Specifications
Page 114 /148
With local password authentication, you configure a password for each user
allowed to log into the router.
RADIUS and TACACS+ are authentication methods for validating users who
attempt to access the router using Telnet. Both are distributed client-server
systems: the RADIUS and TACACS+ clients run on the router, and the server
runs on a remote network system. For TACACS+, the JUNOS software supports
authentication but does not support authorization.
You can configure the router to be both a RADIUS and TACACS+ client, and you
can also configure authentication passwords in the JUNOS configuration file.
You can prioritize the methods to configure the order in which the software tries
the different authentication methods when verifying user access.
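As an added illustration (not configuration taken from the evaluated document), the following JUNOS configuration fragment puts the preceding description into practice: the router is a RADIUS and a TACACS+ client, a local password is configured for one user, and authentication-order sets the sequence in which the methods are tried. The server addresses, the secrets, and the user name are placeholders chosen for this example.

```junos
/* Added example, not part of the original document. Addresses, secrets
   and the user name are placeholders. */
system {
    /* Methods are tried in this sequence; listing password last keeps a
       local account usable when the remote servers cannot be reached. */
    authentication-order [ radius tacplus password ];

    /* RADIUS client settings: the server runs on a remote host. */
    radius-server {
        192.0.2.10 {
            secret "PLACEHOLDER-RADIUS-SECRET";   /* shared secret with the server */
            timeout 5;                            /* seconds to wait per request */
            retry 3;                              /* attempts before giving up */
        }
    }

    /* TACACS+ client settings: used for authentication only. */
    tacplus-server {
        192.0.2.20 {
            secret "PLACEHOLDER-TACACS-SECRET";
            timeout 5;
        }
    }

    /* Local password authentication: one entry per user allowed to log in. */
    login {
        user darius {
            class operator;
            authentication {
                encrypted-password "PLACEHOLDER-HASH";   /* hashed, never plaintext */
            }
        }
    }
}
```

Placing a remote method first means a reachable RADIUS or TACACS+ server decides the outcome; the local account is the fallback that keeps administrative access available if both remote systems are down, so it should be limited to the smallest set of users who genuinely need it.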
3.5.6 Audit trails of login attempts and command history
Tracing and logging operations allow you to track events that occur in the router
(both normal router operations and error conditions) and to track the packets that
are generated by or pass through the router. The results of tracing and logging
operations are placed in files in the /var/log directory on the router. Logging
operations use a UNIX syslog mechanism to record system-wide, high-level
operations, such as interfaces going up or down and users logging into or out of
the router.
For example: show log <user <user-name>> <filename>
This command lists the log files, displays the contents of a log file, and displays
information about users who have logged into the router.
user@host> show log user
darius mg2546 Thu Oct 1 19:37 still logged in
darius mg2529 Thu Oct 1 19:08 - 19:36 (00:28)
darius mg2518 Thu Oct 1 18:53 - 18:58 (00:04)
root mg1575 Wed Sep 30 18:39 - 18:41 (00:02)
root ttyp2 jun.berry.per Wed Sep 30 18:39 - 18:41 (00:02)
alex ttyp1 192.156.1.2 Wed Sep 30 01:03 - 01:22 (00:19)
Also using syslog, it is possible to log security and configuration changes made by
users. For each place where you can log system logging information, you specify
the class (facility) of messages to log and the minimum severity level (level) of the
messages. A common set of operations to log is when users log in to the router
and when they issue CLI commands. To configure this type of logging, specify
the interactive-commands facility and one of the following severity levels:
- info: Log all top-level CLI commands, including the configure command, and
all configuration mode commands.
- notice: Log the configuration mode commands rollback and commit.
- warning: Log when any software process restarts.
Another common operation to log is when users enter authentication information.
To configure this type of logging, specify the authorization facility.
Another syslog facility, change-log, can be used to log only configuration
changes. The change-log facility provides a single level of detail, as follows:
info: user name, path of the configuration object that changed, old value and new
value, in a one-line format.
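As an added example (not configuration from the evaluated document), the fragment below enables the three audit facilities described above, each written to its own file under /var/log, and additionally forwards the same messages to a remote collector. The file names and the collector address are placeholders; the facility names and severity levels are those the text describes.

```junos
/* Added example, not part of the original document. File names and the
   collector address are placeholders. */
system {
    syslog {
        /* Every top-level CLI command and every configuration-mode command.
           At notice, only rollback and commit would be recorded; at warning,
           only software process restarts. */
        file interactive-commands {
            interactive-commands info;
        }

        /* Authentication events: users entering login credentials. */
        file auth-events {
            authorization info;
        }

        /* Configuration changes only: user, object path, old and new value. */
        file config-changes {
            change-log info;
        }

        /* Second copy on a remote syslog host, so the audit trail survives
           loss of or changes to the files kept on the router. */
        host 192.0.2.50 {
            interactive-commands info;
            authorization info;
            change-log info;
        }
    }
}
```

Keeping the command, authentication and change records in separate files makes each easy to review on its own, while the remote copy provides the reference against which the local files can be checked if they are suspected of having been altered.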
Below is a sample output from the change-log feature:
[edit]
root@lab2# delete protocols bgp group "test group" no-aggregator-id
[edit]
root@lab2# set protocols bgp group "test group" peer-as 1234
[edit]
root@lab2# set protocols bgp group "test group" hold-time 37
The change log output is: