Introduction to the Junos Operating System

Question: Which permission option would allow the user nancy to clear the interface statistics on the ge-0/0/0 interface?

Answer: The clear permission option would allow this behavior.

Step 1.14

Return to the original session opened to the lab user.

From the session opened to the lab user attempt to add the clear permission to the default read-only login class. Issue the show command to view the system login hierarchy.

[edit system login]

lab@srxA-1# set class read-only permissions clear

warning: 'read-only' is a predefined class name; changing to 'read-only-local'

[edit system login] lab@srxA-1# show class juniper {

permissions [ reset view view-configuration ];

}

class read-only-local { permissions clear;

}

user lab { uid 2000;

class super-user; authentication {

encrypted-password "$1$mKkMA9pa$AUZPO2UJ9rWwOfp4Kb2/a1"; ## SECRET-DATA

}

}

user nancy { uid 2003;

class read-only; authentication {

encrypted-password "$1$sg4t2qIv$E3E5PQftT//p1PiswUgfS/"; ## SECRET-DATA

}

}

user walter { uid 2004;

class juniper; authentication {

encrypted-password "$1$BH89uJ/p$eNBGRpAVxSXzOhbxjjgi90"; ## SECRET-DATA

}

}

Introduction to the Junos Operating System

Question: What happened when you added the clear permission to the read-only login class?

Answer: Because you cannot alter predefined login classes, the Junos OS created a new login class named read-only-local that is not associated with any user.

Question: How can you add the clear permission for the user nancy?

Answer: You must define a new custom login class for this functionality.

Step 1.15

Navigate to the top of the configuration hierarchy and configure a RADIUS server for use with user authentication. Refer to your management network diagram for the server address. The RADIUS secret should be Juniper. Configure the authentication order so that user login attempts use only local password authentication if the RADIUS server is unreachable. Use commit to activate the changes.

[edit system login] lab@srxA-1# top

[edit]

lab@srxA-1# set system radius-server RADIUS server secret Juniper

[edit]

lab@srxA-1# set system authentication-order radius

[edit]

lab@srxA-1# commit commit complete

[edit] lab@srxA-1#

Introduction to the Junos Operating System

Question: Must you include password in the authentication order to enable this behavior?

Answer: No. If an authentication method is unavailable because of a network or server outage, the software automatically consults the local password database.

Step 1.16

Return to the secondary Telnet session opened to you student device

From the secondary Telnet session in which the user nancy is logged in, issue the exit command to log out. Test the RADIUS server by reconnecting to the Telnet session and try to log back in as nancy.

nancy@srxA-1> exit

srxA-1 (ttyp0)

login: nancy Password:

Login incorrect login:

Question: Were you able to log in as nancy?

Answer: No. In this case, the server defined is actually reachable, and it is not configured with the nancy username.

Step 1.17

In the previous lab step, the defined RADIUS server was reachable. Because you did not define the username on the RADIUS server, the RADIUS server rejected the authentication. Therefore, the software did not consult the local password database.

Return to the original session opened to the lab user.

From the session opened to the lab user and change the IP address of the RADIUS server to 10.1.1.1. You can use the rename command for this change. Do not forget to issue commit to activate the change.

[edit]

lab@srxA-1# rename system radius-server RADIUS server to 10.1.1.1

[edit]

lab@srxA-1# commit commit complete