# set user noc class operator
	aviva@router1# set user noc full-name "NOC team"

Then set the authentication order so that the remote server is checked before the router's configuration file. The following command uses TACACS+:

	[edit system]
	aviva@router1# set authentication-order [ tacacs password ]

Finally, map the users on the server to the account name configured on the router. The following is the map on a TACACS+ server:

	user = mike {
	    service = junos-exec {
	        local-user-name = noc
	    }
	}
	user = sage {
	    service = junos-exec {
	        local-user-name = noc
	    }
	}
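Once the server map grows beyond a handful of users it is easy to lose track of which TACACS+ users land in which router template account, or to map someone to a local-user-name the router never defines. The following audit script is an added example, not part of the recipe or of Junos; it parses a constructed tac_plus-style user map and a constructed "display set" copy of the router's [edit system login] configuration, groups the server's users by the router account they map to, reports the login class each account carries, and flags any user whose local-user-name is not a login account on the router.

```python
import re
from collections import defaultdict

# Constructed tac_plus-style user map: the recipe's two users mapped to "noc",
# plus a third user mapped to an account the router does not define.
TACACS_USERS = """
user = mike {
    service = junos-exec {
        local-user-name = noc
    }
}
user = sage {
    service = junos-exec {
        local-user-name = noc
    }
}
user = dana {
    service = junos-exec {
        local-user-name = netadmin
    }
}
"""

# Constructed router side, as "show configuration system login | display set".
ROUTER_LOGIN_CONFIG = """
set system login user noc class operator
set system login user noc full-name "NOC team"
set system login user aviva class super-user
"""

USER_RE = re.compile(r"user\s*=\s*(\S+)\s*\{(.*?)\n\}", re.S)  # block ends at a column-0 brace
LOCAL_RE = re.compile(r"local-user-name\s*=\s*(\S+)")
CLASS_RE = re.compile(r"^set system login user (\S+) class (\S+)", re.M)

def parse_tacacs_map(text):
    """TACACS+ username -> local-user-name returned by its junos-exec service."""
    mapping = {}
    for name, body in USER_RE.findall(text):
        match = LOCAL_RE.search(body)
        mapping[name] = match.group(1) if match else None
    return mapping

def audit(tacacs_text, router_text):
    """Group TACACS+ users by router account; flag users whose account is undefined."""
    classes = dict(CLASS_RE.findall(router_text))  # router account -> login class
    by_account, problems = defaultdict(list), []
    for user, local in parse_tacacs_map(tacacs_text).items():
        if local in classes:
            by_account[local].append(user)
        else:
            problems.append(f"{user}: local-user-name {local} is not a login account on the router")
    return dict(by_account), classes, problems
```

Run it against a real export of both sides and review the returned problems list before changing the authentication order, since a user with no valid template account gains nothing from a working TACACS+ login.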


Discussion

When you want a group of users to be able to log in to and work on the router but always want to use a central authentication server, you can set up a common account instead of creating login accounts on the router for these users. Then in the RADIUS or TACACS+ database, you map the username to the common account name.

The first command in this recipe creates the group account noc, which has operator privileges: it can perform most operational commands but cannot enter configuration mode. The second command, set user noc full-name, provides a description of the account; it is optional but suggested so that the purpose of the account is clear. The third command sets TACACS+ as the primary authentication method.

The TACACS+ database in this recipe has two usernames, mike and sage. When these two users try to log in to the router using their regular login names mike and sage, the login request is authenticated by the TACACS+ server, which sees that their local username (their login account name on the router) is noc. The server returns this information to the router, which logs them in using the noc account and gives them operator privileges.

Users who are authenticated only by a group account will not be able to log in to the router if the authentication server is down. You should always configure some individual user accounts with passwords on the router so someone can always log in to the router (see Recipe 2.5).

See Also

Recipes 2.4, 2.5, 2.10, and 2.13

JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
Year: 2007
Pages: 290
Authors: Aviva Garrett
