What RADIUS attributes are used for pushing the privilege levels in SRX platform?
If you are talking about administrative permission levels you will want to use the following attributes.
The values are defined by the SRX config.
ATTRIBUTE Juniper-Local-User-Name       Juniper-VSA(1, string) r
ATTRIBUTE Juniper-Allow-Commands        Juniper-VSA(2, string) r
ATTRIBUTE Juniper-Deny-Commands         Juniper-VSA(3, string) r
ATTRIBUTE Juniper-Allow-Configuration   Juniper-VSA(4, string) r
ATTRIBUTE Juniper-Deny-Configuration    Juniper-VSA(5, string) r
ATTRIBUTE Juniper-Interactive-Command   Juniper-VSA(8, string) r
ATTRIBUTE Juniper-Configuration-Change  Juniper-VSA(9, string) r
ATTRIBUTE Juniper-User-Permissions      Juniper-VSA(10, string) r
You can get very granular with these, limiting certain commands to certain interfaces or just to config sections / op commands.
http://www.juniper.net/techpubs/en_US/junos11.1/topics/concept/authentication-regular-expressions-usage-allow-deny-command-overview.html?searchid=1324588522904
Also looking in the device help is a good place. System > Login > Class > [class name] > Permissions ?
[                               Open a set of values
access                          Can view access configuration
access-control                  Can modify access configuration
admin                           Can view user accounts
admin-control                   Can modify user accounts
all                             All permission bits turned on
clear                           Can clear learned network info
configure                       Can enter configuration mode
control                         Can modify any config
field                           Can use field debug commands
firewall                        Can view firewall configuration
firewall-control                Can modify firewall configuration
floppy                          Can read and write the floppy
flow-tap                        Can view flow-tap configuration
flow-tap-control                Can modify flow-tap configuration
flow-tap-operation              Can tap flows
idp-profiler-operation          Can Profiler data
interface                       Can view interface configuration
interface-control               Can modify interface configuration
maintenance                     Can become the super-user
network                         Can access the network
pgcp-session-mirroring          Can view pgcp session mirroring configuration
pgcp-session-mirroring-control  Can modify pgcp session mirroring configuration
reset                           Can reset/restart interfaces and daemons
rollback                        Can rollback to previous configurations
routing                         Can view routing configuration
routing-control                 Can modify routing configuration
secret                          Can view secret statements
secret-control                  Can modify secret statements
security                        Can view security configuration
security-control                Can modify security configuration
shell                           Can start a local shell
snmp                            Can view SNMP configuration
snmp-control                    Can modify SNMP configuration
system                          Can view system configuration
system-control                  Can modify system configuration
trace                           Can view trace file settings
trace-control                   Can modify trace file settings
view                            Can view current values and statistics
view-configuration              Can view all configuration (not including secrets)
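
An added example, not part of the original thread and not Juniper's code: decoding the Juniper VSAs listed above from the raw attribute bytes of a RADIUS reply and flagging broad permission flags from the help output, as a least-privilege check on what the server hands out. Assumptions: Juniper's IANA enterprise number 2636 as the Vendor-Id, space-separated flags in Juniper-User-Permissions, the HIGH_RISK selection, and the constructed sample values.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute type (RFC 2865)
JUNIPER_PEN = 2636     # Juniper Networks IANA enterprise number
# VSA numbers and names as listed in the dictionary quoted in the thread.
JUNIPER_VSA = {1: "Juniper-Local-User-Name", 2: "Juniper-Allow-Commands",
               3: "Juniper-Deny-Commands", 4: "Juniper-Allow-Configuration",
               5: "Juniper-Deny-Configuration", 8: "Juniper-Interactive-Command",
               9: "Juniper-Configuration-Change", 10: "Juniper-User-Permissions"}
# Audit policy assumed for this example: flags from the help output that
# grant broad or escalating access.
HIGH_RISK = {"all", "control", "maintenance", "shell", "secret-control", "admin-control"}

def encode_vsa(vsa_type, value):
    """Wrap one Juniper sub-attribute in a Vendor-Specific attribute."""
    data = value.encode()
    inner = struct.pack("!BB", vsa_type, len(data) + 2) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(inner) + 6, JUNIPER_PEN) + inner

def decode_juniper_vsas(attrs):
    """Return (name, value) pairs for Juniper VSAs in a raw attribute list."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, body = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != JUNIPER_PEN:
            continue  # another vendor's VSA
        j = 4
        while j < len(body):
            if j + 2 > len(body) or body[j + 1] < 2 or j + body[j + 1] > len(body):
                raise ValueError("malformed Juniper sub-attribute")
            name = JUNIPER_VSA.get(body[j], "Juniper-VSA-%d" % body[j])
            out.append((name, body[j + 2:j + body[j + 1]].decode()))
            j += body[j + 1]
    return out

def risky_permissions(pairs):
    """High-risk flags granted via Juniper-User-Permissions (space-separated, assumed)."""
    granted = set()
    for name, value in pairs:
        if name == "Juniper-User-Permissions":
            granted.update(value.split())
    return sorted(granted & HIGH_RISK)

# Constructed sample: Service-Type plus two Juniper VSAs; "ops-template" is made up.
SAMPLE = (bytes([6, 6, 0, 0, 0, 6]) + encode_vsa(1, "ops-template")
          + encode_vsa(10, "view configure shell"))
```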