Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Unauthorized Login class

    Posted 05-30-2014 01:49

    I am trying to understand in what situation the Unauthorized login class is useful.

     

    One book said "The unauthorized login class is typically used in conjunction with the syslog function in situations where administrator doesn't allow a user to do anything, but want to track user attempts"

     

    QUESTIONS:

    1. I believe that if I have a local user with the unauthorized class, whenever he logs in, that will appear in syslog.

    What will happen if I log in as a non-existing local user?

    Will it appear in syslog as well?

    Is there any difference between the syslog report for a non-existing user and an unauthorized local user?

     

    thanks


    #syslog


  • 2.  RE: Unauthorized Login class

     
    Posted 05-30-2014 02:06

    I don't see any difference.

     

    EX4200-2 is trying to log in to EX4200-1, first with a user that is not configured (no-user) and then with a user from the 'unauthorized' class (una-user). I put in a wrong password on purpose when I tried to log in with una-user.

     

     

    {master:0}[edit]
    root@EX4200-1# May 30 10:53:28  EX4200-1 last message repeated 2 times
    May 30 10:53:37  EX4200-1 sshd[61412]: %AUTH-6: Failed password for no-user from 172.30.145.204 port 54833 ssh2
    May 30 10:53:37  EX4200-1 sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'no-user' from host '172.30.145.204'
    May 30 10:53:40  EX4200-1 sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'no-user' from host '172.30.145.204'
    May 30 10:53:40  EX4200-1 sshd[61412]: %AUTH-6: Failed password for no-user from 172.30.145.204 port 54833 ssh2
    May 30 10:53:59  EX4200-1 sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'no-user' from host '172.30.145.204'
    May 30 10:53:59  EX4200-1 sshd[61412]: %AUTH-6: Failed password for no-user from 172.30.145.204 port 54833 ssh2
    May 30 10:54:14  EX4200-1 sshd: %AUTH-5-SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'no-user'
    May 30 10:54:14  EX4200-1 sshd[61412]: %AUTH-6: Disconnecting: Too many password failures for no-user [preauth]
    May 30 10:54:14  EX4200-1 inetd[1285]: %DAEMON-4: /usr/sbin/sshd[61412]: exited, status 255


    {master:0}[edit]
    root@EX4200-1#

     

     

    {master:0}[edit]
    root@EX4200-1# May 30 10:56:10  EX4200-1 sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'una-user' from host '172.30.145.204'
    May 30 10:56:10  EX4200-1 sshd[61809]: %AUTH-6: Failed password for una-user from 172.30.145.204 port 57583 ssh2
    May 30 10:56:22  EX4200-1 sshd[61809]: %AUTH-6: Accepted password for una-user from 172.30.145.204 port 57583 ssh2


    {master:0}[edit]
    root@EX4200-1#

     

    After you log in with an unauthorized class user, this is what you get:

     

    {master:0}[edit]
    root@EX4200-2# run ssh una-user@172.30.145.153   
    una-user@172.30.145.153's password:
    --- JUNOS 12.3R5.7 built 2013-12-18 01:32:43 UTC
    warning: user "una-user" does not have a valid login class

    error: Unable to authenticate: bad auth parameter.
    Login as root and 'commit' the configuration.
    {master:0}
    una-user@EX4200-1> exit

    Connection to 172.30.145.153 closed.

    {master:0}[edit]
    root@EX4200-2#


    =====

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 3.  RE: Unauthorized Login class
    Best Answer

    Posted 05-31-2014 04:14

    Very good question. There are two differences though. A non-existent user attempting to log in would show login attempt failed. An existing user with an incorrect password will show login attempt failed, and there is no difference in the logs that would indicate which is which. However, the user in the unauthorised class is still allowed to log in. He just cannot do anything in the console. Then you as the Admin would know exactly which unauthorised users are logging in. It is useful if a previous user was moved to a different department, or is no longer allowed to make configuration changes, and you want to track that user's disregard for policies; then you will have the logs to take to HR. You do not change the password for the user, you just change the login class.
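    The two replies above make the same point from the log side: a failed attempt looks identical whether the user does not exist or just typed a bad password, while a user in the unauthorized class still produces an "Accepted password" line and then can do nothing. The following is an added example written for this thread, not code from Juniper or from any poster, showing how a defender could parse the SSHD_LOGIN_FAILED, SSHD_LOGIN_ATTEMPTS_THRESHOLD and "Accepted password" lines shown in reply 2 and flag successful logins by unauthorized-class accounts. The sample lines are constructed from the thread's output, and the `known_users` lookup (user name to login class) is an assumption standing in for an export of the device's configured users.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the EX4200-1 syslog output in this thread.
# The AUTH-6 "Failed password" line is included on purpose: the parser counts
# only the SSHD_LOGIN_FAILED event so each attempt is counted once.
SAMPLE_LOG = """\
May 30 10:53:37  EX4200-1 sshd[61412]: %AUTH-6: Failed password for no-user from 172.30.145.204 port 54833 ssh2
May 30 10:53:37  EX4200-1 sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'no-user' from host '172.30.145.204'
May 30 10:53:40  EX4200-1 sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'no-user' from host '172.30.145.204'
May 30 10:53:59  EX4200-1 sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'no-user' from host '172.30.145.204'
May 30 10:54:14  EX4200-1 sshd: %AUTH-5-SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (3) reached by user 'no-user'
May 30 10:56:10  EX4200-1 sshd: %AUTH-5-SSHD_LOGIN_FAILED: Login failed for user 'una-user' from host '172.30.145.204'
May 30 10:56:22  EX4200-1 sshd[61809]: %AUTH-6: Accepted password for una-user from 172.30.145.204 port 57583 ssh2
"""

FAILED_RE = re.compile(
    r"SSHD_LOGIN_FAILED: Login failed for user '(?P<user>[^']+)' from host '(?P<host>[^']+)'")
THRESH_RE = re.compile(
    r"SSHD_LOGIN_ATTEMPTS_THRESHOLD: .* reached by user '(?P<user>[^']+)'")
ACCEPT_RE = re.compile(
    r"Accepted password for (?P<user>\S+) from (?P<host>\S+) port")


def summarize(log_text):
    """Per-user view of the log: failed count, threshold hit, accepted login, source hosts."""
    stats = defaultdict(lambda: {"failed": 0, "threshold": False,
                                 "accepted": False, "hosts": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            stats[m["user"]]["failed"] += 1
            stats[m["user"]]["hosts"].add(m["host"])
            continue
        m = THRESH_RE.search(line)
        if m:
            stats[m["user"]]["threshold"] = True
            continue
        m = ACCEPT_RE.search(line)
        if m:
            stats[m["user"]]["accepted"] = True
            stats[m["user"]]["hosts"].add(m["host"])
    return dict(stats)


def classify(summary, known_users):
    """
    Label each user seen in the log. known_users maps configured user names to
    their login class; it is an assumed external lookup, because, as the thread
    notes, the failure lines alone cannot tell a non-existent user from a bad password.
    """
    labels = {}
    for user, s in summary.items():
        if user not in known_users:
            labels[user] = "unknown-user"
        elif s["accepted"] and known_users[user] == "unauthorized":
            # Authenticated but cannot run anything: exactly the event to alert on.
            labels[user] = "unauthorized-class-login"
        elif s["accepted"]:
            labels[user] = "normal-login"
        else:
            labels[user] = "bad-password"
    return labels


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for user, label in classify(summary, {"una-user": "unauthorized"}).items():
        print(f"{user}: {label}, failed={summary[user]['failed']}, "
              f"threshold={summary[user]['threshold']}, accepted={summary[user]['accepted']}")
```

    Feeding the device's syslog into `summarize()` and the user list into `classify()` turns the "unauthorized class as a tripwire" idea from reply 3 into a concrete alert: any `unauthorized-class-login` label is a successful authentication by an account that is meant to be able to do nothing.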



  • 4.  RE: Unauthorized Login class

    Posted 06-10-2014 17:04

    I actually use the unauthorized class in conjunction with RADIUS authentication so that when users log into a switch they should not be configuring, I don't get an error message for invalid credentials.

     

    Help desk has limited access to some switches (show commands etc, but unauthorized to everything else)



  • 5.  RE: Unauthorized Login class

    Posted 06-10-2014 18:02

    @agarrison wrote:

    I actually use the unauthorized class in conjunction with RADIUS authentication so that when users log into a switch they should not be configuring, I don't get an error message for invalid credentials.

     

    Help desk has limited access to some switches (show commands etc, but unauthorized to everything else)


    agarrison,

    I understand that the unauthorized class can't do anything, but your reply said they can still do show commands.

    QUESTIONS:

    Based on your experience:

    1. What commands can a user still run in the unauthorized class?

    2. I understand that I can create a user in RADIUS and locally.

    The authentication order will choose who wins.

    Now, where do you create the Unauthorized user: locally, in RADIUS, or both?

    I am not very sure how to specify an Unauthorized user in RADIUS.

    Please explain.

     

    thanks