6.4.1 Ensure Authentication is configured for Diagnostic Ports

Information

An encrypted password should be set for access to the router's diagnostic ports.

Rationale:

Most high-end Juniper network devices contain Diagnostic Ports on one or more of the control boards installed in the system, such as the FEB (Forwarding Engine Board) in M5 or M10 routers or the SSB (System Switching Board) in M20 routers. These ports allow access to a range of diagnostic functions and could give an attacker who has physical access to the system a route to bypass other controls and compromise the router.

Because of this risk, it is possible to set a password for all Diagnostic Ports installed in the system. As with other similar items, the password is stored by JUNOS as a hash (in this case MD5) in the configuration file. Please note that only local authentication is supported for the Diagnostic Ports, which are intended for limited use only, often when the device is experiencing a serious outage during which external AAA services may be unavailable.

Should a system not contain any diagnostic ports, this item of configuration is ignored by the device.

Solution

Configure a password for the diagnostic ports using one of the following commands under the [edit system] hierarchy. To enter a new password in plain text:

[edit system]
user@host# set diag-port-authentication plain-text-password

You will be prompted to enter the new password, which JUNOS will then hash with MD5 before placing the command in the candidate configuration. To enter an existing password hash that you have taken from an existing configuration file, type the following:

[edit system]
user@host# set diag-port-authentication encrypted-password '<MD5 Hash>'
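
The following added example (not part of the benchmark or of any Juniper tooling) shows how an offline audit script can verify this item against a saved configuration in "display set" form. The sample configuration lines and the hash values are constructed placeholders; it assumes that a configured diagnostic-port password appears as a "set system diag-port-authentication encrypted-password" line holding a crypt-style hash.

```python
import re

# Constructed sample of "show configuration | display set" output (not from a real device).
# JUNOS marks hashed secrets with a trailing "## SECRET-DATA" comment.
SAMPLE_COMPLIANT = """\
set system host-name edge-router
set system root-authentication encrypted-password "$1$PLACEHOLDER$rootHashGoesHere" ## SECRET-DATA
set system diag-port-authentication encrypted-password "$1$PLACEHOLDER$diagHashGoesHere" ## SECRET-DATA
set system services ssh
"""

# Same device with the diagnostic-port password omitted (the default state).
SAMPLE_NONCOMPLIANT = """\
set system host-name edge-router
set system root-authentication encrypted-password "$1$PLACEHOLDER$rootHashGoesHere" ## SECRET-DATA
set system services ssh
"""

DIAG_RE = re.compile(
    r'^set system diag-port-authentication encrypted-password\s+'
    r'"?(?P<hash>[^"\s]+)"?(?:\s+##.*)?$'
)

# crypt-style hash: $<id>$<salt>$<digest>; JUNOS uses id "1" for MD5 (assumption from the text above).
CRYPT_RE = re.compile(r'^\$(?P<id>[0-9a-z]+)\$[^$]+\$[^$]+$')


def diag_port_hash(config_set_text: str):
    """Return the configured diagnostic-port password hash, or None if none is set."""
    for line in config_set_text.splitlines():
        m = DIAG_RE.match(line.strip())
        if m:
            return m.group("hash")
    return None


def check_diag_port_auth(config_set_text: str) -> dict:
    """Evaluate benchmark item 6.4.1: a hashed diagnostic-port password must be present."""
    h = diag_port_hash(config_set_text)
    if h is None:
        return {"compliant": False, "reason": "no diag-port-authentication configured"}
    m = CRYPT_RE.match(h)
    if not m:
        return {"compliant": False, "reason": "value is not a crypt-style hash"}
    algo = "MD5" if m.group("id") == "1" else "crypt id " + m.group("id")
    return {"compliant": True, "reason": "diagnostic-port password stored as " + algo + " hash"}


if __name__ == "__main__":
    for name, cfg in (("compliant", SAMPLE_COMPLIANT), ("non-compliant", SAMPLE_NONCOMPLIANT)):
        print(name, check_diag_port_auth(cfg))
```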

Default Value:

By default, no password is configured for the diagnostic ports.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, CSCv7|4.2

Plugin: Juniper

Control ID: 4efa5814d066e8f58e02791aa5f5f61ff12efe905af48c7810bfc45c34482517