Juniper Networks J-Series Managing User Authentication and Access

Chapter 1

Managing User Authentication and Access

You can use either J-Web Quick Configuration or a configuration editor to manage

system functions, including RADIUS and TACACS+ servers, and user login accounts.

This chapter contains the following topics. For more information about system

management, see the JUNOS System Basics Configuration Guide.

If the router is operating in a Common Criteria environment, see the Secure

Configuration Guide for Common Criteria and JUNOS-FIPS.

■User Authentication Terms on page 3

■User Authentication Overview on page 4

■Before You Begin on page 8

■Managing User Authentication with Quick Configuration on page 8

■Managing User Authentication with a Configuration Editor on page 12

■Recovering the Root Password on page 21

■Securing the Console Port on page 23

■Accessing Remote Devices with the CLI on page 24

■Configuring Password Retry Limits for Telnet and SSH Access on page 26

User Authentication Terms

Before performing system management tasks, become familiar with the terms defined

in Table 5 on page 3.

Table 5: System Management Terms

DefinitionTerm

Authentication method for validating users who attempt to access one or more

Services Routers by means of Telnet. RADIUS is a multivendor IETF standard

whose features are more widely accepted than those of TACACS+ or other

proprietary systems. All one-time-password system vendors support RADIUS.

Remote Authentication Dial-In User

Service (RADIUS)

Authentication method for validating users who attempt to access one or more

Services Routers by means of Telnet.

Terminal Access Controller Access

Control System Plus (TACACS+)

