JunosE 11.3.x System Basics Configuration Guide
Per-User Enable Authentication
Restricting Access to Virtual Routers
432
Service-Type attribute. If the RADIUS Service-Type attribute is included in the RADIUS
Access-Accept message, the standard attribute overrides any VSA setting.
If you are using the RADIUS Service-Type attribute to assign access levels, the system
sets the Initial-Auth-Level as follows:
If the Service-Type attribute is set to administrative, then the Initial-Auth-Level is set
to 10.
If the Service-Type attribute is set to nas prompt or login, the Initial-Auth-Level is set
to 1.
After a user has been authenticated through RADIUS, the RADIUS server provides the
E Series router with the names of the privilege levels (for example, 10 ) that the user has
enable access to. When the user attempts to access a privilege level through the enable
command, the system either denies or approves the user's request.
The decision to deny or approve the user's request is based on the list the system received
through RADIUS. See Table 47 on page 432.
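The following is an added example, not code from the JunosE guide: it builds a constructed Access-Accept attribute payload, decodes the Type 26 VSA layout that Table 47 describes (Subtype 18 for Initial-CLI-Access-Level, 20 for Alt-CLI-Access-Level), rejects any level other than 0, 1, 5, 10 or 15, and applies the rule above that a standard Service-Type attribute overrides the VSA. It assumes the JunosE (ERX) vendor ID 4874, a 4-byte integer encoding of the level, and the RFC 2865 Service-Type codes (Login 1, Administrative 6, NAS-Prompt 7); the router's own parser may differ.

```python
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26          # standard RADIUS attribute types (RFC 2865)
ERX_VENDOR_ID = 4874                           # assumption: JunosE (ERX) enterprise number
INITIAL_CLI_ACCESS_LEVEL, ALT_CLI_ACCESS_LEVEL = 18, 20   # VSA subtypes from Table 47
VALID_LEVELS = {0, 1, 5, 10, 15}               # the only values Table 47 allows
SERVICE_TYPE_LEVEL = {6: 10, 7: 1, 1: 1}       # Administrative -> 10, NAS-Prompt/Login -> 1

def attr(atype, value):
    """Standard attribute: Type, Length (includes the 2-byte header), Value."""
    return bytes([atype, len(value) + 2]) + value

def vsa(subtype, value, vendor_id=ERX_VENDOR_ID):
    """Type 26 VSA: Vendor-Id, then Subtype, Sub-length, Value (the layout of Table 47)."""
    return attr(VENDOR_SPECIFIC, vendor_id.to_bytes(4, "big") + bytes([subtype, len(value) + 2]) + value)

def parse_attributes(payload):
    """Return (type, vendor_id, subtype, value) tuples; vendor_id/subtype are None for standard attrs."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute length")
        atype, value = payload[i], payload[i + 2:i + payload[i + 1]]
        i += payload[i + 1]
        if atype != VENDOR_SPECIFIC:
            out.append((atype, None, None, value))
            continue
        vendor_id, j = int.from_bytes(value[:4], "big"), 4
        while j < len(value):                      # one VSA may carry several sub-attributes
            if j + 2 > len(value) or value[j + 1] < 2 or j + value[j + 1] > len(value):
                raise ValueError("malformed VSA sub-attribute")
            out.append((atype, vendor_id, value[j], value[j + 2:j + value[j + 1]]))
            j += value[j + 1]
    return out

def initial_auth_level(payload):
    """Service-Type, when present and mapped by the guide, overrides the Initial-CLI-Access-Level VSA."""
    vsa_level = None
    for atype, vendor_id, subtype, value in parse_attributes(payload):
        if atype == SERVICE_TYPE and int.from_bytes(value, "big") in SERVICE_TYPE_LEVEL:
            return SERVICE_TYPE_LEVEL[int.from_bytes(value, "big")]
        if vendor_id == ERX_VENDOR_ID and subtype == INITIAL_CLI_ACCESS_LEVEL:
            level = int.from_bytes(value, "big")   # assumption: 4-byte integer encoding
            if level not in VALID_LEVELS:
                raise ValueError("CLI access level must be 0, 1, 5, 10 or 15")
            vsa_level = level
    return vsa_level

# Constructed Access-Accept attribute payloads (not captured traffic)
VSA_ONLY = vsa(INITIAL_CLI_ACCESS_LEVEL, (5).to_bytes(4, "big")) + vsa(ALT_CLI_ACCESS_LEVEL, (10).to_bytes(4, "big"))
WITH_SERVICE_TYPE = attr(SERVICE_TYPE, (6).to_bytes(4, "big")) + VSA_ONLY   # Administrative overrides the VSA
```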
Table 47: Juniper Networks–Specific CLI Access VSA Descriptions

VSA | Description | Type | Length | Subtype | Subtype Length | Value
Initial-CLI-Access-Level | Specifies the initial level of access to CLI commands. | 26 | len | 18 | sublen | Single attribute; enter only: 0, 1, 5, 10, or 15
Alt-CLI-Access-Level | Specifies level of access to CLI commands. | 26 | len | 20 | sublen | Single attribute; enter only: 0, 1, 5, 10, or 15

NOTE: All levels to which a user can have access must explicitly be specified
in the Admin-Auth-Set VSA.
The user is not prompted for a password, because the system knows whether or not the
user should have access to the requested level. If the user is not authenticated through
RADIUS, the router uses the system-wide enable passwords instead.
Restricting Access to Virtual Routers
You can use RADIUS authentication to specify whether users can access all virtual routers
(VRs), one specific VR, or a set of specific VRs.
Copyright © 2010, Juniper Networks, Inc.