
EX2200 Switch - jloader release to support "Unattended Mode for U-Boot" feature


Article ID: TSB16425 TECHNICAL_BULLETINS
Last Updated: 23 Oct 2017
Version: 9.0
Alert Type:
PSN - Product Support Notification
Product Affected:
EX2200
Alert Description:

This Technical Support Bulletin (TSB) introduces a new jloader release for the EX2200, to support the new "Unattended Mode for U-Boot" feature. 

The "Unattended Mode for U-Boot" feature is available starting with Junos release 13.2X51-D20.2 and in subsequent releases.

 

New Feature:     Unattended Mode for U-Boot

Image Name:       jloader-ex-2200-13.2X51-D20.2-signed.tgz      (Image Link is provided below)

Junos Release:  13.2X51-D20.2 and later Junos releases

Platforms:            EX2200


NOTE:  Please review the 13.2X51-D20 release notes, and Junos documentation, for a complete description of the feature, and configuration details.


WARNING:

On EX2200 switches, if both the root password and the unattended mode password are lost while the switch is in unattended mode, there is no alternative recovery method available.
The switch would have to be returned to Juniper Networks.


 
Solution:


Understanding Unattended Mode for U-Boot on EX Series Switches


 

Unattended mode for U-Boot can be configured to prevent unauthorized access to the
switch that can occur during the boot process.  After the CPU has been reset, there are
several known methods of accessing the system before the JUNOS login prompt
appears that do not require the user to enter authorization credentials. By gaining
unauthorized access, the user can view, modify, or corrupt the switch configuration, or
make the switch unavailable on the network.

When unattended mode is configured, the user can only access the CLI during the
boot process by pressing <CTRL+C> and entering the correct password, which is known
as the boot-loader password. The boot-loader password must have been previously
configured on the switch. Entering the correct boot-loader password will place the user
in the U-Boot CLI. If the password is incorrect, or if no password is entered within one
minute, access to the U-Boot CLI is blocked and the boot process continues automatically.

Access to the bootstrap loader command prompt (loader>) is blocked in unattended mode,
which prevents the use of the following recovery mechanisms: root password recovery
using single-user mode, and booting the switch using a software package stored on a
USB flash drive.

If unattended mode is not configured, but a boot-loader password has been configured,
the user must enter the correct password to access the U-Boot CLI. If a boot-loader
password has not been configured, the user can access the U-Boot CLI without entering
a password. In either case, the user can access the bootstrap loader command prompt,
which allows root password recovery using single-user mode as well as booting from
a USB flash drive.

Unattended mode is not enabled by default. When configured, unattended mode is
turned on and will block unauthorized access to the switch.



Unattended Mode Behavior

-----------------------------------------------------------------------------------------------
Unattended Mode   Boot-loader password   Behavior
-----------------------------------------------------------------------------------------------
ON                Set                    • Access to U-Boot CLI is allowed only after entering
                                           correct password.
                                         • Access to loader command prompt is blocked.
                                         • Booting from USB is blocked except from U-Boot
                                           CLI using bootfrom usb command.
                                         • Root password recovery using single-user mode
                                           is blocked.
-----------------------------------------------------------------------------------------------
ON                Not Set                • Access to U-Boot CLI is blocked.
                                         • Access to loader command prompt is blocked.
                                         • Booting from USB is blocked.
                                         • Root password recovery using single-user mode is
                                           blocked.
-----------------------------------------------------------------------------------------------
OFF               Set                    • Access to U-Boot CLI is allowed only after entering
                                           correct password.
                                         • Access to loader command prompt is allowed.
                                         • Booting from USB is allowed.
                                         • Root password recovery using single-user mode is
                                           allowed.
-----------------------------------------------------------------------------------------------
OFF               Not Set                • Access to U-Boot CLI is allowed.
                                         • Access to loader command prompt is allowed.
                                         • Booting from USB is allowed.
                                         • Root password recovery using single-user mode is
                                           allowed.
-----------------------------------------------------------------------------------------------
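The following is an added example, not part of the Juniper bulletin: a small audit helper that reads set-style configuration text and reports which row of the table above a switch falls into, so that an inventory can show which recovery paths remain reachable at boot. It assumes the unattended-boot and boot-loader-authentication statements sit under the system hierarchy and that deactivated statements appear as "deactivate" lines; the sample configurations are constructed.

```python
import re

# Assumed statement paths under [edit system]; the bulletin gives only the names.
UNATTENDED = "system unattended-boot"
BOOT_AUTH = "system boot-loader-authentication"

# Rows of the bulletin's table, keyed by (unattended on, boot-loader password set).
# Values: U-Boot CLI, loader> prompt, USB boot, single-user root recovery.
BEHAVIOR = {
    (True, True): ("password", "blocked", "U-Boot CLI only", "blocked"),
    (True, False): ("blocked", "blocked", "blocked", "blocked"),
    (False, True): ("password", "allowed", "allowed", "allowed"),
    (False, False): ("open", "allowed", "allowed", "allowed"),
}

def under(path, prefix):
    return path == prefix or path.startswith(prefix + " ")

def active_statements(display_set):
    """Active 'set' paths; a 'deactivate' line disables that path and its children."""
    sets, off = [], []
    for line in display_set.splitlines():
        m = re.match(r"\s*(set|deactivate)\s+(\S.*?)\s*$", line)
        if m:
            (sets if m.group(1) == "set" else off).append(m.group(2))
    return [s for s in sets if not any(under(s, d) for d in off)]

def classify(display_set):
    stmts = active_statements(display_set)
    unattended = any(under(s, UNATTENDED) for s in stmts)
    # A bare boot-loader-authentication container with no child is not a password.
    password = any(s.startswith(BOOT_AUTH + " ") for s in stmts)
    uboot, loader, usb, recovery = BEHAVIOR[(unattended, password)]
    return {"unattended": unattended, "password": password, "uboot_cli": uboot,
            "loader_prompt": loader, "usb_boot": usb, "root_recovery": recovery}

# Constructed sample configurations (not taken from a real switch).
SAMPLES = {
    "sw-locked": 'set system boot-loader-authentication encrypted-password "$1$constructed"\n'
                 "set system unattended-boot\n",
    "sw-no-password": "set system host-name sw2\nset system unattended-boot\n",
    "sw-deactivated": 'set system boot-loader-authentication encrypted-password "$1$constructed"\n'
                      "set system unattended-boot\ndeactivate system unattended-boot\n",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, classify(cfg))
```

The "sw-deactivated" sample shows why deactivated statements need handling: the unattended-boot line is present in the text, but the switch still behaves as the OFF / Set row.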
  
Related Documentation (See Links Below):

    • Understanding Unattended Mode for U-Boot on EX Series Switches
    • unattended-boot
    • boot-loader-authentication
    • Using Unattended Mode for U-Boot to Prevent Unauthorized Access

 

NOTE:  Please see the release notes and Junos documentation for configuration details and a complete description of the feature.



 

 
Implementation:


Please review the Junos 13.2X51-D20 release notes, and Junos documentation, for a complete description of the feature, and configuration details.




 