User Authentication Terms ■3

Contents

Main J-series Services Router Administration Guide Release 9.1 ii End User License Agreement iii iv Abbreviated Table of Contents Page Table of Contents Part 1 Configuring a Services Router for Administration Page Page Part 2 Monitoring a Services Router Part 3 Managing Services Router Software Part 4 Diagnosing Performance and Network Problems Page Part 5 Index About This Guide Objectives Audience How to Use This Guide To monitor, diagnose, and manage a router, use the J-Web interface or CLI operational mode commands. Document Conventions Table 2 on page xvii defines the notice icons used in this guide. Table 2: Notice Icons Table 3 on page xvii defines the text and syntax conventions used in this guide. Table 3: Text and Syntax Conventions Related Juniper Networks Documentation xviii Table 4: J-series Guides and Related JUNOS Software Publications Table 4: J-series Guides and Related JUNOS Software Publications (continued) xx Documentation Feedback Requesting Technical Support Page Part 1 Configuring a Services Router for Administration Page Chapter 1 Managing User Authentication and Access User Authentication Terms User Authentication Overview User Authentication User Accounts Login Classes Permission Bits Table 7: Permission Bits for Login Classes 6 Table 7: Permission Bits for Login Classes (continued) Denying or Allowing Individual Commands Template Accounts Managing User Authentication with Quick Configuration Adding a RADIUS Server for Authentication Adding a TACACS+ Server for Authentication Configuring System Authentication Adding New Users Managing User Authentication with a Configuration Editor Setting Up RADIUS Authentication Setting Up TACACS+ Authentication Page Configuring Authentication Order Controlling User Access Defining Login Classes Creating User Accounts To create user accounts: Setting Up Template Accounts 18 Creating a Remote Template Account Creating a Local Template Account Recovering the Root Password Page Securing the Console Port 1. 2. 3. 4. 1. Accessing Remote Devices with the CLI Using the telnet Command You can use the CLI telnet command to open a Telnet session to a remote device: 24 Table 19: CLI telnet Command Options Using the ssh Command Table 20: CLI ssh Command Options Configuring Password Retry Limits for Telnet and SSH Access Table 21: Configuring Password Retry Limits for Telnet and SSH Access 2. 3. 5. 4. 3. Page Chapter 2 Setting Up USB Modems for Remote Management USB Modem Terms USB Modem Overview USB Modem Interfaces How a Services Router Initializes USB Modems USB Modem Connection and Configuration Overview Connecting the USB Modem to the Services Router's USB Port Configuring USB Modem Interfaces with a Configuration Editor Configuring a USB Modem Interface (Required) 1. Navigate to the top of the interfaces configuration hierarchy in either the J-Web or CLI configuration editor. 2. 1. 2. 1. Configuring a Dialer Interface (Required) or CLI configuration editor. Configuring Dial-In (Required) USB Modem Configuration on page 42. Table 27: Configuring the Dialer Interface for Dial-In 2. 3. 3. Configuring CHAP on Dialer Interfaces (Optional) Configuration on page 42. 38 Connecting to the Services Router from the User End Configuring a Dial-Up Modem Connection at the User End Connecting to the Services Router from the User End Administering USB Modems Modifying USB Modem Initialization Commands Table 29: Modifying USB Modem Initialization Commands (continued) 1. 2. Resetting USB Modems 1. Enter operational mode in the CLI. 2. To reset the USB modem, enter the following command: Verifying the USB Modem Configuration To verify a USB modem configuration, perform the following tasks: 42 Verifying a USB Modem Interface Chapter 2: Setting Up USB Modems for Remote Management Purpose Verify that the USB modem interface is correctly configured and display the status of the modem. Action From the CLI, enter the show interfaces extensive command. Verifying Dialer Interface Configuration Meaning The output shows a summary of dialer interface information. Verify the following Chapter 2: Setting Up USB Modems for Remote Management information: Verifying Dialer Interface Configuration 45 Page Chapter 3 Configuring SNMP for Network Management SNMP Architecture Management Information Base SNMP Communities SNMP Traps Spoofing SNMP Traps SNMP Health Monitor Configuring SNMP with Quick Configuration SNMP, click Apply. click OK. click Cancel. Table 30: SNMP Quick Configuration Summary (continued) 1. 52 Table 30: SNMP Quick Configuration Summary (continued) Configuring SNMP with a Configuration Editor Defining System Identification Information (Required) Configuring SNMP Agents and Communities (Required) Table 33: Configuring SNMP Agents and Communities 2. 1. 2. 1. Managing SNMP Trap Groups (Required) 2. To configure SNMP trap groups, perform the configuration tasks described in Table 34 on page 57. 