Table of Contents
Advertisement
If you are using the RADIUS Service-Type attribute to assign access levels, the system
sets the Initial-Auth-Level as follows:
Per-User Enable Authentication
After a user has been authenticated through RADIUS, the RADIUS server provides
the E Series router with the names of the privilege levels (for example, 10 ) that the
user has enable access to. When the user attempts to access a privilege level through
the enable command, the system either denies or approves the user's request.
The decision to deny or approve the user's request is based on the list the system
received through RADIUS. See Table 47 on page 447.
Table 47: Juniper Networks–Specific CLI Access VSA Descriptions
NOTE: All levels to which a user can have access must explicitly be specified in the
Admin-Auth-Set VSA.
The user is not prompted for a password, because the system knows whether or not
the user should have access to the requested level. If the user is not authenticated
through RADIUS, the router uses the system-wide enable passwords instead.
Restricting Access to Virtual Routers
You can use RADIUS authentication to specify whether users can access all virtual
routers (VRs), one specific VR, or a set of specific VRs.
NOTE: This classification is independent of the command access levels configurable
through the Initial-CLI-Access-Level VSA.
If the Service-Type attribute is set to administrative, then the Initial-Auth-Level
is set to 10.
If the Service-Type attribute is set to nas prompt or login, the Initial-Auth-Level
is set to 1.
VSA
Description
Initial-CLI-
Specifies the initial
Access-Level
level of access to
CLI commands.
Alt-CLI-
Specifies level of
Access-Level
access to CLI
commands.
Chapter 7: Passwords and Security
Subtype
Type
Length
Subtype
Length
26
len
18
sublen
26
len
20
sublen
Restricting User Access
Value
Single attribute;
enter only: 0, 1,
5, 10, or 15
Single attribute;
enter only: 0, 1,
5, 10, or 15
447
Advertisement
Table of Contents
Troubleshooting
