Privilege level for Junos OS

We use Unix authentication to authenticate to Juniper devices running the Junos operating system (Junos OS).

This help topic describes how to create a custom login class with the least privileges required for scanning, and how to associate the scan user account with that class.

Overview

Junos OS lets you grant access permissions for operational mode commands and for configuration hierarchy levels and statements. Users can then execute only the commands, and configure or view only the statements, for which they have access privileges. You can use extended regular expressions to specify which operational mode commands, configuration statements, and hierarchies are allowed or denied for a user. This prevents unauthorized users from executing or configuring sensitive commands and statements that could damage the network.

Junos OS uses login classes to assign permissions to groups of users. Each user must be part of a login class. You can define a custom login class with the permissions you want to grant to the scan user account.

Permissions required for scanning

The following permission flags provide the least privileges required for scanning devices running Junos OS. This set of flags allows the scan user account to view information but not to modify it.

Permission flag   Description

admin             Can view user account information in configuration mode and with the show configuration operational mode command.
interface         Can view the interface configuration in configuration mode and with the show configuration operational mode command.
routing           Can view general routing, routing protocol, and routing policy configuration information in configuration and operational modes.
shell             Can start a local shell on the router or switch by using the start shell command.
snmp              Can view Simple Network Management Protocol (SNMP) configuration information in configuration and operational modes.
system            Can view system-level information in configuration and operational modes.
view              Can use various commands to display current system-wide, routing table, and protocol-specific values and statistics. Cannot view the secret configuration.

How to create a custom login class with permissions for the scan user

Follow the steps below to create a custom login class and grant it the least-privilege permissions at the required hierarchy levels. Then add the scan user account to this class.

1) Create the custom login class. In this example, the new class is "mytestclass":

[edit system login]
root@pcavmx14# edit class mytestclass ?
Possible completions:
  <[Enter]>            Execute this command
  |                    Pipe through a command

2) Enter the new custom login class hierarchy level and list the available permission flags with set permissions ? (the completion list continues beyond the flags shown here):

[edit system login class mytestclass]
root@pcavmx14# set permissions ?
Possible completions:
  [                    Open a set of values
  access               Can view access configuration
  access-control       Can modify access configuration
  admin                Can view user accounts
  admin-control        Can modify user accounts
  all                  All permission bits turned on
  clear                Can clear learned network info
  configure            Can enter configuration mode
  control              Can modify any config
  field                Can use field debug commands
  firewall             Can view firewall configuration
  firewall-control     Can modify firewall configuration
  floppy               Can read and write the floppy
  flow-tap             Can view flow-tap configuration
  flow-tap-control     Can modify flow-tap configuration

3) Assign the required permission flags to the custom login class. You can give multiple permission flags in one command, as shown here, or use separate set commands.

[edit system login class mytestclass]
root@comvmx14# set permissions interface permissions system permissions snmp permissions routing permissions view permissions shell permissions admin

4) Create the scan user account and associate it with the custom login class. In the following example, the user "scanuser" is assigned to the class "mytestclass". The class holds only view permission flags, so the user will not be able to modify information.

[edit system login]
root@comvmx14# set user scanuser class mytestclass
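The four steps above as one complete configuration, added here as an example; it is not taken from the original help topic or from Juniper documentation. It keeps the class name mytestclass, the user name scanuser and the seven permission flags from the table, and assumes three things the steps do not specify: the idle-timeout value, the anchored deny-commands regular expression (the allow/deny mechanism described in the Overview), and that the password is set interactively with plain-text-password. Lines beginning with # are explanatory comments for the reader and are not typed.

```junos
# Added example: the mytestclass login class and scanuser account from the
# help topic, entered at the [edit] prompt in configuration mode. Lines
# starting with # are comments for the reader, not commands.

# Steps 1 and 3: create the class and assign the seven read-only permission
# flags from the table (one flag per line is equivalent to the single
# multi-flag command shown in step 3).
set system login class mytestclass permissions admin
set system login class mytestclass permissions interface
set system login class mytestclass permissions routing
set system login class mytestclass permissions shell
set system login class mytestclass permissions snmp
set system login class mytestclass permissions system
set system login class mytestclass permissions view

# Assumed hardening, not part of the topic's steps: drop an idle scanner
# session after 10 minutes, and deny the clear, request and restart command
# families with an anchored extended regular expression (the mechanism from
# the Overview). The class holds no clear or maintenance permission bits, so
# this is only a second layer, and none of these commands is needed to scan.
set system login class mytestclass idle-timeout 10
set system login class mytestclass deny-commands "^(clear|request|restart)"

# Step 4: the scan account, bound to the class. plain-text-password prompts
# for the password and stores only its hash in the configuration.
set system login user scanuser class mytestclass
set system login user scanuser authentication plain-text-password

# Validate the candidate configuration, then activate it.
commit check
commit and-quit
```

After the commit, the operational mode command show configuration system login class mytestclass displays the class with its permission flags, and logging in as scanuser and running show cli authorization lists the permissions and the deny regular expression that Junos OS actually applies to that session. The quickest read-only check is that the scanuser login cannot enter configuration mode at all, because the class omits the configure flag from the list in step 2. The shell flag is part of the required set in the table and permits start shell; confirm that your scanner needs it in your environment before keeping it.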