56 Controlling Access to MIBs (Optional) Table 35 on page 58. Table 35: Configuring SNMP Views 1. 2. Verifying the SNMP Configuration To verify the SNMP configuration, perform the following verification task. Verifying SNMP Agent Configuration Purpose Verify that SNMP is running and that requests and traps are being properly transmitted. Verifying SNMP Health Monitor Configuration Meaning The output shows a summary of SNMP health monitor alarms and corresponding log entries: limit. 60 Page Page Chapter 4 Configuring the Router as a DHCP Server DHCP Terms Table 36: DHCP Terms DHCP Overview 64 DHCP Options Compatibility with Autoinstallation Conflict Detection and Resolution Interface Restrictions Configuring the DHCP Server with Quick Configuration Page Page Page 3. Enter information into the DHCP Quick Configuration pages, as described in Table 37 on page 70. 4. Click one of the following buttons on the DHCP Quick Configuration page: OK. Cancel. 5. Go on to one of the following procedures: Table 37: DHCP Server Quick Configuration Pages Summary (continued) Configuring the DHCP Server with a Configuration Editor Table 38: Sample DHCP Server Configuration Settings (continued) To configure the Services Router as a DHCP server for a subnet and a single client: Configuration on page 75. 74 Table 39: Configuring the DHCP Server (continued) 1. 2. 1. 2. 3. Verifying a DHCP Server Configuration To verify a DHCP server configuration, perform the following tasks: Displaying a DHCP Server Configuration Purpose Verify the configuration of a DHCP server. Action From the J-Web interface, select Verifying the DHCP Binding Database Verifying DHCP Server Operation Page Displaying DHCP Statistics Page Chapter 5 Configuring Autoinstallation Autoinstallation Terms Autoinstallation Overview Supported Autoinstallation Interfaces and Protocols Typical Autoinstallation Process on a New Services Router Page Configuring Autoinstallation with a Configuration Editor Table 42: Configuring Autoinstallation 2. 1. 2. Verifying Autoinstallation To verify that a Services Router is configured for autoinstallation, perform the following task. Verifying Autoinstallation Status Purpose Display the status of the autoinstallation feature on a Services Router. 86 displayed are correct for the Services Router when it is deployed on the network. Verifying Autoinstallation Status 87 Page Chapter 6 Automating Network Operations and Troubleshooting Defining and Enforcing Configuration Rules with Commit Scripts Commit Script Overview Enabling Commit Scripts Disabling Commit Scripts Automating Network Management and Troubleshooting with Operation Scripts Operation Script Overview Enabling Operation Scripts Executing Operation Scripts Disabling Operation Scripts Running Self-Diagnostics with Event Policies Event Policy Overview Configuring Event Policies Table 45: Configuring Event Policies 2. 4. 96 Page Page Part 2 Monitoring a Services Router Page Chapter 7 Monitoring the Router and Routing Operations Monitoring Terms Monitoring Overview Monitoring Tools Overview Page 104 Filtering Command Output Page Using the Monitoring Tools Monitoring System Properties 108 Page Monitoring System Process Information show system processes commands. Table 49 on page 110 summarizes the output fields in the system process information Table 49: Summary of System Process Information Output Fields 110 Monitoring the Chassis Table 50: Summary of Key Chassis Output Fields (continued) 112 Table 50: Summary of Key Chassis Output Fields (continued) Monitoring the Interfaces Table 51 on page 114 summarizes key output fields in interfaces displays. Table 51: Summary of Key Interfaces Output Fields 114 Table 51: Summary of Key Interfaces Output Fields (continued) Monitoring Routing Information The J-Web interface provides information about routing tables and routing protocols. Monitoring Route Information Table 52 on page 116 summarizes key output fields in the routing information display. Table 52: Summary of Key Routing Information Output Fields 116 Table 52: Summary of Key Routing Information Output Fields (continued) Monitoring BGP Routing Information Table 53 on page 117 summarizes key output fields in the BGP routing display. Table 53: Summary of Key BGP Routing Output Fields Table 53: Summary of Key BGP Routing Output Fields (continued) 118 Table 53: Summary of Key BGP Routing Output Fields (continued) Monitoring OSPF Routing Information Table 54 on page 119 summarizes key output fields in the OSPF routing display. Table 54: Summary of Key OSPF Routing Output Fields Table 54: Summary of Key OSPF Routing Output Fields (continued) Monitoring RIP Routing Information Table 55 on page 120 summarizes key output fields in the RIP routing display. Table 55: Summary of Key RIP Routing Output Fields 120 Table 55: Summary of Key