[j-nsp] ERX - Local Commands Authorization

Thomas Salmen tsalmen at orcon.net.nz
Thu Dec 29 04:10:53 EST 2005


A standard user account with privilege level 1 only has access to show
commands - at least, I can't think of any configuration changes that can be
made at priv-lvl 1. If the user doesn't know the enable password then I
would imagine that this would be sufficient for your needs.

I don't know what the ACS config is like to specify a privilege level, but
the tacplus config is something like:

user = level1user {
        login = des <password>
        service = exec {
                priv-lvl = 1
/* for junos logins */
        service = junos-exec { 
                local-user-name = execuser

At least I think this works. I actually haven't tried it with an ERX before.

Of course, you can change the privilege level certain commands can be
executed at by doing:

lab_erx02>enable 15
Password: ********
nct_erx02#show conf | inc priv
! Commands displayed are limited to those available at privilege level 15
privilege exec level 1 show subscribers username
privilege exec level 1 show subscribers
lab_erx02#conf t
Enter configuration commands, one per line.  End with ^Z.
lab_erx02(config)#privilege exec level 1 logout subscribers

This will allow the command "logout subscribers" to be executed by someone
with priv-lvl 1. I assume, although I've never tried, you can increase the
level required to run certain commands as well. You need to move to priv-15
(standard enable is priv-10, you need to specify 15, as above) to change
privileges for commands. Some commands (like "configure", for example) can't
be changed. 

Hope this is of some use?


> Hello,
> I have two types of users logging into my ERX, those who configure and
> those
> who just need nothing by show commands, i failed to configure my current
> Cisco Secure ACS server to do it, so i want to do it locally, can anyone
> guide me if its similar to how its done in Ciscos ?
> Regards
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list