Login Classes
Junos login classes define a user's access privileges: the permissions for using CLI commands and configuration statements.
1. Login Classes
Junos OS includes predefined login classes that can’t be modified:
| Login Class | Permission Flag Set |
|---|---|
| super-user | all |
| operator | clear, network, reset, trace, and view |
| read-only | view |
| unauthorized | none |
Additionally, we can define any number of login classes. However, only one login class can be assigned to an individual user account.
How it looks at the CLI:
root@r1# set system login class ?
Possible completions:
<class-name> Login class name
root@r1# set system login user noc class ?
Possible completions:
<class> Login class
operator permissions [ clear network reset trace view ]
read-only permissions [ view ]
super-user permissions [ all ]
unauthorized permissions [ none ]
2. Permissions
There is a wide range of permissions that can be assigned to classes; all of them are listed in the official documentation, Login Classes Overview.
Here we list only the permissions that are included in the predefined classes:
| Permission Flag | Description |
|---|---|
| all | Can access all operational mode commands and configuration mode commands. Can modify the configuration in all the configuration hierarchy levels. |
| clear | Can clear (delete) information that the device learns from the network and stores in various network databases (using the clear commands). |
| network | Can access the network by using the ping, ssh, telnet, and traceroute commands. |
| reset | Can restart software processes by using the restart command. |
| trace | Can view trace file settings. |
| view | Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics. Cannot view the secret configuration. |
How it looks at the CLI:
root@r1# set system login class test-class permissions ?
Possible completions:
[ Open a set of values
access Can view access configuration
access-control Can modify access configuration
admin Can view user accounts
admin-control Can modify user accounts
all All permission bits turned on
clear Can clear learned network info
configure Can enter configuration mode
control Can modify any config
field Can use field debug commands
firewall Can view firewall configuration
firewall-control Can modify firewall configuration
floppy Can read and write the floppy
flow-tap Can view flow-tap configuration
flow-tap-control Can modify flow-tap configuration
flow-tap-operation Can tap flows
idp-profiler-operation Can Profiler data
interface Can view interface configuration
interface-control Can modify interface configuration
maintenance Can become the super-user
network Can access the network
pgcp-session-mirroring Can view pgcp session mirroring configuration
pgcp-session-mirroring-control Can modify pgcp session mirroring configuration
reset Can reset/restart interfaces and daemons
rollback Can rollback to previous configurations
routing Can view routing configuration
routing-control Can modify routing configuration
secret Can view secret statements
secret-control Can modify secret statements
security Can view security configuration
security-control Can modify security configuration
shell Can start a local shell
snmp Can view SNMP configuration
snmp-control Can modify SNMP configuration
storage Can view fibre channel storage protocol configuration
storage-control Can modify fibre channel storage protocol configuration
system Can view system configuration
system-control Can modify system configuration
trace Can view trace file settings
trace-control Can modify trace file settings
unified-edge Can view unified edge configuration
unified-edge-control Can modify unified edge configuration
view Can view current values and statistics
view-configuration Can view all configuration (not including secrets)
We can display the permissions of the current user with the command below, which is useful during configuration or troubleshooting:
show cli authorization
3. Login Classes Configuration
We will configure user 'noc' with the 'view' and 'view-configuration' permissions. We also want to allow a couple of additional commands and deny a few others, as follows:
### Commit the following config:
set system login class noc-class idle-timeout 10
set system login class noc-class permissions view
set system login class noc-class permissions view-configuration
set system login class noc-class allow-commands "(ssh)|(ping)"
set system login class noc-class deny-commands "(request)|(start)|(set cli idle-timeout)"
set system login user noc class noc-class
set system login user noc authentication plain-text-password
New password:
Retype new password:
### Exit to shell:
root@r1> exit
### Using the 'su' shell command, change user to 'noc':
root@r1:~ # su noc
### Now, as user 'noc', we can't use the idle-timeout command:
root@r1> set cli idle-timeout
^
syntax error, expecting <command>.
root@r1> set cli idle-timeout
### The 'idle-timeout' knob is missing from the list, because we listed that command under deny-commands:
root@r1> set cli ?
Possible completions:
<[Enter]> Execute this command
authorization Show authorization and authentication information
commands Show list of commands by impact level
directory Show current working directory
history Show list of previous commands
| Pipe through a command
### We can check the authorization for the 'noc' user (notice current user):
root@r1> show cli authorization
Current user: 'noc' login: 'root' class 'noc-class'
Permissions:
view -- Can view current values and statistics
view-configuration-- Can view all configuration (not including secrets)
Individual command authorization:
Allow regular expression: (ssh)|(ping)
Deny regular expression: (request)|(start)|(set cli idle-timeout)
Allow configuration regular expression: none
Deny configuration regular expression: none
### Finally, let's try to configure the router.
### Not allowed, because we only have the view and view-configuration permissions:
root@r2> configure
unknown command.
root@r1>
4. Remote Local Template
By default, RADIUS- or TACACS+-authenticated users use the remote user template and get the class specified in that template, if the remote user template is configured.
In the Junos configuration, a user template is configured in the same way as a regular local user account, except that no local authentication (password) is configured, because authentication is performed remotely on the RADIUS (or TACACS+) server.
set system login user remote class read-only
Next is a configuration example where all RADIUS/TACACS+ users are assigned the full-access class. This happens because we are using the remote user template (notice that no local authentication (password) is configured):
set system login class full-access idle-timeout 10
set system login class full-access permissions all
set system login user remote full-name "TACACS/Radius authenticated user with full access"
set system login user remote class full-access
For the full login flow, please check the following diagram or the Remote Local Template video on YouTube.
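The set-style configuration in sections 3 and 4 is easy to audit offline. The following added example (not from the original page or from Juniper) parses `set system login class ...` and `set system login user ... class ...` lines into per-class permission sets, then reports users whose class grants high-privilege flags, the remote template in particular, and classes with no idle-timeout. The sample config is constructed from the page's commands; the full-access class deliberately omits its idle-timeout so the check fires, and the HIGH_RISK flag list is this example's own choice.

```python
import re

# Constructed sample in the page's set-style format (not a real device dump).
SAMPLE_CONFIG = """
set system login class noc-class idle-timeout 10
set system login class noc-class permissions view
set system login class noc-class permissions view-configuration
set system login class noc-class allow-commands "(ssh)|(ping)"
set system login class noc-class deny-commands "(request)|(start)|(set cli idle-timeout)"
set system login user noc class noc-class
set system login class full-access permissions all
set system login user remote class full-access
"""
# Predefined classes from the page's table; they cannot be modified on the device.
PREDEFINED = {"super-user": {"all"}, "read-only": {"view"}, "unauthorized": set(),
              "operator": {"clear", "network", "reset", "trace", "view"}}
# Flags that hand out full control, a shell or secrets, and so deserve justification (our choice).
HIGH_RISK = {"all", "shell", "maintenance", "secret", "secret-control", "admin-control"}

def parse_login_config(text):
    # classes: name -> {"permissions": set, "idle-timeout": int, "allow-commands": str, ...}
    classes = {name: {"permissions": set(perms)} for name, perms in PREDEFINED.items()}
    users = {}  # user name -> class name
    for line in text.strip().splitlines():
        if m := re.match(r'set system login class (\S+) (\S+) (.+)$', line):
            name, knob, value = m.groups()
            c = classes.setdefault(name, {"permissions": set()})
            value = value.strip('"')  # allow-/deny-commands regexes are quoted
            if knob == "permissions":
                c["permissions"].add(value)
            else:  # idle-timeout, allow-commands, deny-commands, ...
                c[knob] = int(value) if value.isdigit() else value
        elif m := re.match(r'set system login user (\S+) class (\S+)$', line):
            users[m.group(1)] = m.group(2)
    return classes, users

def audit(text):
    # One finding per user/class setting that deserves a second look.
    classes, users = parse_login_config(text)
    findings = []
    for user, cls in users.items():
        c = classes.get(cls, {"permissions": set()})  # undefined class grants nothing
        risky = sorted(c["permissions"] & HIGH_RISK)
        if risky:
            findings.append(f"{user}: class {cls} grants {risky}")
            if user == "remote":  # the template RADIUS/TACACS+ users fall back to
                findings.append("remote: every RADIUS/TACACS+ user mapped to the template inherits these flags")
        if "idle-timeout" not in c:
            findings.append(f"{user}: class {cls} has no idle-timeout")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports nothing for 'noc' and three findings for the remote template, which is the point of section 4: whatever the template's class grants, every remotely authenticated user gets.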