RIP Routing Output Fields (continued) Monitoring DLSw Routing Information Table 56 on page 121 summarizes key routing information output fields in the DLSw routing display. Table 56: Summary of Key DLSw Routing Information Output Fields Table 56: Summary of Key DLSw Routing Information Output Fields (continued) 122 Monitoring Class-of-Service Performance Monitoring CoS Interfaces Table 57: Summary of Key CoS Interfaces Output Fields Monitoring CoS Classifiers show class-of-service classifier Table 58 on page 124 summarizes key output fields for CoS classifiers. Table 58: Summary of Key CoS Classifier Output Fields 124 Monitoring CoS Value Aliases show class-of-service code-point-aliases Table 59 on page 126 summarizes key output fields for CoS value aliases. Table 59: Summary of Key CoS Value Alias Output Fields Monitoring CoS RED Drop Profiles show class-of-service drop-profile Table 60 on page 126 summarizes key output fields for CoS RED drop profiles. Table 60: Summary of Key CoS RED Drop Profile Output Fields 126 Monitoring CoS Forwarding Classes show class-of-service forwarding-class Table 61 on page 128 summarizes key output fields for CoS forwarding classes. Table 61: Summary of Key CoS Forwarding Class Output Fields Monitoring CoS Rewrite Rules show class-of-service rewrite-rules Table 62 on page 128 summarizes key output fields for CoS rewrite rules. Table 62: Summary of Key CoS Rewrite Rules Output Fields 128 Monitoring CoS Scheduler Maps show class-of-service scheduler-map Table 63 on page 129 summarizes key output fields for CoS scheduler maps. Table 63: Summary of Key CoS Scheduler Maps Output Fields Table 63: Summary of Key CoS Scheduler Maps Output Fields (continued) Monitoring MPLS Traffic Engineering Information 130 Monitoring MPLS Interfaces Monitoring MPLS LSP Information Table 65: Summary of Key MPLS LSP Information Output Fields (continued) Monitoring MPLS LSP Statistics show mpls lsp statistics 132 Table 66: Summary of Key MPLS LSP Statistics Output Fields Monitoring RSVP Session Information show rsvp session Table 67 on page 133 summarizes key output fields in the RSVP session information Table 67: Summary of Key RSVP Session Information Output Fields Table 67: Summary of Key RSVP Session Information Output Fields (continued) Monitoring MPLS RSVP Interfaces Information show rsvp interface Table 68 on page 134 summarizes key output fields in the RSVP interfaces information Table 68: Summary of Key RSVP Interfaces Information Output Fields 134 Monitoring Service Sets Table 69: Summary of Key Service Set Output Fields Monitoring Firewalls 136 Monitoring Stateful Firewall Statistics services stateful-firewall statistics. Table 70 on page 137 summarizes key output fields for stateful firewall filter statistics. Table 70: Summary of Key Stateful Firewall Statistics Output Fields Table 70: Summary of Key Stateful Firewall Statistics Output Fields (continued) Monitoring Stateful Firewall Filters Table 71 on page 138 summarizes key output fields for stateful firewall filters. Table 71: Summary of Key Stateful Firewall Filters Output Fields 138 Monitoring Firewall Intrusion Detection Services (IDS) Table 73 on page 140 summarizes key output fields for stateful firewall filter intrusion detection. Table 73: Summary of Key Firewall IDS Output Fields Monitoring IPSec Tunnels Table 74 on page 140 summarizes key output fields in IPSec displays. Table 74: Summary of Key IPSec Output Fields 140 Page Table 74: Summary of Key IPSec Output Fields (continued) Monitoring NAT Pools 142 Table 75 on page 143 summarizes key output fields in NAT displays. Monitoring DHCP In addition, you can display the globally configured DHCP settings by using the Table 76 on page 143 summarizes the output fields in DHCP displays. Table 76: Summary of DHCP Output Fields (continued) 144 Monitoring RPM Probes Table 77: Summary of Key RPM Output Fields (continued) 146 Table 77: Summary of Key RPM Output Fields (continued) Monitoring PPP Monitoring PPPoE Page 150 Monitoring the TGM550 Media Gateway (VoIP) Table 79 on page 152 summarizes key output fields in media gateway information displays. Table 79: Summary of Key Media Gateway Information Output Fields 152 Page Page Chapter 8 Monitoring Events and Managing System Log Files System Log Message Terms Table 80: System Log Message Terms (continued) System Log Messages Overview protocol adjacency or a user login into the configuration database unexpected closure of a connection to a child or peer process temperature 156 System Log Message Destinations System Log Facilities and Severity Levels Regular Expressions Table 83: Common Regular Expression Operators and the Terms They Match Before you begin configuring and monitoring system log messages, complete the following tasks: Access Configuration Guide. Configuring System Log Messages with a Configuration Editor Sending System Log