41. User Accounts
Let’s now talk about user accounts, user accounts provide a way for users to access the Junos device. When you create a user account on a journalist device, a home directory gets assigned to the user. The path for which is/V.A./home,/the user name of the device. Normally, when you’re creating a user account, the user account is being created locally on the Junos device. However, it does not always have to be that way. Users can access the device without accounts on the local Junos device. If radians or TAC X plus servers have been configured. If this is the first time you’re coming across these terms, radius and tack X plus are centralized user management services so user accounts can be locally configured on the Junos device. They can also be created on centralized user management services like radius or TAC X plus. When you define a user account on a Junos device, we can provide this information. So the first thing is user name, which is a unique string. It can be up to 64 characters in length without spaces, Collins or commas. Next, we can provide a user identifier.
This is a numeric identifier associated with the user name. You can provide this manually or when you commit the configuration, Junos will automatically generate a user identifier for the user optionally. We can also provide a full name. We must associate every user with a log in class and we must also provide an authentication method. Let’s understand how to create a user account from the Junos terminal. All right, I’m here at the Junos terminal. I’ll first enter the configuration mode and I’ll navigate to the edit system log in configuration hierarchy. This is where we can configure the user from. So let’s start with set space question mark. And here we have the key word called user. And here we can define the user name. I can see there’s an existing user over here. So let’s provide a new user name. Let’s call this guy as Admon. Then we need to provide a log in class. The keyword is class. And I’m going to assign the super user class to this person next week and provide a user identifier. If we wanted to, it’s not mandatory. If you do not provide a user I.D., Junos will automatically generate one for you when you commit. You can provide a full name if you wanted to.
And here’s the keyword to set the authentication method. So I’ll say authentication question mark. And here we have different options for authentication. Plain text password is one of the most commonly used methods. So if I did plain text password and I pressed enter, I would have to provide a password for that user. If we want to provide an encrypted password string, you can use this option over here called encrypted password string. Make sure that the password has already been encrypted before you use that option. If you want to load a key file that’s containing SS Sege Keys generated using the SSH Key Gen Command, then you can use this option here. Load key file if you want to completely disable SSH public key based authentication. You can say no public keys or if you want to provide an SS age public keys string generator using one of these protocols here or one of these algorithms here, RSA, SDLC and eighty two five five one nine. Then you can use any of these options over here. Right now I’m going to do plain text, password and press enter and I’ll provide a password here and that’s configured. So if I do a show here, you can see here’s the user we configured user Radman. He has a class and the authentication is set to encrypted password. And that’s because Junos will automatically encrypt your passwords. So even though we configured it as plain text password, when Junos saves the password, it encrypts it automatically.
One difference you will notice over here is that this user does not have a user I.D. while this one has. And the reason is when you commit the configuration, it will automatically generate a user I.D. for you. So I’m going to say top commit, by the way. Here’s a tip for you. If you want to perform a command that can be executed from the top of the configuration hierarchy. You can prefix that with top. So like this here, I’m saying tup commit. So this is like doing commit from the top of the configuration hierarchy. Top comment, press enter. And if I do show now, I can see that this user also has a user I.D. So let’s try to log in. Could exit out from here. And let’s do a Sensage Admon at the IP address of the device. Enter the password. And I’m logged into the device, so that’s how we can configure a user account. And important to keep in mind, user accounts do not have to be configured on the Junos device only. They can also be configured on centralized user management services like radius and tack hacks plus.
42. Authentication methods
Let’s talk about Junos authentication methods. We’ll understand the different ways in which a user can authenticate into a Junos device. So Juno supports three authentication methods. The first one is local password authentication, where the user name and password of a user is configured locally on the Junos device. The other two methods, radius and tack X plus they are remote, centralized user management services. So we’ve got radius, which stands for remote authentication, dial and user service. And then we have TAC X Plus, which stands for Terminal Access Controller Access Control System. Plus with local password authentication, the user name and password of the user is configured on the Junos device. If you’re a small organization or let’s say if you have small number of devices to manage, this is usually not a problem. Every time you need to create a user, you configure them locally on every Junos device.
