Service-Type attribute. If the RADIUS Service-Type attribute is included in the RADIUS
Access-Accept message, the standard attribute overrides any VSA setting.
If you are using the RADIUS Service-Type attribute to assign access levels, the system
sets the Initial-Auth-Level as follows:
• If the Service-Type attribute is set to administrative, then the Initial-Auth-Level is set to 10.
• If the Service-Type attribute is set to nas prompt or login, the Initial-Auth-Level is set to 1.
Per-User Enable Authentication
After a user has been authenticated through RADIUS, the RADIUS server provides the
E Series router with the names of the privilege levels (for example, 10) that the user has
enable access to. When the user attempts to access a privilege level through the enable
command, the system either denies or approves the user’s request.
The decision to deny or approve the user’s request is based on the list the system received
through RADIUS. See Table 47 on page 432.
Table 47: Juniper Networks–Specific CLI Access VSA Descriptions
| VSA | Description | Type | Length | Subtype | Subtype Length | Value |
|---|---|---|---|---|---|---|
| Initial-CLI-Access-Level | Specifies the initial level of access to CLI commands. | 26 | len | 18 | sublen | Single attribute; enter only: 0, 1, 5, 10, or 15 |
| Alt-CLI-Access-Level | Specifies level of access to CLI commands. | 26 | len | 20 | sublen | Single attribute; enter only: 0, 1, 5, 10, or 15 |
NOTE: All levels to which a user can have access must explicitly be specified
in the Admin-Auth-Set VSA.
The user is not prompted for a password, because the system knows whether or not the
user should have access to the requested level. If the user is not authenticated through
RADIUS, the router uses the system-wide enable passwords instead.
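The following added example (not from the Juniper guide) audits the attribute block of an Access-Accept to show which initial CLI level it would yield under the Service-Type override and the Table 47 value list. The function names are hypothetical. Vendor ID 4874, ASCII-digit value encoding, and falling back to the VSA when Service-Type carries a value the guide does not map are assumptions.

```python
import struct

JUNIPER_VENDOR_ID = 4874                  # assumption: vendor ID is not stated on this page
ALLOWED_LEVELS = {0, 1, 5, 10, 15}        # the only values Table 47 permits
SERVICE_TYPE_LEVEL = {6: 10, 7: 1, 1: 1}  # RFC 2865: Administrative=6, NAS Prompt=7, Login=1
VSA_NAMES = {18: "Initial-CLI-Access-Level", 20: "Alt-CLI-Access-Level"}

def tlv(t, value):
    return bytes([t, len(value) + 2]) + value

def juniper_vsa(subtype, text):
    return tlv(26, struct.pack("!I", JUNIPER_VENDOR_ID) + tlv(subtype, text.encode()))

def iter_tlv(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad length {length} at offset {i}")
        yield t, buf[i + 2:i + length]
        i += length

def effective_initial_level(attrs):
    """Return (initial_level, source) for an Access-Accept attribute block."""
    service_type, vsa = None, {}
    for t, val in iter_tlv(attrs):
        if t == 6 and len(val) == 4:      # standard Service-Type attribute
            service_type = struct.unpack("!I", val)[0]
        elif t == 26 and len(val) >= 4 and struct.unpack("!I", val[:4])[0] == JUNIPER_VENDOR_ID:
            for sub, sval in iter_tlv(val[4:]):  # subtype/sublen reuse the same layout
                if sub in VSA_NAMES:
                    level = int(sval.decode("ascii"))  # assumption: value sent as ASCII digits
                    if level not in ALLOWED_LEVELS:
                        raise ValueError(f"{VSA_NAMES[sub]}: level {level} not allowed")
                    vsa[sub] = level
    if service_type in SERVICE_TYPE_LEVEL:  # the standard attribute overrides the VSA
        return SERVICE_TYPE_LEVEL[service_type], "Service-Type"
    # Assumption: an unmapped Service-Type value leaves the VSA setting in effect.
    return vsa.get(18), "VSA"

# Constructed sample attribute blocks (not captured traffic)
SAMPLE_VSA_ONLY = juniper_vsa(18, "5") + juniper_vsa(20, "10")
SAMPLE_OVERRIDE = SAMPLE_VSA_ONLY + tlv(6, struct.pack("!I", 6))
```

Running it against the replies a RADIUS policy would send makes an unintended Service-Type override visible before the policy is deployed.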
Restricting Access to Virtual Routers
You can use RADIUS authentication to specify whether users can access all virtual routers
(VRs), one specific VR, or a set of specific VRs.
Copyright © 2010, Juniper Networks, Inc.
432
JunosE 11.3.x System Basics Configuration Guide