Messages to a File Sending System Log Messages to a User Terminal Archiving System Logs Disabling System Logs Monitoring System Log Messages with the J-Web Event Viewer Filtering System Log Messages Table 86: Filtering System Log Messages (continued) Viewing System Log Messages Table 87: Viewing System Log Messages 164 Chapter 9 Configuring and Monitoring Alarms Alarm Terms Alarm Overview Alarm Types Alarm Severity Alarm Conditions Interface Alarm Conditions Table 89: Interface Alarm Conditions 168 Page Table 89: Interface Alarm Conditions (continued) Chassis Alarm Conditions and Corrective Actions 170 Table 90: Chassis Alarm Conditions and Corrective Actions System Alarm Conditions and Corrective Actions Configuring Alarms with a Configuration Editor Page Table 92: Configuring Interface Alarms (continued) 1. 2. 3. Checking Active Alarms Figure 13: J-Web View Alarms Summary Page ERROR: Unresolved graphic fileref="s020252.gif" not found in Table 93 on page 174 summarizes the output fields on the alarms page. Table 93: Summary of Key Alarm Output Fields Verifying the Alarms Configuration To verify alarms configuration, perform the following task. Displaying Alarm Configurations Purpose Verify the configuration of the alarms. Action From the J-Web interface, select [edit] user@host# show chassis alarms t3 { Page Page Page Chapter 10 Performing Software Upgrades and Reboots Upgrade and Downgrade Overview Upgrade Software Packages Recovery Software Packages Downloading Software Upgrades from Juniper Networks Installing Software Upgrades with the J-Web Interface Installing Software Upgrades from a Remote Server Table 95: Install Remote Summary Installing Software Upgrades by Uploading Files Figure 15: Upload Package Page ERROR: Unresolved graphic fileref="s020260.gif" not found in To install software upgrades by uploading files: 1. Download the software package as described in Downloading Software Upgrades Installing Software Upgrades with the CLI Downgrading the Software Downgrading the Software with the J-Web Interface Downgrading the Software with the CLI Configuring Boot Devices Configuring a Boot Device for Backup with the J-Web Interface Figure 16 on page 187 shows the Snapshot page. Figure 16: Snapshot Page ERROR: Unresolved graphic fileref="s020261.gif" not found in To create a boot device: Table 97 on page 187. 188 Configuring a Boot Device for Backup with the CLI Table 98: CLI request system snapshot Command Options Configuring a Boot Device to Receive Software Failure Memory Snapshots Recovering Primary Boot Devices Why Compact Flash Recovery Might Be Necessary Recommended Recovery Hardware and Software Table 100: Recommended Recovery Hardware and Software Configuring Internal Compact Flash Recovery 192 Page Rebooting or Halting a Services Router Rebooting or Halting a Services Router with the J-Web Interface Rebooting a Services Router with the CLI Table 101: CLI Request System Reboot Command Options (continued) Halting a Services Router with the CLI You can use the request system halt CLI command to halt the Services Router: Table 102: CLI Request System Halt Command Options 196 Table 102: CLI Request System Halt Command Options (continued) Page Chapter 11 Managing Files Managing Files with the J-Web Interface Cleaning Up Files Downloading Files Deleting the Backup Software Image Cleaning Up Files with the CLI Managing Accounting Files Encrypting and Decrypting Configuration Files Encrypting Configuration Files Decrypting Configuration Files Modifying the Encryption Key Page Page Page Chapter 12 Using Services Router Diagnostic Tools Diagnostic Terms Diagnostic Tools Overview J-Web Diagnostic Tools Overview CLI Diagnostic Commands Overview Table 106: CLI Diagnostic Command Summary 212 MPLS Connection Checking Table 107: Options for Checking MPLS Connections (continued) 214 General Preparation Ping MPLS Preparation MPLS Enabled Loopback Address Source Address for Probes Pinging Hosts from the J-Web Interface Using the J-Web Ping Host Tool Table 108: J-Web Ping Host Field Summary (continued) Figure 21: Ping Host Results Page ERROR: Unresolved graphic fileref="s020254.gif" not found in Ping Host Results and Output Summary Checking MPLS Connections from the J-Web Interface Using the J-Web Ping MPLS Tool 220 Page Ping MPLS Results and Output Table 111: J-Web Ping MPLS Results and Output Summary 222 Tracing Unicast Routes from the J-Web Interface Using the J-Web Traceroute Tool 5. To stop the traceroute operation before it is complete, click OK while the results of the traceroute operation are being displayed. Figure 23: Traceroute Page ERROR: Unresolved graphic fileref="s020256.gif" not found in Table 112: Traceroute Field Summary 224 Traceroute Results and Output Summary Capturing and Viewing Packets with the J-Web Interface Using J-Web Packet Capture Figure 24: Packet Capture Page ERROR: Unresolved graphic fileref="s020267.gif" not found in Table 114: Packet Capture Field Summary 1. 