But imagine if you’re an organization having hundreds of Junos devices that can quickly become a problem, because every time you need to add a user, you would have to update that on every Junos device. Every time you want to revoke the access or every time you want to delete the user account, you would have to delete it from every Junos device. Instead, what we can do is set up a server which acts as a central user management service and forward all authentication requests from the Junos device to the central user management system. That is what radius and tac x plus are radius and tag X plus are distributed client and server systems. When we configured this, the Junos device will act as a client. So it will make authentication request to the radius server or to the tac x plus server. So radius and tac x plus are configured on a server and the Junos device acts as a client and makes a request to these devices. The Junos device can be configured to act as both a radius and attack X plus client. What that means is on the same Junos device, we can use both radius and tack X plus for authenticating users.
So here’s how it works. We have a user. We have a Junos device and we have a server which is configured as radius or tac X plus, when the user tries to authenticate, the user will authenticate normally where he’ll try to send a request to a Junos device. The Junos device will forward the request to the configured radius or tack X plus server. There’s a couple of things that we should keep in mind, and this is very, very important for each log attempt. Junos tries the authentication methods in order until the password is accepted. And if the previous authentication method failed to reply, or if the method rejected the logging attempt, the next method is tried. This is very, very important. So let’s look at it one more time. Every time you try to logon, Junos will try the authentication methods in the order in which they are configured until the password is accepted. And if the previous authentication method failed to reply or if the method rejected the logging attempt, the next method will be tried.
Let me show you some examples. So here’s the authentication configuration under edit system authentication order. We’ve configured radius tac x plus and password. So we are using all the three authentication methods. We have the user. We have the Junos device. We have the radius server, TAC, X plus server and the local password authentication database. When the user sends in a request, the Junos device will follow the configured order. In this case, it’s radius first. So the requests will be forced to enter the radius server. Let’s say the radius server rejected your authentication attempt. Maybe you typed in incorrect credentials. Remember, if the first method is rejected, Junos will try the next method. So even though the radius server rejected your attempt, the Junos device will then try the tack X plus server. If the TAC has X plus server also rejects you attempt, then it will try the local password authentication database. So the Junos device will try every authentication method in order until the password is accepted. And if the previous attempt is rejected, it will automatically try the next one. Let’s look at one more example. So here’s the configuration.
We’ve made a small change here under edit system authentication order. We’ve configured only radius and tack X plus we’ve removed the local password authentication. So, again, we have the user. We have the Junos device. We have the radius server, tech X plus server. And even though we’ve not used this, I still have it in the picture. Now the user sends in a request. The Junos device will start by forwarding this to the radius server. Let’s say the radius server rejects your attempt because you typed in incorrect credentials. In that case, the Junos device will forward this to the tag X plus server. Now, here’s the question, what would happen if the tac x plus server also rejected the authentication attempt? Will Junos forward this to the local authentication database? If you said no, that is the right answer. Junos will not forward this to the local authentication database because it’s not a configured authentication method. So even though these two methods rejected your attempt, since local password authentication is not configured as an authentication method, it will not be tried. Let’s look at one more situation. We have the same configuration here under edit system authentication order. We’ve configured radius and attack X plus. We do not have local password authentication. But this time the situation is different. The user sends a request to the Junos device.
The Junos device will start by forwarding this to the radius server because that is the first configured method. Now, let’s say this time the radius server is down. In the earlier example, the authentication attempt was rejected, but this time the radius server is down. In that case, Junos will try to contact the next authentication method, which is tac x plus. Now let’s see. This is also down. So the two configured authentication methods are down. Here’s the question. Will Junos try the third method? Local authentication database? If you said yes, that’s the right answer, because they configured authentication methods have not responded. So Junos will automatically fall back to the local authentication database. So these three scenarios are very important to remember from the examination perspective. The key takeaway here is that authentication can be configured locally on the device, or the Junos device can also be configured to forward the authentication attempts to a remote user management system like radius or TAC X plus.
