Creating custom login classes for users on Juniper

When we were working with users in the previous lesson, we saw that to create a new user we always need to assign a class before we can save the configuration; otherwise the commit command gives us an error message saying that a class is required.

A class is nothing more than the set of permissions that you grant to a user.

By default, Juniper provides 4 predefined classes, as shown below:

[edit system login user Maher]
Maher@R1# set class ?
Possible completions:
  <class>              Login class
  operator             permissions [ clear network reset trace view ]
  read-only            permissions [ view ]
  super-user           permissions [ all ]
  unauthorized         permissions [ none ]

Let’s go through each one:

  • Class operator: users belonging to this class can run commands related to clear, network, reset, trace and view.
  • Class read-only: users belonging to this class can only view the configuration on the router.
  • Class super-user: users belonging to this class have full permission to do anything on the Juniper router.
  • Class unauthorized: users belonging to this class have no permissions on the Juniper router.

Again, those classes are provided by default on the Juniper router and you can use them as they are. However, you can also create a custom class in which you define exactly what its users can do. For example, if you have a junior engineer and you want to give him only view, ping and traceroute access on the router, you can create a dedicated class for him and assign it to his account.

Let’s apply a LAB now to play with the classes.

I want to create a new user called Simon, allow him to log in on weekdays from 8:00 to 17:00, let him run ping, and let him change only the configuration under the system hierarchy level.

Let’s start by creating the user and giving him a password:

Maher@R1# set system login user Simon authentication plain-text-password
New password:
Retype new password:

[edit]
Maher@R1#

The user has been created successfully.

Let’s create a custom class (I will call it Simonclass) and set the days on which login is allowed:

Maher@R1# edit system login class Simonclass

[edit system login class Simonclass]
Maher@R1# set allowed-days [monday tuesday wednesday thursday friday]

[edit system login class Simonclass]
Maher@R1# show
allowed-days [ monday tuesday wednesday thursday friday ];

[edit system login class Simonclass]
Maher@R1#

The class has been created successfully. Now we need to define the time of day during which login is allowed:

[edit system login class Simonclass]
Maher@R1# set access-start 08:00 access-end 17:00

[edit system login class Simonclass]
Maher@R1# show
allowed-days [ monday tuesday wednesday thursday friday ];
access-start "08:00:00 +0100";
access-end "17:00:00 +0100";

[edit system login class Simonclass]
Maher@R1#

Now I need to allow him to run ping:

[edit system login class Simonclass]
Maher@R1# set allow-commands ping

[edit system login class Simonclass]
Maher@R1# show
allowed-days [ monday tuesday wednesday thursday friday ];
access-start "08:00:00 +0100";
access-end "17:00:00 +0100";
allow-commands ping;

[edit system login class Simonclass]
Maher@R1#

The last thing I need to grant on this class is the ability to change anything under the system hierarchy level. To do that, users in this class must first be allowed to enter configuration mode, and then be allowed to modify the system hierarchy level. So I need to do 2 things:

  • Grant access to configuration mode
  • Grant access to the system hierarchy level

Let’s start with the 1st one:

[edit system login class Simonclass]
Maher@R1# set permissions configure

[edit system login class Simonclass]
Maher@R1# show
allowed-days [ monday tuesday wednesday thursday friday ];
access-start "08:00:00 +0100";
access-end "17:00:00 +0100";
permissions configure;
allow-commands ping;

[edit system login class Simonclass]
Maher@R1#

Let’s now give him permission to modify the system hierarchy level:

[edit system login class Simonclass]
Maher@R1# set permissions system?
Possible completions:
  system               Can view system configuration
  system-control       Can modify system configuration

[edit system login class Simonclass]
Maher@R1# set permissions system-control

[edit system login class Simonclass]
Maher@R1# show
allowed-days [ monday tuesday wednesday thursday friday ];
access-start "08:00:00 +0100";
access-end "17:00:00 +0100";
permissions [ configure system-control ];
allow-commands ping;

[edit system login class Simonclass]
Maher@R1#

Among the permissions you can see both "system" and "system-control". If you choose "system", users belonging to this class can only view the "system" level; we need Simon to be able to edit the system level, which is why I chose "system-control".

The class configuration is now finished. The remaining step is to assign the class to the user Simon and commit the configuration. Let’s do it:
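As an added example that is not part of the lesson, the following Python script parses the final "show" output of Simonclass above and evaluates whether a login at a given moment falls on an allowed day and inside the access window. The helper names are hypothetical, the sample text is constructed from the output shown above, and the script assumes the window is evaluated in the offset the router printed (+0100) with inclusive boundaries; it does not model how Junos itself applies permissions or allow-commands.

```python
import re
from datetime import datetime, time, timedelta, timezone

# Constructed sample: the final "show" output of class Simonclass in this lesson.
SIMONCLASS = """
allowed-days [ monday tuesday wednesday thursday friday ];
access-start "08:00:00 +0100";
access-end "17:00:00 +0100";
permissions [ configure system-control ];
allow-commands ping;
"""
WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

def _parse_tz(offset):
    """Turn the printed '+0100' suffix into a fixed-offset timezone."""
    sign = 1 if offset[0] == "+" else -1
    return timezone(sign * timedelta(hours=int(offset[1:3]), minutes=int(offset[3:5])))

def parse_login_class(text):
    """Parse the 'show' text of a login class into a policy dict (hypothetical helper)."""
    policy = {"allowed_days": set(range(7)), "start": None, "end": None,
              "tz": None, "permissions": set(), "allow_commands": None}
    m = re.search(r"allowed-days \[([^\]]*)\];", text)
    if m:  # no allowed-days statement means every day is allowed
        policy["allowed_days"] = {WEEKDAYS.index(d) for d in m.group(1).split()}
    for which in ("start", "end"):
        m = re.search(r'access-%s "(\d\d):(\d\d):(\d\d) ([+-]\d{4})";' % which, text)
        if m:
            policy[which] = time(int(m.group(1)), int(m.group(2)), int(m.group(3)))
            policy["tz"] = _parse_tz(m.group(4))
    m = re.search(r"permissions (\[([^\]]*)\]|\S+);", text)
    if m:  # either a single flag or a bracketed list of flags
        policy["permissions"] = set((m.group(2) or m.group(1)).split())
    m = re.search(r'allow-commands "?([^";]+)"?;', text)
    if m:
        policy["allow_commands"] = m.group(1)
    return policy

def login_permitted(policy, when):
    """True if a login at 'when' (aware datetime or ISO-8601 string with offset)
    is on an allowed day and inside the window, evaluated in the offset the router
    printed (+0100 here). Inclusive boundaries are an assumption of this example."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if policy["tz"] is not None:
        when = when.astimezone(policy["tz"])
    on_allowed_day = when.weekday() in policy["allowed_days"]
    after_start = policy["start"] is None or when.time() >= policy["start"]
    before_end = policy["end"] is None or when.time() <= policy["end"]
    return on_allowed_day and after_start and before_end
```

Note that 16:30 UTC on a Friday is 17:30 in the router's +0100 offset, so it is refused even though it looks like it is before 17:00.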

Maher@R1# edit system login user Simon

[edit system login user Simon]
Maher@R1# set class Simonclass

[edit system login user Simon]
Maher@R1# commit
commit complete

[edit system login user Simon]
Maher@R1#

This is all I wanted to show you in this lesson. I hope you enjoyed it, and see you in the upcoming one 😊