2. 3. 4. 1. 2. Table 114: Packet Capture Field Summary (continued) 228 Table 114: Packet Capture Field Summary (continued) Packet Capture Results and Output Summary Figure 25: Packet Capture Results Page ERROR: Unresolved graphic fileref="s020268.gif" not found in Table 115: J-Web Packet Capture Results and Output Summary Using CLI Diagnostic Commands Pinging Hosts from the CLI Table 116: CLI ping Command Options (continued) Checking MPLS Connections from the CLI Pinging RSVP-Signaled LSPs and LDP-Signaled LSPs Pinging Layer 3 VPNs Pinging Layer 2 VPNs Table 119: CLI ping mpls l2vpn Command Options Following is sample output from a ping mpls l2vpn command: Pinging Layer 2 Circuits Tracing Unicast Routes from the CLI Using the traceroute Command Table 121: CLI traceroute Command Options (continued) Following is sample output from a traceroute command: Using the traceroute monitor Command 238 To quit the traceroute monitor command, press Q. Table 122: CLI traceroute monitor Command Options Following is sample output from a traceroute monitor command: Table 123 on page 240 summarizes the output fields of the display. Table 123: CLI traceroute monitor Command Output Summary Tracing Multicast Routes from the CLI Use CLI mtrace commands to trace information about multicast paths. The from-source command displays information about a multicast path from a source to 240 Using the mtrace from-source Command Table 124: CLI mtrace from-source Command Options Table 124: CLI mtrace from-source Command Options (continued) DescriptionOption (Optional) Forces the responses to use multicast. multicast-response Following is sample output from the mtrace from-source command: 242 Table 125: CLI mtrace from-source Command Output Summary Using the mtrace monitor Command To monitor and display multicast trace operations, enter the mtrace monitor command: Displaying Log and Trace Files from the CLI Monitoring Interfaces and Traffic from the CLI Using the monitor interface Command Table 128: CLI monitor interface traffic Output Control Keys (continued) ActionKey Displays the Delta column instead of the rate columnin bps or packets per second (pps). r Using the monitor traffic Command 246 Table 129: CLI monitor traffic Command Options Page Page Table 130: CLI monitor traffic Match Conditions (continued) Table 131: CLI monitor traffic Logical Operators Table 132: CLI monitor traffic Arithmetic, Binary, and Relational Operators 250 Table 132: CLI monitor traffic Arithmetic, Binary, and Relational Operators (continued) DescriptionOperator A match occurs if the first expression is not equal to the second. Following is sample output from the monitor traffic command: Page Chapter 13 Configuring Packet Capture Packet Capture Terms Table 133: Packet Capture Terms 1. 2. Packet Capture Overview Packet capture is used by network administrators and security engineers for the following purposes: 254 Packet Capture on Router Interfaces Firewall Filters for Packet Capture Packet Capture Files Analysis of Packet Capture Files Configuring Packet Capture with a Configuration Editor Enabling Packet Capture (Required) Table 134: Enabling Packet Capture 2. 3. 258 Configuring Packet Capture on an Interface (Required) Capture (Optional) on page 259. Configuring a Firewall Filter for Packet Capture (Optional) To configure a firewall filter and apply it to the logical interface: 260 Disabling Packet Capture Deleting Packet Capture Files Changing Encapsulation on Interfaces with Packet Capture Configured Verifying Packet Capture Displaying a Packet Capture Configuration Displaying a Firewall Filter for Packet Capture Configuration Verifying Captured Packets that supports libpcap format. Page Chapter 14 Configuring RPM Probes RPM Terms RPM Overview RPM Probes RPM Tests Probe and Test Intervals Jitter Measurement with Hardware Timestamping RPM Statistics Table 139: RPM Statistics 270 RPM Thresholds and Traps RPM for BGP Monitoring Configuring RPM with Quick Configuration Page Page 274 Page Configuring RPM with a Configuration Editor Configuring Basic RPM Probes Probes on page 279. 278 Configuring TCP and UDP Probes Page Page Tuning RPM Probes 282 Configuring RPM Probes to Monitor BGP Neighbors Configuring RPM Probes for BGP Monitoring Table 144: Configuring RPM Probes to Monitor BGP Neighbors 2. 4. 284 Directing RPM Probes to Select BGP Routers Verifying an RPM Configuration Verifying RPM Services Meaning The output shows the values that are configured for RPM on the Services Router. Verifying RPM Statistics Purpose Verify that the RPM probes are functioning and that the RPM statistics are within expected values. Page Verifying RPM Probe Servers Page Page Index Symbols A B C 292 Page D 294 E F G H 296 I J K L M 298 Page N O 300 P Q R 302 Page S 304 Page 306 T U 308 V W X Y 310