43. Introduction to Interfaces
Let’s now talk about interfaces on a Junos device interfaces are primarily used to connect a device to a network. However, that’s not the only function interfaces are used for some interfaces are also used to provide a specific service or a specific function for the system. For example, we have interfaces that are used to provide encryption services. We also have interfaces that are used to provide tunneling services and so on. Interfaces can be physical or logical. And this is one of the first things you will notice when you start working on a Junos device. Every physical interface has a logical portion to it. The physical interface is an actual device that we can touch and a cable of some sort goes into it. While a logical interface is an entity represented in software that has a protocol and a network address assigned to it. Every physical interface will have a logical interface associated with it. Let’s not talk about the types of interfaces, primarily, we have five types of interfaces, management interfaces, internal interfaces, network interfaces, service interfaces and loopback interfaces.
Let’s start with the first one called as a management interface. And just like the name suggests, this is a dedicated interface used to connect with the Junos device for management purposes. The designation of this interface is platform specific, common designations include F XP 0 and M e 0. So here’s an example of a Junos SRX device, the port that you can see here, which is marked as M GMT. That is the dedicated management port. Make a note that this is different from the console port. So this one is purely used for management purposes. Let’s now talk about the internal interface. This is used to provide communication between the routing engine and the packet forwarding engine. This is automatically configured by the software when the device boots up again. The designation for this interface is platform specific. Common designations include F be one and E M 0. Let’s not talk about the network interface, which is the most common interface type. This is used to provide physical connections to other devices and examples include the most common one, like Ethernet Sonnett a.T.M interfaces, also known as asynchronous transfer mode interfaces. You have T1 interfaces and DSF three interfaces. Here’s an image of an S or X device.
All these interfaces that you see here are Ethernet interfaces. And these are used to connect the SRX device to the network. Let’s move on to the next one called as a service interface, service interfaces are used to provide one or more traffic manipulating services such as encapsulation, encryption, tunnelling and link services. Service interfaces may be provided to a physical interface card or through software. What that means is you may have a dedicated hardware like a card that goes into an interface slot in an SRS device that can be used to provide the service interface functionality, or sometimes it may also be provided to software. Examples of service interfaces. You have the E. S interface, which is the encryption interface. We then have G.R., which is the generic routing encapsulation or the GRV interface. Then we have the IP interface, which represents IP over IP encapsulation interface. We then have Eliscu, which is link services, queuing interface, S.T. interface, which is secure tunnel interface. You then have tap interface, which is an internally generated interface to monitor and record traffic during passive monitoring.
An important thing to keep in mind that not all of these service interfaces are configurable. Some of them are configurable, while some of them cannot be configured. They’re automatically managed by the Junos software. In a nutshell, a service interface is used to provide some specific functions or special services on the Junos device. And finally, we have the Lubeck interface. This is also a very popular interface type traffic center. The Lubeck interface is addressed to the same device. If this is the first time you’re coming across Lubeck interfaces, these are special interfaces which are used to represent the device itself. Any traffic that you throw at the Lubeck interface will come back at you because the Lubeck interface represents the device itself. The designation for this interface on the Junos device is L o 0 on all Junos platforms.
It is used to identify the device itself. And is the preferred method to determine if the device is online. One of the reasons why Lubeck interfaces are so popular is because compared to the other interfaces which can get removed or whose addresses can get changed over time or with changes in topology, the Lubeck interface never changes. It’s constant. So anytime you want to check the device status, you can simply look at the status of the loopback interface because the Lubeck interface is the device itself. It represents the device itself. A common use case for a Lubeck interface is applying firewall filters. When you apply a firewall filter on a loopback interface, you can control packets originating from or distained for the routing engine itself because the Lubeck interface represents the Junos device itself. This is one example that we’re going to configure later on in this course when we talk about firewall filters.
