Juniper Networks J Series Users Manual
2015-02-09
Page Count: 332
J-series™ Services Router
Administration Guide
Release 9.1
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-023932-01, Revision 1
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue
Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public
domain.
This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software
included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988,
1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by
Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol.
Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the
University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.
Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service
marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,
6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
J-series™ Services Router Administration Guide
Release 9.1
Copyright © 2008, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History
April 2008—Revision 1
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year
2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the
extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you
indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in which
you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license
is automatically terminated. You should consult the license for further details. For complete product documentation, please see the Juniper Networks Web
site at www.juniper.net/techpubs.
End User License Agreement
READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING,
INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER
OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS
AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE,
AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are Juniper Networks, Inc. and its subsidiaries (collectively “Juniper”), and the person or organization that
originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, and updates and
releases of such software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller. “Embedded
Software” means Software which Juniper has embedded in the Juniper equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive
and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use the Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from
Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer
has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use
such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the
Steel-Belted Radius software on multiple computers requires multiple licenses, regardless of whether such computers are physically contained on a single
chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to
Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls,
connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features,
functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing,
temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software
to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable
licenses.
d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer
may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial
period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network.
Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any
commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable
license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall
not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as
necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove
any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of
the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted
feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even
if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper
to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper
reseller; (i) use the Embedded Software on non-Juniper equipment; (j) use the Software (or make it available for use) on Juniper equipment that the Customer
did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third
party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish
such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer
shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes
restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.
7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,
associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in
the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that
accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services
may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED
BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,
OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR
JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY
JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW,
JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER
WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION,
OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether
in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or
if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper
has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss),
and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license
granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s
possession or control.
10. Taxes. All license fees for the Software are exclusive of taxes, withholdings, duties, or levies (collectively “Taxes”). Customer shall be responsible for
paying Taxes arising from the purchase of the license, or importation or use of the Software.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign
agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or
without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption
or other capabilities restricting Customer’s ability to export the Software without an export license.
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure
by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212,
FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface
information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any.
Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable
terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology
are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor
shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the
Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and
subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License
(“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate)
available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194
N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of
the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions
of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties
hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement
constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a
separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict
with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in
writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the
remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English
version will govern. (For Canada: Les parties aux présentes confirment leur volonté que cette convention de même que tous les documents y compris tout
avis qui s'y rattache, soient rédigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be
in the English language)).
Abbreviated Table of Contents
About This Guide ..........................................................xv
Part 1      Configuring a Services Router for Administration
Chapter 1   Managing User Authentication and Access .......................3
Chapter 2   Setting Up USB Modems for Remote Management ..................29
Chapter 3   Configuring SNMP for Network Management ......................47
Chapter 4   Configuring the Router as a DHCP Server ......................63
Chapter 5   Configuring Autoinstallation .................................81
Chapter 6   Automating Network Operations and Troubleshooting ............89
Part 2      Monitoring a Services Router
Chapter 7   Monitoring the Router and Routing Operations ................101
Chapter 8   Monitoring Events and Managing System Log Files .............155
Chapter 9   Configuring and Monitoring Alarms ...........................165
Part 3      Managing Services Router Software
Chapter 10  Performing Software Upgrades and Reboots ....................179
Chapter 11  Managing Files ..............................................199
Part 4      Diagnosing Performance and Network Problems
Chapter 12  Using Services Router Diagnostic Tools ......................209
Chapter 13  Configuring Packet Capture ..................................253
Chapter 14  Configuring RPM Probes ......................................267
Part 5      Index
            Index .......................................................291
Table of Contents
About This Guide ..........................................................xv
Objectives ......................................................................................................xv
Audience .......................................................................................................xv
How to Use This Guide .................................................................................xvi
Document Conventions ...............................................................................xvii
Related Juniper Networks Documentation ..................................................xviii
Documentation Feedback .............................................................................xxi
Requesting Technical Support ......................................................................xxi
Part 1
Configuring a Services Router for Administration
Chapter 1   Managing User Authentication and Access .......................3
User Authentication Terms ..............................................................................3
User Authentication Overview .........................................................................4
User Authentication ..................................................................................4
User Accounts ...........................................................................................4
Login Classes ............................................................................................5
Permission Bits ...................................................................................5
Denying or Allowing Individual Commands .......................................7
Template Accounts ...................................................................................7
Before You Begin .............................................................................................8
Managing User Authentication with Quick Configuration ................................8
Adding a RADIUS Server for Authentication ..............................................8
Adding a TACACS+ Server for Authentication ..........................................9
Configuring System Authentication .........................................................10
Adding New Users ..................................................................................11
Managing User Authentication with a Configuration Editor ...........................12
Setting Up RADIUS Authentication ..........................................................12
Setting Up TACACS+ Authentication ......................................................13
Configuring Authentication Order ...........................................................15
Controlling User Access ..........................................................................16
Defining Login Classes ......................................................................16
Creating User Accounts ....................................................................17
Setting Up Template Accounts ................................................................18
Creating a Remote Template Account ..............................................19
Creating a Local Template Account ..................................................20
Recovering the Root Password ......................................................................21
Securing the Console Port .............................................................................23
Accessing Remote Devices with the CLI ........................................................24
Using the telnet Command .....................................................................24
Using the ssh Command .........................................................................25
Configuring Password Retry Limits for Telnet and SSH Access ......................26
Chapter 2   Setting Up USB Modems for Remote Management ..................29
USB Modem Terms .......................................................................................29
USB Modem Overview ..................................................................................30
USB Modem Interfaces ...........................................................................30
How a Services Router Initializes USB Modems ......................................31
USB Modem Connection and Configuration Overview ............................32
Before You Begin ...........................................................................................33
Connecting the USB Modem to the Services Router's USB Port .....................33
Configuring USB Modem Interfaces with a Configuration Editor ....................33
Configuring a USB Modem Interface (Required) ......................................33
Configuring a Dialer Interface (Required) ................................................35
Configuring Dial-In (Required) ................................................................36
Configuring CHAP on Dialer Interfaces (Optional) ...................................37
Connecting to the Services Router from the User End ...................................39
Configuring a Dial-Up Modem Connection at the User End .....................39
Connecting to the Services Router from the User End .............................40
Administering USB Modems ..........................................................................40
Modifying USB Modem Initialization Commands ....................................41
Resetting USB Modems ...........................................................................42
Verifying the USB Modem Configuration .......................................................42
Verifying a USB Modem Interface ...........................................................43
Verifying Dialer Interface Configuration ..................................................44
Chapter 3   Configuring SNMP for Network Management ......................47
SNMP Architecture ........................................................................................47
Management Information Base ...............................................................48
SNMP Communities ................................................................................48
SNMP Traps ............................................................................................49
Spoofing SNMP Traps .............................................................................49
SNMP Health Monitor .............................................................................49
Before You Begin ...........................................................................................50
Configuring SNMP with Quick Configuration .................................................50
Configuring SNMP with a Configuration Editor ..............................................54
Defining System Identification Information (Required) ...........................54
Configuring SNMP Agents and Communities (Required) .........................55
Managing SNMP Trap Groups (Required) ................................................56
Controlling Access to MIBs (Optional) .....................................................57
Verifying the SNMP Configuration .................................................................58
Verifying SNMP Agent Configuration ......................................................58
Verifying SNMP Health Monitor Configuration ........................................59
Chapter 4   Configuring the Router as a DHCP Server ......................63
DHCP Terms .................................................................................................63
DHCP Overview ............................................................................................64
DHCP Options ........................................................................................65
Compatibility with Autoinstallation .........................................................65
Conflict Detection and Resolution ...........................................................65
Interface Restrictions ..............................................................................65
Before You Begin ...........................................................................................66
Configuring the DHCP Server with Quick Configuration ................................66
Configuring the DHCP Server with a Configuration Editor .............................72
Verifying a DHCP Server Configuration .........................................................75
Displaying a DHCP Server Configuration ................................................75
Verifying the DHCP Binding Database ....................................................76
Verifying DHCP Server Operation ...........................................................77
Displaying DHCP Statistics ......................................................................79
Chapter 5   Configuring Autoinstallation .................................81
Autoinstallation Terms ..................................................................................81
Autoinstallation Overview .............................................................................82
Supported Autoinstallation Interfaces and Protocols ...............................82
Typical Autoinstallation Process on a New Services Router .....................83
Before You Begin ...........................................................................................84
Configuring Autoinstallation with a Configuration Editor ...............................85
Verifying Autoinstallation ..............................................................................86
Verifying Autoinstallation Status .............................................................86
Chapter 6   Automating Network Operations and Troubleshooting ............89
Defining and Enforcing Configuration Rules with Commit Scripts .................89
Commit Script Overview .........................................................................89
Enabling Commit Scripts ........................................................................90
Disabling Commit Scripts ........................................................................91
Automating Network Management and Troubleshooting with Operation Scripts ....92
Operation Script Overview ......................................................................92
Enabling Operation Scripts .....................................................................93
Executing Operation Scripts ....................................................................93
Disabling Operation Scripts ....................................................................94
Running Self-Diagnostics with Event Policies .................................................94
Event Policy Overview ............................................................................95
Configuring Event Policies ......................................................................95
Part 2
Monitoring a Services Router
Chapter 7   Monitoring the Router and Routing Operations ................101
Monitoring Terms ........................................................................................101
Monitoring Overview ...................................................................................101
Monitoring Tools Overview ...................................................................102
Filtering Command Output ...................................................................105
Before You Begin .........................................................................................106
Using the Monitoring Tools ..........................................................................107
Monitoring System Properties ...............................................................107
Monitoring System Process Information .........................................110
Monitoring the Chassis ..........................................................................111
Monitoring the Interfaces ......................................................................113
Monitoring Routing Information ...........................................................115
Monitoring Route Information ........................................................116
Monitoring BGP Routing Information .............................................117
Monitoring OSPF Routing Information ...........................................119
Monitoring RIP Routing Information ..............................................120
Monitoring DLSw Routing Information ...........................................121
Monitoring Class-of-Service Performance ..............................................123
Monitoring CoS Interfaces ..............................................................123
Monitoring CoS Classifiers ..............................................................124
Monitoring CoS Value Aliases .........................................................125
Monitoring CoS RED Drop Profiles .................................................126
Monitoring CoS Forwarding Classes ...............................................127
Monitoring CoS Rewrite Rules ........................................................128
Monitoring CoS Scheduler Maps .....................................................129
Monitoring MPLS Traffic Engineering Information ................................130
Monitoring MPLS Interfaces ............................................................131
Monitoring MPLS LSP Information ..................................................131
Monitoring MPLS LSP Statistics ......................................................132
Monitoring RSVP Session Information ............................................133
Monitoring MPLS RSVP Interfaces Information ...............................134
Monitoring Service Sets ........................................................................135
Monitoring Firewalls .............................................................................136
Monitoring Stateful Firewall Statistics .............................................137
Monitoring Stateful Firewall Filters .................................................138
Monitoring Firewall Intrusion Detection Services (IDS) ...................139
Monitoring IPSec Tunnels .....................................................................140
Monitoring NAT Pools ...........................................................................142
Monitoring DHCP ..................................................................................143
Monitoring RPM Probes ........................................................................145
Monitoring PPP .....................................................................................147
Monitoring PPPoE .................................................................................148
Monitoring the TGM550 Media Gateway (VoIP) .....................................151
Chapter 8 Monitoring Events and Managing System Log Files ..........................155
System Log Message Terms .........................................................................155
System Log Messages Overview ..................................................................156
System Log Message Destinations .........................................................157
System Log Facilities and Severity Levels ..............................................157
Regular Expressions ..............................................................................158
Before You Begin .........................................................................................159
Configuring System Log Messages with a Configuration Editor ....................160
Sending System Log Messages to a File ................................................160
Sending System Log Messages to a User Terminal ................................161
Archiving System Logs ..........................................................................161
Disabling System Logs ..........................................................................162
Monitoring System Log Messages with the J-Web Event Viewer ..................162
Filtering System Log Messages ..............................................................162
Viewing System Log Messages ..............................................................164
Chapter 9 Configuring and Monitoring Alarms .................................................165
Alarm Terms ...............................................................................................165
Alarm Overview ..........................................................................................166
Alarm Types .........................................................................................166
Alarm Severity ......................................................................................167
Alarm Conditions ..................................................................................167
Interface Alarm Conditions .............................................................167
Chassis Alarm Conditions and Corrective Actions ...........................170
System Alarm Conditions and Corrective Actions ...........................172
Before You Begin .........................................................................................172
Configuring Alarms with a Configuration Editor ..........................................172
Checking Active Alarms ...............................................................................174
Verifying the Alarms Configuration .............................................................175
Displaying Alarm Configurations ...........................................................175
Part 3 Managing Services Router Software
Chapter 10 Performing Software Upgrades and Reboots ..................................179
Upgrade and Downgrade Overview .............................................................179
Upgrade Software Packages ..................................................................180
Recovery Software Packages .................................................................180
Before You Begin .........................................................................................181
Downloading Software Upgrades from Juniper Networks ............................181
Installing Software Upgrades with the J-Web Interface ................................182
Installing Software Upgrades from a Remote Server .............................182
Installing Software Upgrades by Uploading Files ...................................183
Installing Software Upgrades with the CLI ...................................................184
Downgrading the Software ..........................................................................185
Downgrading the Software with the J-Web Interface .............................185
Downgrading the Software with the CLI ................................................185
Configuring Boot Devices ............................................................................186
Configuring a Boot Device for Backup with the J-Web Interface ............186
Configuring a Boot Device for Backup with the CLI ...............................189
Configuring a Boot Device to Receive Software Failure Memory Snapshots ..........190
Recovering Primary Boot Devices ...............................................................191
Why Compact Flash Recovery Might Be Necessary ...............................191
Recommended Recovery Hardware and Software ................................192
Configuring Internal Compact Flash Recovery ......................................192
Rebooting or Halting a Services Router .......................................................194
Rebooting or Halting a Services Router with the J-Web Interface ..........194
Rebooting a Services Router with the CLI .............................................195
Halting a Services Router with the CLI ..................................................196
Chapter 11 Managing Files ............................................................................199
Before You Begin .........................................................................................199
Managing Files with the J-Web Interface ......................................................199
Cleaning Up Files ..................................................................................199
Downloading Files ................................................................................200
Deleting the Backup Software Image ...........................................................201
Cleaning Up Files with the CLI .....................................................................201
Managing Accounting Files ..........................................................................202
Encrypting and Decrypting Configuration Files ...........................................203
Encrypting Configuration Files ..............................................................204
Decrypting Configuration Files ..............................................................205
Modifying the Encryption Key ..............................................................205
Part 4 Diagnosing Performance and Network Problems
Chapter 12 Using Services Router Diagnostic Tools .........................................209
Diagnostic Terms ........................................................................................209
Diagnostic Tools Overview ..........................................................................210
J-Web Diagnostic Tools Overview .........................................................210
CLI Diagnostic Commands Overview ....................................................211
MPLS Connection Checking ..................................................................213
Before You Begin .........................................................................................215
General Preparation ..............................................................................215
Ping MPLS Preparation .........................................................................215
MPLS Enabled ................................................................................215
Loopback Address ..........................................................................215
Source Address for Probes ..............................................................215
Pinging Hosts from the J-Web Interface .......................................................216
Using the J-Web Ping Host Tool ............................................................216
Ping Host Results and Output Summary ...............................................218
Checking MPLS Connections from the J-Web Interface ................................219
Using the J-Web Ping MPLS Tool ...........................................................219
Ping MPLS Results and Output ..............................................................222
Tracing Unicast Routes from the J-Web Interface ........................................223
Using the J-Web Traceroute Tool ...........................................................223
Traceroute Results and Output Summary .............................................225
Capturing and Viewing Packets with the J-Web Interface ............................226
Using J-Web Packet Capture ..................................................................226
Packet Capture Results and Output Summary .......................................229
Using CLI Diagnostic Commands ................................................................230
Pinging Hosts from the CLI ...................................................................230
Checking MPLS Connections from the CLI ............................................232
Pinging RSVP-Signaled LSPs and LDP-Signaled LSPs ......................233
Pinging Layer 3 VPNs .....................................................................234
Pinging Layer 2 VPNs .....................................................................235
Pinging Layer 2 Circuits ..................................................................236
Tracing Unicast Routes from the CLI .....................................................237
Using the traceroute Command ......................................................237
Using the traceroute monitor Command ........................................238
Tracing Multicast Routes from the CLI ..................................................240
Using the mtrace from-source Command .......................................241
Using the mtrace monitor Command .............................................243
Displaying Log and Trace Files from the CLI .........................................244
Monitoring Interfaces and Traffic from the CLI .....................................245
Using the monitor interface Command ..........................................245
Using the monitor traffic Command ...............................................246
Chapter 13 Configuring Packet Capture ..........................................................253
Packet Capture Terms .................................................................................253
Packet Capture Overview ............................................................................254
Packet Capture on Router Interfaces .....................................................255
Firewall Filters for Packet Capture ........................................................255
Packet Capture Files .............................................................................256
Analysis of Packet Capture Files ............................................................256
Before You Begin .........................................................................................257
Configuring Packet Capture with a Configuration Editor ..............................257
Enabling Packet Capture (Required) ......................................................257
Configuring Packet Capture on an Interface (Required) .........................259
Configuring a Firewall Filter for Packet Capture (Optional) ...................259
Disabling Packet Capture ......................................................................261
Deleting Packet Capture Files ................................................................261
Changing Encapsulation on Interfaces with Packet Capture Configured ......262
Verifying Packet Capture .............................................................................263
Displaying a Packet Capture Configuration ...........................................263
Displaying a Firewall Filter for Packet Capture Configuration ................264
Verifying Captured Packets ...................................................................264
Chapter 14 Configuring RPM Probes ...............................................................267
RPM Terms .................................................................................................267
RPM Overview ............................................................................................268
RPM Probes ..........................................................................................268
RPM Tests .............................................................................................269
Probe and Test Intervals .......................................................................269
Jitter Measurement with Hardware Timestamping ................................269
RPM Statistics .......................................................................................270
RPM Thresholds and Traps ...................................................................271
RPM for BGP Monitoring .......................................................................271
Before You Begin .........................................................................................271
Configuring RPM with Quick Configuration .................................................271
Configuring RPM with a Configuration Editor ..............................................276
Configuring Basic RPM Probes ..............................................................276
Configuring TCP and UDP Probes .........................................................279
Tuning RPM Probes ..............................................................................282
Configuring RPM Probes to Monitor BGP Neighbors .............................283
Configuring RPM Probes for BGP Monitoring ..................................283
Directing RPM Probes to Select BGP Routers ..................................285
Verifying an RPM Configuration ..................................................................285
Verifying RPM Services .........................................................................286
Verifying RPM Statistics ........................................................................286
Verifying RPM Probe Servers ................................................................288
Part 5 Index
Index ...........................................................................................................291
About This Guide
This preface provides the following guidelines for using the J-series™ Services Router
Administration Guide:
■ Objectives on page xv
■ Audience on page xv
■ How to Use This Guide on page xvi
■ Document Conventions on page xvii
■ Related Juniper Networks Documentation on page xviii
■ Documentation Feedback on page xxi
■ Requesting Technical Support on page xxi
Objectives
This guide contains instructions for managing users and operations, monitoring
network performance, upgrading software, and diagnosing common problems on
J-series Services Routers.
J-series Services Router operations are controlled by the JUNOS software. You direct
the JUNOS software through either a Web browser or a command-line interface (CLI).
NOTE: This guide documents Release 9.1 of the JUNOS software. For additional
information about J-series Services Routers—either corrections to or omissions from
this guide—see the J-series Services Router Release Notes at http://www.juniper.net.
Audience
This guide is designed for anyone who installs and sets up a J-series Services Router
or prepares a site for Services Router installation. The guide is intended for the
following audiences:
■ Customers with technical knowledge of and experience with networks and the Internet
■ Network administrators who install, configure, and manage Internet routers but are unfamiliar with the JUNOS software
■ Network administrators who install, configure, and manage products of Juniper Networks
Personnel operating the equipment must be trained and competent; must not conduct
themselves in a careless, willfully negligent, or hostile manner; and must abide by
the instructions provided by the documentation.
How to Use This Guide
J-series documentation explains how to install, configure, and manage J-series routers
by providing information about JUNOS implementation specifically on J-series routers.
(For comprehensive JUNOS information, see the JUNOS software manuals listed in
“Related Juniper Networks Documentation” on page xviii.) Table 1 on page xvi shows
the location of J-series information, by task type, in Juniper Networks documentation.
Table 1: Location of J-series Information
J-series Tasks | Location of Instruction
Installing hardware and establishing basic connectivity | Getting Started Guide for your router
Configuring interfaces and routing protocols such as RIP, OSPF, BGP, and IS-IS | J-series Services Router Basic LAN and WAN Access Configuration Guide
Configuring advanced features such as virtual private networks (VPNs), IP Security (IPSec), multicast, routing policies, firewall filters, and class of service (CoS) | J-series Services Router Advanced WAN Access Configuration Guide
Managing users and operations, monitoring performance, upgrading software, and diagnosing common problems | J-series Services Router Administration Guide
Using the J-Web interface | J-Web Interface User Guide
Using the CLI | JUNOS CLI User Guide
Typically, J-series documentation provides both general and specific information—for
example, a configuration overview, configuration examples, and verification methods.
Because you can configure and manage J-series routers in several ways, you can
choose from multiple sets of instructions to perform a task. To make best use of this
information:
■ If you are new to the topic—Read through the initial overview information, keep the related JUNOS guide handy for details about the JUNOS hierarchy, and follow the step-by-step instructions for your preferred interface.
■ If you are already familiar with the feature—Go directly to the instructions for the interface of your choice, and follow the instructions. You can choose a J-Web method, the JUNOS CLI, or a combination of methods based on the level of complexity or your familiarity with the interface.
For many J-series features, you can use J-Web Quick Configuration pages to configure
the router quickly and easily without configuring each statement individually. For
more extensive configuration, use the J-Web configuration editor or CLI configuration
mode commands.
To monitor, diagnose, and manage a router, use the J-Web interface or CLI operational
mode commands.
Document Conventions
Table 2 on page xvii defines the notice icons used in this guide.
Table 2: Notice Icons
Meaning | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.
Table 3 on page xvii defines the text and syntax conventions used in this guide.
Table 3: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
user@host> show chassis alarms
No alarms currently active

Convention: Italic text like this
Description:
■ Introduces important new terms.
■ Identifies book names.
■ Identifies RFC and Internet draft titles.
Examples:
■ A policy term is a named structure that defines match conditions and actions.
■ JUNOS System Basics Configuration Guide
■ RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
[edit]
root@# set system domain-name domain-name

Convention: Plain text like this
Description: Represents names of configuration statements, commands, files, and directories; IP addresses; configuration hierarchy levels; or labels on routing platform components.
Examples:
■ To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
■ The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Enclose optional keywords or variables.
Examples: stub ;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
broadcast | multicast
(string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Enclose a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identify a level in the configuration hierarchy.
Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples (for both conventions):
[edit]
routing-options {
    static {
        route default {
            nexthop address;
            retain;
        }
    }
}

J-Web GUI Conventions

Convention: Bold text like this
Description: Represents J-Web graphical user interface (GUI) items you click or select.
Examples:
■ In the Logical Interfaces box, select All Interfaces.
■ To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of J-Web selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.
Related Juniper Networks Documentation
J-series Services Routers are documented in multiple guides. Although the J-series
guides provide instructions for configuring and managing a Services Router with the
JUNOS CLI, they are not a comprehensive JUNOS software resource. For complete
documentation of the statements and commands described in J-series guides, see
the JUNOS software manuals listed in Table 4 on page xix.
Table 4: J-series Guides and Related JUNOS Software Publications
Chapter in a J-series Guide
Corresponding JUNOS Software Manual
Getting Started Guide for Your Router
“Services Router User Interface Overview”
■ JUNOS CLI User Guide
■ JUNOS System Basics Configuration Guide
“Establishing Basic Connectivity”
J-series Services Router Basic LAN and WAN Access Configuration Guide
“Using Services Router Configuration Tools”
“Interfaces Overview”
■ JUNOS CLI User Guide
■ JUNOS System Basics Configuration Guide
■ JUNOS Network Interfaces Configuration Guide
■ JUNOS Interfaces Command Reference
■ JUNOS Services Interfaces Configuration Guide
■ JUNOS System Basics and Services Command Reference
■ JUNOS Network Interfaces Configuration Guide
■ JUNOS Interfaces Command Reference
■ JUNOS Network Interfaces Configuration Guide
■ JUNOS System Basics Configuration Guide
■ JUNOS System Basics and Services Command Reference
■ JUNOS Routing Protocols Configuration Guide
■ JUNOS Routing Protocols and Policies Command Reference
“Configuring DS1, DS3, Ethernet, and Serial Interfaces”
“Configuring Channelized T1/E1/ISDN PRI Interfaces”
“Configuring Digital Subscriber Line Interfaces”
“Configuring Point-to-Point Protocol over Ethernet”
“Configuring ISDN”
“Configuring Link Services Interfaces”
“Configuring VoIP”
“Configuring uPIMs as Ethernet Switches”
“Routing Overview”
“Configuring Static Routes”
“Configuring a RIP Network”
“Configuring an OSPF Network”
“Configuring the IS-IS Protocol”
“Configuring BGP Sessions”
J-series Services Router Advanced WAN Access Configuration Guide
“Multiprotocol Label Switching Overview”
“Configuring Signaling Protocols for Traffic Engineering”
■ JUNOS MPLS Applications Configuration Guide
■ JUNOS Routing Protocols and Policies Command Reference
■ JUNOS VPNs Configuration Guide
“Configuring Virtual Private Networks”
“Configuring CLNS VPNs”
“Configuring IPSec for Secure Packet Exchange”
■ JUNOS System Basics Configuration Guide
■ JUNOS Services Interfaces Configuration Guide
■ JUNOS System Basics and Services Command Reference
■ JUNOS Multicast Protocols Configuration Guide
■ JUNOS Routing Protocols and Policies Command Reference
■ JUNOS Services Interfaces Configuration Guide
■ JUNOS System Basics and Services Command Reference
■ JUNOS Policy Framework Configuration Guide
■ JUNOS Routing Protocols and Policies Command Reference
■ JUNOS Network Interfaces Configuration Guide
■ JUNOS Policy Framework Configuration Guide
■ JUNOS Services Interfaces Configuration Guide
■ Secure Configuration Guide for Common Criteria and JUNOS-FIPS
■ JUNOS System Basics and Services Command Reference
■ JUNOS Routing Protocols and Policies Command Reference
■ JUNOS Class of Service Configuration Guide
■ JUNOS System Basics and Services Command Reference
■ JUNOS System Basics Configuration Guide
■ Secure Configuration Guide for Common Criteria and JUNOS-FIPS
“Multicast Overview”
“Configuring a Multicast Network”
“Configuring Data Link Switching”
“Policy Framework Overview”
“Configuring Routing Policies”
“Configuring NAT”
“Configuring Stateful Firewall Filters and NAT”
“Configuring Stateless Firewall Filters”
“Class-of-Service Overview”
“Configuring Class of Service”
J-series Services Router Administration Guide
“Managing User Authentication and Access”
“Setting Up USB Modems for Remote Management”
JUNOS Network Management Configuration Guide
“Configuring SNMP for Network Management”
“Configuring the Router as a DHCP Server”
JUNOS System Basics Configuration Guide
“Configuring Autoinstallation”
“Automating Network Operations and Troubleshooting”
JUNOS Configuration and Diagnostic Automation Guide
“Monitoring the Router and Routing Operations”
■ JUNOS System Basics and Services Command Reference
■ JUNOS Interfaces Command Reference
■ JUNOS Routing Protocols and Policies Command Reference
■ JUNOS System Log Messages Reference
■ Secure Configuration Guide for Common Criteria and JUNOS-FIPS
“Monitoring Events and Managing System Log Files”
“Configuring and Monitoring Alarms”
JUNOS System Basics Configuration Guide
“Performing Software Upgrades and Reboots”
JUNOS Software Installation and Upgrade Guide
“Managing Files”
JUNOS System Basics Configuration Guide
“Using Services Router Diagnostic Tools”
■ JUNOS System Basics and Services Command Reference
■ JUNOS Interfaces Command Reference
■ JUNOS Routing Protocols and Policies Command Reference
“Configuring Packet Capture”
JUNOS Services Interfaces Configuration Guide
“Configuring RPM Probes”
JUNOS System Basics and Services Command Reference
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be sure
to include the following information with your comments:
■ Document name
■ Document part number
■ Page number
■ Software release version (not required for Network Operations Guides [NOGs])
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical
Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support
contract, or are covered under warranty, and need postsales technical support, you
can access our tools and resources online or open a case with JTAC.
■ JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf.
■ Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
■ JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with
the following features:
■ Find CSC offerings: http://www.juniper.net/customers/support/
■ Search for known bugs: http://www2.juniper.net/kb/
■ Find product documentation: http://www.juniper.net/techpubs/
■ Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
■ Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
■ Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
■ Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
■ Open a case online in the CSC Case Manager: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number
Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
■ Use the Case Manager tool in the CSC at http://www.juniper.net/cm/.
■ Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit
us at http://www.juniper.net/support/requesting-support.html.
Part 1
Configuring a Services Router for Administration
■ Managing User Authentication and Access on page 3
■ Setting Up USB Modems for Remote Management on page 29
■ Configuring SNMP for Network Management on page 47
■ Configuring the Router as a DHCP Server on page 63
■ Configuring Autoinstallation on page 81
■ Automating Network Operations and Troubleshooting on page 89
Chapter 1
Managing User Authentication and Access
You can use either J-Web Quick Configuration or a configuration editor to manage
system functions, including RADIUS and TACACS+ servers, and user login accounts.
This chapter contains the following topics. For more information about system
management, see the JUNOS System Basics Configuration Guide.
If the router is operating in a Common Criteria environment, see the Secure
Configuration Guide for Common Criteria and JUNOS-FIPS.
■ User Authentication Terms on page 3
■ User Authentication Overview on page 4
■ Before You Begin on page 8
■ Managing User Authentication with Quick Configuration on page 8
■ Managing User Authentication with a Configuration Editor on page 12
■ Recovering the Root Password on page 21
■ Securing the Console Port on page 23
■ Accessing Remote Devices with the CLI on page 24
■ Configuring Password Retry Limits for Telnet and SSH Access on page 26
User Authentication Terms
Before performing system management tasks, become familiar with the terms defined
in Table 5 on page 3.
Table 5: System Management Terms (term: definition)
Remote Authentication Dial-In User Service (RADIUS): Authentication method for validating users who attempt to access one or more Services Routers by means of Telnet. RADIUS is a multivendor IETF standard whose features are more widely accepted than those of TACACS+ or other proprietary systems. All one-time-password system vendors support RADIUS.
Terminal Access Controller Access Control System Plus (TACACS+): Authentication method for validating users who attempt to access one or more Services Routers by means of Telnet.
User Authentication Overview
This section contains the following topics:
■ User Authentication on page 4
■ User Accounts on page 4
■ Login Classes on page 5
■ Template Accounts on page 7
User Authentication
The JUNOS software supports three methods of user authentication: local password
authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal
Access Controller Access Control System Plus (TACACS+).
With local password authentication, you configure a password for each user allowed
to log into the Services Router.
RADIUS and TACACS+ are authentication methods for validating users who attempt
to access the router using Telnet. Both are distributed client/server systems—the
RADIUS and TACACS+ clients run on the router, and the server runs on a remote
network system.
You can configure the router to use RADIUS or TACACS+ authentication, or both,
to validate users who attempt to access the router. If you set up both authentication
methods, you also can configure which the router will try first.
User Accounts
User accounts provide one way for users to access the Services Router. Users can
access the router without accounts if you configured RADIUS or TACACS+ servers,
as described in “Managing User Authentication with Quick Configuration” on page
8 and “Managing User Authentication with a Configuration Editor” on page 12.
After you have created an account, the router creates a home directory for the user.
An account for the user root is always present in the configuration. For information
about configuring the password for the user root, see the Getting Started Guide for
your router. For each user account, you can define the following:
■ Username—Name that identifies the user. It must be unique within the router.
Do not include spaces, colons, or commas in the username.
■ User's full name—If the full name contains spaces, enclose it in quotation marks
(“ ”). Do not include colons or commas.
■ User identifier (UID)—Numeric identifier that is associated with the user account
name. The identifier must be in the range 100 through 64000 and must be unique
within the router. If you do not assign a UID to a username, the software assigns
one when you commit the configuration, preferring the lowest available number.
■ User's access privilege—You can create login classes with specific permission
bits or use one of the default classes listed in Table 6 on page 5.
■ Authentication method or methods and passwords that the user can use to access
the router—You can use SSH or an MD5 password, or you can enter a plain-text
password that the JUNOS software encrypts using MD5-style encryption before
entering it in the password database. If you configure the plain-text-password
option, you are prompted to enter and confirm the password.
Login Classes
All users who log into the Services Router must be in a login class. You can define
any number of login classes. With login classes, you define the following:
■ Access privileges users have when they are logged into the router. For more
information, see “Permission Bits” on page 5.
■ Commands and statements that users can and cannot specify. For more
information, see “Denying or Allowing Individual Commands” on page 7.
■ How long a login session can be idle before it times out and the user is logged
off.
You then apply one login class to an individual user account. The software contains
a few predefined login classes, which are listed in Table 6 on page 5. The predefined
login classes cannot be modified.
Table 6: Predefined Login Classes (login class: permission bits set)
operator: clear, network, reset, trace, view
read-only: view
super-user and superuser: all
unauthorized: none
Permission Bits
Each top-level command-line interface (CLI) command and each configuration
statement has an access privilege level associated with it. Users can execute only
those commands and configure and view only those statements for which they have
access privileges. The access privileges for each login class are defined by one or
more permission bits (see Table 7 on page 6).
Two forms for the permissions control the individual parts of the configuration:
■ "Plain" form—Provides read-only capability for that permission type. An example
is interface.
■ Form that ends in -control—Provides read and write capability for that permission
type. An example is interface-control.
Table 7: Permission Bits for Login Classes (permission bit: access)
admin: Can view user account information in configuration mode and with the show configuration command.
admin-control: Can view user accounts and configure them (at the [edit system login] hierarchy level).
access: Can view the access configuration in configuration mode and with the show configuration operational mode command.
access-control: Can view and configure access information (at the [edit access] hierarchy level).
all: Has all permissions.
clear: Can clear (delete) information learned from the network that is stored in various network databases (using the clear commands).
configure: Can enter configuration mode (using the configure command) and commit configurations (using the commit command).
control: Can perform all control-level operations (all operations configured with the -control permission bits).
field: Reserved for field (debugging) support.
firewall: Can view the firewall filter configuration in configuration mode.
firewall-control: Can view and configure firewall filter information (at the [edit firewall] hierarchy level).
floppy: Can read from and write to the removable media.
interface: Can view the interface configuration in configuration mode and with the show configuration operational mode command.
interface-control: Can view chassis, class of service, groups, forwarding options, and interfaces configuration information. Can configure chassis, class of service, groups, forwarding options, and interfaces (at the [edit] hierarchy).
maintenance: Can perform system maintenance, including starting a local shell on the router and becoming the superuser in the shell (by issuing the su root command), and can halt and reboot the router (using the request system commands).
network: Can access the network by entering the ping, ssh, telnet, and traceroute commands.
reset: Can restart software processes using the restart command and can configure whether software processes are enabled or disabled (at the [edit system processes] hierarchy level).
rollback: Can use the rollback command to return to a previously committed configuration other than the most recently committed one.
routing: Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
routing-control: Can view general routing, routing protocol, and routing policy configuration information and configure general routing (at the [edit routing-options] hierarchy level), routing protocols (at the [edit protocols] hierarchy level), and routing policy (at the [edit policy-options] hierarchy level).
secret: Can view passwords and other authentication keys in the configuration.
secret-control: Can view passwords and other authentication keys in the configuration and can modify them in configuration mode.
security: Can view security configuration in configuration mode and with the show configuration operational mode command.
security-control: Can view and configure security information (at the [edit security] hierarchy level).
shell: Can start a local shell on the router by entering the start shell command.
snmp: Can view SNMP configuration information in configuration and operational modes.
snmp-control: Can view SNMP configuration information and configure SNMP (at the [edit snmp] hierarchy level).
system: Can view system-level information in configuration and operational modes.
system-control: Can view system-level configuration information and configure it (at the [edit system] hierarchy level).
trace: Can view trace file settings in configuration and operational modes.
trace-control: Can view trace file settings and configure trace file properties.
view: Can use various commands to display current systemwide, routing table, and protocol-specific values and statistics.
Denying or Allowing Individual Commands
By default, all top-level CLI commands have associated access privilege levels. Users
can execute only those commands and view only those statements for which they
have access privileges. For each login class, you can explicitly deny or allow the use
of operational and configuration mode commands that are otherwise permitted or
not allowed by a permission bit.
Template Accounts
You use local user template accounts when you need different types of templates.
Each template can define a different set of permissions appropriate for the group of
users who use that template. These templates are defined locally on the Services
Router and referenced by the TACACS+ and RADIUS authentication servers.
When you configure local user templates and a user logs in, the JUNOS software
issues a request to the authentication server to authenticate the user's login name.
If a user is authenticated, the server returns the local username to the router, which
then determines whether a local username is specified for that login name
(local-username for TACACS+, Juniper-Local-User for RADIUS). If so, the router selects
the appropriate local user template locally configured on the router. If a local user
template does not exist for the authenticated user, the router defaults to the remote
template.
For more information, see “Setting Up Template Accounts” on page 18.
Before You Begin
Before you perform any system management tasks, you must perform the initial
Services Router configuration described in the Getting Started Guide for your router.
Managing User Authentication with Quick Configuration
This section contains the following topics:
■ Adding a RADIUS Server for Authentication on page 8
■ Adding a TACACS+ Server for Authentication on page 9
■ Configuring System Authentication on page 10
■ Adding New Users on page 11
Adding a RADIUS Server for Authentication
You can use the Users Quick Configuration page for RADIUS servers to configure a
RADIUS server for system authentication. This Quick Configuration page allows you
to specify the IP address and secret (password) of the RADIUS server.
Figure 1 on page 8 shows the Users Quick Configuration page for RADIUS servers.
Figure 1: Users Quick Configuration Page for RADIUS Servers (screen image not reproduced in this text)
To configure a RADIUS server with Quick Configuration:
1. In the J-Web interface, select Configuration>Quick Configuration>Users.
2. Under RADIUS servers, click Add to configure a RADIUS server.
3. Enter information into the Users Quick Configuration page for RADIUS servers,
as described in Table 8 on page 9.
4. Click one of the following buttons on the Users Quick Configuration page for
RADIUS servers:
■ To apply the configuration and return to the Users Quick Configuration page,
click OK.
■ To cancel your entries and return to the Users Quick Configuration page,
click Cancel.
Table 8: Users Quick Configuration for RADIUS Servers Summary
RADIUS Server
RADIUS Server Address (required)
  Function: Identifies the IP address of the RADIUS server.
  Your action: Type the RADIUS server’s 32-bit IP address, in dotted decimal notation.
RADIUS Server Secret (required)
  Function: The secret (password) of the RADIUS server.
  Your action: Type the secret (password) of the RADIUS server. Secrets can contain spaces. The secret used must match that used by the RADIUS server.
Verify RADIUS Server Secret (required)
  Function: Verifies the secret (password) of the RADIUS server is entered correctly.
  Your action: Retype the secret of the RADIUS server.
Adding a TACACS+ Server for Authentication
You can use the Users Quick Configuration page for TACACS+ servers to configure
a TACACS+ server for system authentication. This Quick Configuration page allows
you to specify the IP address and secret of the TACACS+ server.
Figure 2 on page 9 shows the Users Quick Configuration page for TACACS+ servers.
Figure 2: Users Quick Configuration Page for TACACS+ Servers (screen image not reproduced in this text)
To configure a TACACS+ server with Quick Configuration:
1. In the J-Web interface, select Configuration>Quick Configuration>Users.
2. Under TACACS+ servers, click Add to configure a TACACS+ server.
3. Enter information into the Users Quick Configuration page for TACACS+ servers,
as described in Table 9 on page 10.
4. Click one of the following buttons on the Users Quick Configuration page for
TACACS+ servers:
■ To apply the configuration and return to the Users Quick Configuration page,
click OK.
■ To cancel your entries and return to the Users Quick Configuration page,
click Cancel.
Table 9: Users Quick Configuration for TACACS+ Servers Summary
TACACS+ Server
TACACS+ Server Address (required)
  Function: Identifies the IP address of the TACACS+ server.
  Your action: Type the TACACS+ server’s 32-bit IP address, in dotted decimal notation.
TACACS+ Server Secret (required)
  Function: The secret (password) of the TACACS+ server.
  Your action: Type the secret (password) of the TACACS+ server. Secrets can contain spaces. The secret used must match that used by the TACACS+ server.
Verify TACACS+ Server Secret (required)
  Function: Verifies the secret (password) of the TACACS+ server is entered correctly.
  Your action: Retype the secret of the TACACS+ server.
Configuring System Authentication
On the Users Quick Configuration page, you can configure the authentication methods
the Services Router uses to verify that a user can gain access. For each login attempt,
the router tries the authentication methods in order, starting with the first one, until
the password matches.
If you do not configure system authentication, users are verified based on their
configured local passwords.
Figure 3 on page 10 shows the Users Quick Configuration page.
Figure 3: Users Quick Configuration Page (screen image not reproduced in this text)
To configure system authentication with Quick Configuration:
1. In the J-Web interface, select Configuration>Quick Configuration>Users.
2. Under Authentication Servers, select the check box next to each authentication
method the router must use when users log in:
■ RADIUS
■ TACACS+
■ Local Password
3. Click one of the following buttons on the Users Quick Configuration page:
■ To apply the configuration and stay in the Users Quick Configuration page,
click Apply.
■ To apply the configuration and return to the Quick Configuration page, click
OK.
■ To cancel your entries and return to the Quick Configuration page, click
Cancel.
Adding New Users
You can use the Users Quick Configuration page for user information to add new
users to a Services Router. For each account, you define a login name and password
for the user and specify a login class for access privileges.
Figure 4 on page 11 shows the Quick Configuration page for adding a user.
Figure 4: Add a User Quick Configuration Page (screen image not reproduced in this text)
To configure users with Quick Configuration:
1. In the J-Web interface, select Configuration>Quick Configuration>Users.
2. Under Users, click Add to add a new user.
3. Enter information into the Add a User Quick Configuration page, as described
in Table 10 on page 11.
4. Click one of the following buttons on the Add a User Quick Configuration page:
■ To apply the configuration and return to the Users Quick Configuration page,
click OK.
■ To cancel your entries and return to the Users Quick Configuration page,
click Cancel.
Table 10: Add a User Quick Configuration Page Summary
User Information
Username (required)
  Function: Name that identifies the user.
  Your action: Type the username. It must be unique within the router. Do not include spaces, colons, or commas in the username.
Full Name
  Function: The user's full name.
  Your action: Type the user's full name. If the full name contains spaces, enclose it in quotation marks. Do not include colons or commas.
Login Class (required)
  Function: Defines the user's access privilege.
  Your action: From the list, select the user's login class:
  ■ operator
  ■ read-only
  ■ super-user/superuser
  ■ unauthorized
  This list also includes any user-defined login classes. For more information, see “Login Classes” on page 5.
Login Password (required)
  Function: The login password for this user.
  Your action: Type the login password for this user. The login password must meet the following criteria:
  ■ The password must be at least 6 characters long.
  ■ You can include most character classes in a password (alphabetic, numeric, and special characters), except control characters.
  ■ The password must contain at least one change of case or character class.
Verify Login Password (required)
  Function: Verifies the login password for this user.
  Your action: Retype the login password for this user.
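The three password criteria in Table 10 as a checker, an added example in Python that is not part of the guide and not Juniper code. It assumes that "at least one change of case or character class" is satisfied exactly when two or more of the classes upper, lower, digit and special occur in the password, and that "control characters" means the Unicode Cc category; the sample passwords in the demo are constructed.

```python
"""Check a proposed login password against the rules listed in Table 10.

Added example, not Juniper code. Rules encoded:
  * at least 6 characters;
  * any character class except control characters;
  * at least one change of case or character class.
"""
import unicodedata
from typing import List


def char_class(c: str) -> str:
    """Classify one character as upper, lower, digit or special."""
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    if c.isdigit():
        return "digit"
    return "special"


def check_password(password: str) -> List[str]:
    """Return the rules the password violates; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    # Assumption: "control characters" = Unicode general category Cc (tab, NUL, ...).
    if any(unicodedata.category(c) == "Cc" for c in password):
        problems.append("contains control characters")
    # Assumption: a change of case or class exists somewhere in the string
    # exactly when at least two distinct classes occur in it.
    if len({char_class(c) for c in password}) < 2:
        problems.append("no change of case or character class")
    return problems


if __name__ == "__main__":
    # Constructed samples; the first is the sample RADIUS secret used later in the chapter.
    for candidate in ("Radiussecret1", "secret", "Ab1", "pass\tword1"):
        verdict = check_password(candidate)
        print(repr(candidate), "OK" if not verdict else "; ".join(verdict))
```

Running a candidate through check_password before typing it into the Login Password box avoids a commit-time rejection; the same function is convenient for auditing a batch of proposed passwords offline.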
Managing User Authentication with a Configuration Editor
This section contains the following topics:
■ Setting Up RADIUS Authentication on page 12
■ Setting Up TACACS+ Authentication on page 13
■ Configuring Authentication Order on page 15
■ Controlling User Access on page 16
■ Setting Up Template Accounts on page 18
Setting Up RADIUS Authentication
To use RADIUS authentication, you must configure at least one RADIUS server.
The procedure provided in this section identifies the RADIUS server, specifies the
secret (password) of the RADIUS server, and sets the source address of the Services
Router's RADIUS requests to the loopback address of the router. The procedure uses
the following sample values:
■ The RADIUS server's IP address is 172.16.98.1.
■ The RADIUS server's secret is Radiussecret1.
■ The loopback address of the router is 10.0.0.1.
To configure RADIUS authentication:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI
configuration editor.
2. Perform the configuration tasks described in Table 11 on page 13.
3. If you are finished configuring the network, commit the configuration.
To completely set up RADIUS authentication, you must create user template
accounts and specify a system authentication order.
4. Go on to one of the following procedures:
■ To specify a system authentication order, see “Configuring Authentication
Order” on page 15.
■ To configure a remote user template account, see “Creating a Remote
Template Account” on page 19.
■ To configure local user template accounts, see “Creating a Local Template
Account” on page 20.
Table 11: Setting Up RADIUS Authentication
Task: Navigate to the System level in the configuration hierarchy.
  J-Web Configuration Editor: 1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration. 2. Next to System, click Configure or Edit.
  CLI Configuration Editor: From the [edit] hierarchy level, enter
    edit system
Task: Add a new RADIUS server.
  J-Web Configuration Editor: 1. In the Radius server box, click Add new entry. 2. In the Address box, type the IP address of the RADIUS server: 172.16.98.1
  CLI Configuration Editor: Set the IP address of the RADIUS server:
    set radius-server address 172.16.98.1
Task: Specify the shared secret (password) of the RADIUS server. The secret is stored as an encrypted value in the configuration database.
  J-Web Configuration Editor: In the Secret box, type the shared secret of the RADIUS server: Radiussecret1
  CLI Configuration Editor: Set the shared secret of the RADIUS server:
    set radius-server 172.16.98.1 secret Radiussecret1
Task: Specify the source address to be included in the RADIUS server requests by the router. In most cases, you can use the loopback address of the router.
  J-Web Configuration Editor: In the Source address box, type the loopback address of the router: 10.0.0.1
  CLI Configuration Editor: Set the router's loopback address as the source address:
    set radius-server 172.16.98.1 source-address 10.0.0.1
Setting Up TACACS+ Authentication
To use TACACS+ authentication, you must configure at least one TACACS+ server.
The procedure provided in this section identifies the TACACS+ server, specifies the
secret (password) of the TACACS+ server, and sets the source address of the Services
Router's TACACS+ requests to the loopback address of the router. This procedure
uses the following sample values:
■ The TACACS+ server's IP address is 172.16.98.24.
■ The TACACS+ server's secret is Tacacssecret1.
■ The loopback address of the router is 10.0.0.1.
To configure TACACS+ authentication:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI
configuration editor.
2. Perform the configuration tasks described in Table 12 on page 14.
3. If you are finished configuring the network, commit the configuration.
To completely set up TACACS+ authentication, you must create user template
accounts and specify a system authentication order.
4. Go on to one of the following procedures:
■ To specify a system authentication order, see “Configuring Authentication
Order” on page 15.
■ To configure a remote user template account, see “Creating a Remote
Template Account” on page 19.
■ To configure local user template accounts, see “Creating a Local Template
Account” on page 20.
Table 12: Setting Up TACACS+ Authentication
Task: Navigate to the System level in the configuration hierarchy.
  J-Web Configuration Editor: 1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration. 2. Next to System, click Configure or Edit.
  CLI Configuration Editor: From the [edit] hierarchy level, enter
    edit system
Task: Add a new TACACS+ server.
  J-Web Configuration Editor: 1. In the Tacplus server box, click Add new entry. 2. In the Address box, type the IP address of the TACACS+ server: 172.16.98.24
  CLI Configuration Editor: Set the IP address of the TACACS+ server:
    set tacplus-server address 172.16.98.24
Task: Specify the shared secret (password) of the TACACS+ server. The secret is stored as an encrypted value in the configuration database.
  J-Web Configuration Editor: In the Secret box, type the shared secret of the TACACS+ server: Tacacssecret1
  CLI Configuration Editor: Set the shared secret of the TACACS+ server:
    set tacplus-server 172.16.98.24 secret Tacacssecret1
Task: Specify the source address to be included in the TACACS+ server requests by the router. In most cases, you can use the loopback address of the router.
  J-Web Configuration Editor: In the Source address box, type the loopback address of the router: 10.0.0.1
  CLI Configuration Editor: Set the router's loopback address as the source address:
    set tacplus-server 172.16.98.24 source-address 10.0.0.1
Configuring Authentication Order
The procedure provided in this section configures the Services Router to attempt
user authentication with the local password first, then with the RADIUS server, and
finally with the TACACS+ server.
To configure authentication order:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI
configuration editor.
2. Perform the configuration tasks described in Table 13 on page 15.
3. If you are finished configuring the network, commit the configuration.
To completely set up RADIUS or TACACS+ authentication, you must configure
at least one RADIUS or TACACS+ server and create user template accounts.
4. Go on to one of the following procedures:
■ To configure a RADIUS server, see “Setting Up RADIUS
Authentication” on page 12.
■ To configure a TACACS+ server, see “Setting Up TACACS+
Authentication” on page 13.
■ To configure a remote user template account, see “Creating a Remote
Template Account” on page 19.
■ To configure local user template accounts, see “Creating a Local Template
Account” on page 20.
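The behaviour this section and “Configuring System Authentication” describe (methods tried in the configured order until the password matches; local passwords only when no order is configured), combined with the template-account selection from “Template Accounts” on page 7, as an added simulation in Python. This is example code, not Juniper's: the Server class stands in for a real RADIUS or TACACS+ exchange, the accounts jdoe, asmith, bwong, the template netops and every password are constructed, passwords are compared as sha256 hashes purely for the simulation (JUNOS stores MD5-style hashes), and rejecting a remotely authenticated user when neither a local template nor the remote template exists is an assumption.

```python
"""Simulate JUNOS authentication order and template-account selection.

Added example, not Juniper code. Rules encoded from the chapter:
  * each login attempt tries the configured methods in order until the
    password matches (Table 13 configures password, radius, tacplus);
  * with no authentication order configured, only local passwords are used;
  * a RADIUS/TACACS+ server that accepts the user may return a local
    username (Juniper-Local-User / local-username); if a local template of
    that name exists it is used, otherwise the `remote` template.
"""
import hashlib
from typing import Dict, Iterable, Optional, Tuple


def _hash(password: str) -> str:
    """Simulation only: JUNOS uses MD5-style password hashes, not sha256."""
    return hashlib.sha256(password.encode()).hexdigest()


class Server:
    """Constructed stand-in for a RADIUS or TACACS+ server (no network I/O).
    entries: login -> (password hash, local username attribute or None)."""

    def __init__(self, kind: str, entries: Dict[str, Tuple[str, Optional[str]]]):
        self.kind = kind
        self.entries = entries

    def authenticate(self, login: str, password: str) -> Tuple[bool, Optional[str]]:
        """Return (accepted, value of the local-username attribute)."""
        rec = self.entries.get(login)
        if rec is None or rec[0] != _hash(password):
            return False, None
        return True, rec[1]


class Router:
    def __init__(self, local_users: Dict[str, Tuple[str, str]],
                 servers: Dict[str, Server],
                 authentication_order: Optional[Iterable[str]] = None,
                 templates: Iterable[str] = ()):
        self.local_users = local_users          # login -> (hash, login class)
        self.servers = servers                  # "radius" / "tacplus" -> Server
        # No authentication-order configured: local passwords only.
        self.order = list(authentication_order) if authentication_order else ["password"]
        self.templates = set(templates)         # template account names on the router

    def login(self, login: str, password: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (method that accepted the password, effective account), or (None, None)."""
        for method in self.order:
            if method == "password":
                rec = self.local_users.get(login)
                if rec is not None and rec[0] == _hash(password):
                    return "password", login
                continue
            server = self.servers.get(method)
            if server is None:                  # method listed but no server configured
                continue
            accepted, local_name = server.authenticate(login, password)
            if not accepted:
                continue                        # try the next method in the order
            if local_name is not None and local_name in self.templates:
                return method, local_name       # local user template selected
            if "remote" in self.templates:
                return method, "remote"         # default when no local template exists
            return None, None                   # assumption: no template to map onto
        return None, None


def sample_router() -> Router:
    """Constructed sample: order and the user cmartin follow the chapter, the rest is made up."""
    radius = Server("radius", {
        "jdoe": (_hash("Jd0e-pass"), "netops"),     # returns Juniper-Local-User = netops
        "asmith": (_hash("Asm1th-pass"), None),     # no attribute returned
    })
    tacplus = Server("tacplus", {
        "bwong": (_hash("Bw0ng-pass"), None),       # known only to the TACACS+ server
    })
    return Router(
        local_users={"cmartin": (_hash("Cm4rtin-pass"), "superuser")},
        servers={"radius": radius, "tacplus": tacplus},
        authentication_order=["password", "radius", "tacplus"],
        templates=["remote", "netops"],
    )


if __name__ == "__main__":
    r = sample_router()
    for who, pw in (("cmartin", "Cm4rtin-pass"), ("jdoe", "Jd0e-pass"),
                    ("asmith", "Asm1th-pass"), ("bwong", "Bw0ng-pass"), ("jdoe", "wrong")):
        print(who, "->", r.login(who, pw))
```

The walk through the order is what matters operationally: a password rejected by the local database is still offered to RADIUS and then TACACS+, so an account that exists on more than one backend is accepted by whichever appears first in the order; conversely, a router with no authentication-order statement never consults the servers at all.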
Table 13: Configuring Authentication Order
Task: Navigate to the System level in the configuration hierarchy.
  J-Web Configuration Editor: 1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration. 2. Next to System, click Configure or Edit.
  CLI Configuration Editor: From the [edit] hierarchy level, enter
    edit system
Task: Add RADIUS authentication to the authentication order.
  J-Web Configuration Editor: 1. In the Authentication order box, click Add new entry. 2. In the list, select radius. 3. Click OK.
  CLI Configuration Editor: Insert the radius statement in the authentication order:
    insert system authentication-order radius after password
Task: Add TACACS+ authentication to the authentication order.
  J-Web Configuration Editor: 1. In the Authentication Order box, click Add new entry. 2. In the list, select tacplus. 3. Click OK.
  CLI Configuration Editor: Insert the tacplus statement in the authentication order:
    insert system authentication-order tacplus after radius
Controlling User Access
This section contains the following topics:
■ Defining Login Classes on page 16
■ Creating User Accounts on page 17
Defining Login Classes
You can define any number of login classes. You then apply one login class to an
individual user account, as described in “Creating User Accounts” on page 17 and
“Setting Up Template Accounts” on page 18.
The procedure provided in this section creates a sample login class named
operator-and-boot with the following privileges:
■ The operator-and-boot login class can reboot the Services Router using the request
system reboot command.
■ The operator-and-boot login class can also use commands defined in the clear,
network, reset, trace, and view permission bits. For more information, see
“Permission Bits” on page 5.
To define login classes:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI
configuration editor.
2. Perform the configuration tasks described in Table 14 on page 16.
3. If you are finished configuring the network, commit the configuration.
4. Go on to one of the following procedures:
■ To create user accounts, see “Creating User Accounts” on page 17.
■ To create shared user accounts, see “Setting Up Template
Accounts” on page 18.
Table 14: Defining Login Classes
Task: Navigate to the System Login level in the configuration hierarchy.
  J-Web Configuration Editor: 1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration. 2. Next to System, click Configure or Edit. 3. Next to Login, click Configure or Edit.
  CLI Configuration Editor: From the [edit] hierarchy level, enter
    edit system login
Task: Create a login class named operator-and-boot with the ability to reboot the router.
  J-Web Configuration Editor: 1. Next to Class, click Add new entry. 2. Type the name of the login class: operator-and-boot 3. In the Allow commands box, type the request system reboot command enclosed in quotation marks: "request system reboot" 4. Click OK.
  CLI Configuration Editor: Set the name of the login class and the ability to use the request system reboot command:
    set class operator-and-boot allow-commands "request system reboot"
Task: Give the operator-and-boot login class operator privileges.
  J-Web Configuration Editor: 1. Next to Permissions, click Add new entry. 2. In the Value list, select clear. 3. Click OK. 4. Next to Permissions, click Add new entry. 5. In the Value list, select network. 6. Click OK. 7. Next to Permissions, click Add new entry. 8. In the Value list, select reset. 9. Click OK. 10. Next to Permissions, click Add new entry. 11. In the Value list, select trace. 12. Click OK. 13. Next to Permissions, click Add new entry. 14. In the Value list, select view. 15. Click OK.
  CLI Configuration Editor: Set the permission bits for the operator-and-boot login class:
    set class operator-and-boot permissions [clear network reset trace view]
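How the permission bits of Table 7 and an allow-commands statement combine when a class such as the operator-and-boot class built in Table 14 is evaluated, as an added example in Python that is not Juniper code. It encodes the rules stated under “Permission Bits” and “Denying or Allowing Individual Commands” (plain bit read-only, -control bit read and write, control covering every -control bit, all covering everything, explicit allow or deny overriding the bits). The per-command permission mapping, the anchored regular-expression match for allow-commands and deny-commands, and checking deny-commands before allow-commands are assumptions the guide does not state.

```python
"""Model a JUNOS login class deciding whether a user may run a command.

Added example, not Juniper code. The predefined classes come from Table 6
and operator-and-boot from Table 14; COMMAND_PERMISSIONS is a constructed
sample mapping, not the router's real table.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Predefined login classes (Table 6).
PREDEFINED_CLASSES: Dict[str, Set[str]] = {
    "operator": {"clear", "network", "reset", "trace", "view"},
    "read-only": {"view"},
    "super-user": {"all"},
    "superuser": {"all"},
    "unauthorized": set(),
}

# Constructed sample: the permission bit each operational command needs.
COMMAND_PERMISSIONS: Dict[str, str] = {
    "show interfaces": "view",
    "show configuration": "view",
    "ping 10.0.0.1": "network",
    "clear arp": "clear",
    "restart routing": "reset",
    "request system reboot": "maintenance",
    "start shell": "shell",
    "configure": "configure",
}


@dataclass
class LoginClass:
    name: str
    permissions: Set[str] = field(default_factory=set)
    allow_commands: Optional[str] = None    # regular expression, as in JUNOS
    deny_commands: Optional[str] = None

    def has_permission(self, bit: str) -> bool:
        """Resolve a bit through `all`, `control` and the -control forms."""
        if "all" in self.permissions or bit in self.permissions:
            return True
        if bit.endswith("-control") and "control" in self.permissions:
            return True
        # Read-and-write (-control) access includes the plain read-only form.
        return (bit + "-control") in self.permissions

    def may_run(self, command: str) -> bool:
        """Explicit deny first, then explicit allow, then the permission bits
        (assumed precedence; the match is anchored to the whole command)."""
        if self.deny_commands and re.fullmatch(self.deny_commands, command):
            return False
        if self.allow_commands and re.fullmatch(self.allow_commands, command):
            return True
        needed = COMMAND_PERMISSIONS.get(command)
        return needed is not None and self.has_permission(needed)


def predefined(name: str) -> LoginClass:
    return LoginClass(name, set(PREDEFINED_CLASSES[name]))


def operator_and_boot() -> LoginClass:
    """The class built in Table 14: operator bits plus `request system reboot`."""
    return LoginClass(
        "operator-and-boot",
        {"clear", "network", "reset", "trace", "view"},
        allow_commands="request system reboot",
    )


def authorize(cls: LoginClass, commands: Iterable[str]) -> Dict[str, bool]:
    """Decide every command for one class; handy for reviewing a class before commit."""
    return {cmd: cls.may_run(cmd) for cmd in commands}


if __name__ == "__main__":
    for cls in (predefined("operator"), operator_and_boot(), predefined("read-only")):
        print(cls.name, authorize(cls, COMMAND_PERMISSIONS))
```

The point to check in a review of a new class is exactly what authorize shows: operator-and-boot reaches request system reboot only through allow-commands, without being granted the maintenance bit that would also open su root and the other request system commands listed in Table 7.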
Creating User Accounts
User accounts provide one way for users to access the Services Router. (Users can
access the router without accounts if you configured RADIUS or TACACS+ servers,
as described in “Setting Up RADIUS Authentication” on page 12 and “Setting Up
TACACS+ Authentication” on page 13.)
The procedure provided in this section creates a sample user named cmartin with
the following characteristics:
■ The user cmartin belongs to the superuser login class.
■ The user cmartin uses an encrypted password, $1$14c5.$sBopasdFFdssdfFFdsdfs0.
To create user accounts:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 15 on page 18.
3. If you are finished configuring the network, commit the configuration.
Table 15: Creating User Accounts

Task: Navigate to the System Login level in the configuration hierarchy.
J-Web Configuration Editor:
1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
2. Next to System, click Configure or Edit.
3. Next to Login, click Configure or Edit.
CLI Configuration Editor: From the [edit] hierarchy level, enter
edit system login

Task: Create a user named cmartin who belongs to the superuser login class.
J-Web Configuration Editor:
1. Next to User, click Add new entry.
2. In the User name box, type cmartin.
3. In the Class box, type superuser.
4. Click OK.
CLI Configuration Editor: Set the username and the login class for the user:
set user cmartin class superuser

Task: Define the encrypted password for cmartin.
J-Web Configuration Editor:
1. Next to Authentication, click Configure.
2. In the Encrypted password box, type $1$14c5.$sBopasdFFdssdfFFdsdfs0
3. Click OK.
CLI Configuration Editor: Set the encrypted password for cmartin:
set user cmartin authentication encrypted-password $1$14c5.$sBopasdFFdssdfFFdsdfs0
Setting Up Template Accounts
You can create template accounts that are shared by a set of users when you are
using RADIUS or TACACS+ authentication. When a user is authenticated by a
template account, the CLI username is the login name, and the privileges, file
ownership, and effective user ID are inherited from the template account.
This section contains the following topics:
■ Creating a Remote Template Account on page 19
■ Creating a Local Template Account on page 20
Creating a Remote Template Account
You can create a remote template that is applied to users authenticated by RADIUS
or TACACS+ that do not belong to a local template account.
By default, the JUNOS software uses the remote template account when
■ The authenticated user does not exist locally on the Services Router.
■ The authenticated user's record in the RADIUS or TACACS+ server specifies a local user, or the specified local user does not exist locally on the router.
The procedure provided in this section creates a sample user named remote that
belongs to the operator login class.
To create a remote template account:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 16 on page 19.
3. If you are finished configuring the network, commit the configuration.
To completely set up RADIUS or TACACS+ authentication, you must configure at least one RADIUS or TACACS+ server and specify a system authentication order.
4. Go on to one of the following procedures:
■ To configure a RADIUS server, see “Setting Up RADIUS Authentication” on page 12.
■ To configure a TACACS+ server, see “Setting Up TACACS+ Authentication” on page 13.
■ To specify a system authentication order, see “Configuring Authentication Order” on page 15.
Table 16: Creating a Remote Template Account

Task: Navigate to the System Login level in the configuration hierarchy.
J-Web Configuration Editor:
1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
2. Next to System, click Configure or Edit.
3. Next to Login, click Configure or Edit.
CLI Configuration Editor: From the [edit] hierarchy level, enter
edit system login

Task: Create a user named remote who belongs to the operator login class.
J-Web Configuration Editor:
1. Next to User, click Add new entry.
2. In the User name box, type remote.
3. In the Class box, type operator.
4. Click OK.
CLI Configuration Editor: Set the username and the login class for the user:
set user remote class operator
Creating a Local Template Account
You can create a local template that is applied to users authenticated by RADIUS or
TACACS+ that are assigned to the local template account. You use local template
accounts when you need different types of templates. Each template can define a
different set of permissions appropriate for the group of users who use that template.
The procedure provided in this section creates a sample user named admin that
belongs to the superuser login class.
To create a local template account:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 17 on page 20.
3. If you are finished configuring the network, commit the configuration.
To completely set up RADIUS or TACACS+ authentication, you must configure at least one RADIUS or TACACS+ server and specify a system authentication order.
4. Go on to one of the following procedures:
■ To configure a RADIUS server, see “Setting Up RADIUS Authentication” on page 12.
■ To configure a TACACS+ server, see “Setting Up TACACS+ Authentication” on page 13.
■ To configure a system authentication order, see “Configuring Authentication Order” on page 15.
Table 17: Creating a Local Template Account

Task: Navigate to the System Login level in the configuration hierarchy.
J-Web Configuration Editor:
1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
2. Next to System, click Configure or Edit.
3. Next to Login, click Configure or Edit.
CLI Configuration Editor: From the [edit] hierarchy level, enter
edit system login

Task: Create a user named admin who belongs to the superuser login class.
J-Web Configuration Editor:
1. Next to User, click Add new entry.
2. In the User name box, type admin.
3. In the Class box, type superuser.
4. Click OK.
CLI Configuration Editor: Set the username and the login class for the user:
set user admin class superuser
Recovering the Root Password
If you forget the root password for the router, you can use the password recovery
procedure to reset the root password.
NOTE: You need console access to recover the root password.
To recover the root password:
1. Power off the router by pressing the power button on the front panel.
2. Turn off the power to the management device, such as a PC or laptop computer, that you want to use to access the CLI.
3. Plug one end of the Ethernet rollover cable supplied with the router into the RJ-45 to DB-9 serial port adapter supplied with the router (see Figure 5 on page 21 and Figure 6 on page 22).
4. Plug the RJ-45 to DB-9 serial port adapter into the serial port on the management device (see Figure 5 on page 21 and Figure 6 on page 22).
5. Connect the other end of the Ethernet rollover cable to the console port on the router (see Figure 5 on page 21 and Figure 6 on page 22).
Figure 5: Connecting to the Console Port on the J2300 Services Router
Figure 6: Connecting to the Console Port on the J4350 or J6350 Services Router
6. Turn on the power to the management device.
7. On the management device, start your asynchronous terminal emulation application (such as Microsoft Windows Hyperterminal) and select the appropriate COM port to use (for example, COM1).
8. Configure the port settings as follows:
■ Bits per second: 9600
■ Data bits: 8
■ Parity: None
■ Stop bits: 1
■ Flow control: None
9. Power on the router by pressing the power button on the front panel. Verify that the POWER LED on the front panel turns green.
The terminal emulation screen on your management device displays the router's boot sequence.
10. When the following prompt appears, press the Spacebar to access the router's bootstrap loader command prompt:
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...
11. At the following prompt, enter boot -s to start up the system in single-user mode.
ok boot -s
12. At the following prompt, enter recovery to start the root password recovery
procedure.
Enter full pathname of shell or 'recovery' for root password recovery or
RETURN for /bin/sh: recovery
13. Enter configuration mode in the CLI.
14. Set the root password. For example:
user@host# set system root-authentication plain-text-password
For more information about configuring the root password, see the JUNOS System
Basics Configuration Guide.
15. At the following prompt, enter the new root password. For example:
New password: juniper1
Retype new password:
16. At the second prompt, reenter the new root password.
17. If you are finished configuring the network, commit the configuration.
root@host# commit
commit complete
18. Exit configuration mode in the CLI.
19. Exit operational mode in the CLI.
20. At the prompt, enter y to reboot the router.
Reboot the system? [y/n] y
Securing the Console Port
You can use the console port on the Services Router to connect to the Routing Engine
through an RJ-45 serial cable. From the console port, you can use the CLI to configure
the router. By default, the console port is enabled. To secure the console port, you
can configure the Services Router to do the following:
■ Log out the console session when you unplug the serial cable connected to the console port.
■ Disable root login connections to the console.
■ Disable the console port. We recommend disabling the console port to prevent unauthorized access to the Services Router, especially when the router is used as customer premises equipment (CPE).
In a Common Criteria environment, you must disable the console port. For more
information, see the Secure Configuration Guide for Common Criteria and
JUNOS-FIPS.
To secure the console port:
1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
2. Perform the configuration tasks described in Table 18 on page 24.
3. If you are finished configuring the network, commit the configuration.
Table 18: Securing the Console Port

Task: Navigate to the Console level in the configuration hierarchy.
J-Web Configuration Editor:
1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
2. Next to System, click Configure or Edit.
3. Next to Ports, click Configure or Edit.
4. Next to Console, click Configure or Edit.
CLI Configuration Editor: From the [edit] hierarchy level, enter
edit system ports console

Task: Secure the console port.
J-Web Configuration Editor:
1. Select one of the following check boxes:
■ Disable—Console port is disabled.
■ Insecure—Root login connections to the console are disabled.
■ Log out on disconnect—Logs out the console session when the serial cable connected to the console port is unplugged.
2. Click OK.
CLI Configuration Editor: Do one of the following:
■ To disable the console port, enter
set disable
■ To disable root login connections to the console, enter
set insecure
■ To log out the console session when the serial cable connected to the console port is unplugged, enter
set log-out-on-disconnect
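The login class from Table 14, the cmartin account from Table 15, the remote and admin template accounts from Tables 16 and 17, and the console settings from Table 18 all live under the same [edit system] hierarchy, so they can be reviewed together from the output of show configuration | display set. The following Python script is an added example, not Juniper code and not part of this guide: it parses display-set lines into a small model and reports the points a reviewer would raise (a user assigned to a login class that is neither built in nor configured, an encrypted-password that is an MD5-crypt $1$ hash, a RADIUS or TACACS+ server whose method is missing from authentication-order, external authentication with no remote template user, and a console port that still permits root login or keeps its session when the cable is pulled). The embedded sample configuration is constructed for the example: the RADIUS server address 192.0.2.10 and its secret are placeholders, and the cmartin hash is the sample value this section uses.

```python
"""Audit a JUNOS 'show configuration | display set' dump for the login and
console-port settings in this chapter.  Added example, not Juniper code."""
import shlex
from collections import defaultdict

# Login classes JUNOS predefines; any other class name must be configured.
BUILTIN_CLASSES = {"operator", "read-only", "super-user", "superuser", "unauthorized"}
# The three console hardening statements from Table 18.
CONSOLE_OPTIONS = ("disable", "insecure", "log-out-on-disconnect")

# Constructed sample in display-set form (lists are expanded one value per line).
# The RADIUS address and secret are placeholders; the hash is Table 15's sample.
SAMPLE_CONFIG = """\
set system authentication-order radius
set system authentication-order password
set system radius-server 192.0.2.10 secret "$9$PLACEHOLDER-NOT-A-REAL-SECRET"
set system login class operator-and-boot permissions clear
set system login class operator-and-boot permissions network
set system login class operator-and-boot permissions reset
set system login class operator-and-boot permissions trace
set system login class operator-and-boot permissions view
set system login class operator-and-boot allow-commands "request system reboot"
set system login user cmartin class superuser
set system login user cmartin authentication encrypted-password "$1$14c5.$sBopasdFFdssdfFFdsdfs0"
set system login user remote class operator
set system login user admin class superuser
set system ports console log-out-on-disconnect
"""


def parse_set_lines(text):
    """Tokenize each 'set ...' line; shlex keeps a quoted value such as
    "request system reboot" as one token and strips the quotes."""
    return [shlex.split(line.strip())[1:]
            for line in text.splitlines() if line.strip().startswith("set ")]


def build_model(stmts):
    """Collect the statements the audit cares about into one dictionary."""
    model = {
        "auth_order": [],
        "external_servers": set(),   # (radius-server | tacplus-server, address)
        "classes": defaultdict(lambda: {"permissions": [], "allow_commands": None}),
        "users": defaultdict(lambda: {"class": None, "password_hash": None}),
        "console": set(),
    }
    for s in stmts:
        if s[:2] == ["system", "authentication-order"] and len(s) > 2:
            model["auth_order"].append(s[2])
        elif s[:2] in (["system", "radius-server"], ["system", "tacplus-server"]) and len(s) > 2:
            model["external_servers"].add((s[1], s[2]))
        elif s[:3] == ["system", "login", "class"] and len(s) > 5:
            cls = model["classes"][s[3]]
            if s[4] == "permissions":
                cls["permissions"].append(s[5])
            elif s[4] == "allow-commands":
                cls["allow_commands"] = s[5]
        elif s[:3] == ["system", "login", "user"] and len(s) > 5:
            usr = model["users"][s[3]]
            if s[4] == "class":
                usr["class"] = s[5]
            elif s[4:6] == ["authentication", "encrypted-password"] and len(s) > 6:
                usr["password_hash"] = s[6]
        elif s[:3] == ["system", "ports", "console"] and len(s) > 3 and s[3] in CONSOLE_OPTIONS:
            model["console"].add(s[3])
    return model


def audit(text):
    """Return the findings a reviewer would raise, plus a few summary fields."""
    m = build_model(parse_set_lines(text))
    findings = []
    for name, u in sorted(m["users"].items()):
        if u["class"] not in BUILTIN_CLASSES and u["class"] not in m["classes"]:
            findings.append(f"user {name}: class {u['class']!r} is neither built in nor configured")
        if u["password_hash"] and u["password_hash"].startswith("$1$"):
            findings.append(f"user {name}: encrypted-password is MD5-crypt ($1$); "
                            "prefer a SHA-based hash where the release supports it")
    # RADIUS/TACACS+ users with no local account fall through to the 'remote'
    # template; without it, or without the method in authentication-order,
    # external authentication is not set up end to end.
    for kind, addr in sorted(m["external_servers"]):
        method = kind[: -len("-server")]          # radius-server -> radius
        if method not in m["auth_order"]:
            findings.append(f"{kind} {addr} configured but {method!r} is missing from authentication-order")
    if m["external_servers"] and "remote" not in m["users"]:
        findings.append("external authentication configured but no 'remote' template user; "
                        "externally authenticated users without a local account cannot log in")
    # A disabled console needs nothing else; otherwise both other statements should be present.
    console = m["console"]
    if "disable" not in console:
        if "insecure" not in console:
            findings.append("console: root login is still permitted (no 'insecure')")
        if "log-out-on-disconnect" not in console:
            findings.append("console: session survives cable removal (no 'log-out-on-disconnect')")
    reboot_classes = sorted(c for c, v in m["classes"].items()
                            if v["allow_commands"] and "request system reboot" in v["allow_commands"])
    return {"findings": findings, "console": console, "reboot_classes": reboot_classes}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("classes granted reboot via allow-commands:", report["reboot_classes"])
    for finding in report["findings"]:
        print("-", finding)
```

Run the file directly to audit the constructed sample; it reports two findings, the MD5-crypt hash and the missing insecure statement, and lists operator-and-boot as the class that can reboot through allow-commands. To audit a real router, replace SAMPLE_CONFIG with captured show configuration | display set output; the parser ignores every statement outside the handful of hierarchies it models, so an unrelated interface or protocol configuration does not disturb the checks.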
Accessing Remote Devices with the CLI
This section contains the following topics:
■ Using the telnet Command on page 24
■ Using the ssh Command on page 25
Using the telnet Command
You can use the CLI telnet command to open a Telnet session to a remote device:
user@host> telnet host <8bit>