[j-nsp] Using TACACS to prevent deactivate/activate statements?

Erdem Sener erdems at gmail.com
Mon Nov 10 13:20:39 EST 2008


Hello,

 As far as I know, the activate/deactivate knobs are tied to the user's
permissions; meaning that if a user can edit a level of the configuration,
he/she can also always use activate/deactivate, since they're not really
'commands' from that perspective. (again, I may be wrong)

 Another option for you would be to use the 'deny-configuration' statement
for this particular class, to prevent reaching that part of the
configuration. This will, however, also result in the members of this class
not seeing those sections of the configuration (e.g. interfaces xe-0/0/0)
when they do a show command in edit mode.

For example:

[edit system login class Class1]
user at router# show
permissions all;
deny-configuration "^interfaces xe-0/0/3|^interfaces xe-0/0/2";

The members of class 'Class1' will have the rights to alter the whole
configuration except interfaces xe-0/0/3 and xe-0/0/2. They also won't be
able to see the configuration for those interfaces when they do a show
command.

I understand this is not exactly what you're after and I'm confident
someone would correct me if there's anything I'm missing.

Cheers,
Erdem


On Mon, Nov 10, 2008 at 5:04 PM, German Martinez
<gmartine at ajax.opentransit.net> wrote:
> On Tue Apr 22, 2008, Brian Pavane wrote:
>
> Hello Brian,
> Did you have any luck with this task? Anything that you are willing
> to share is really welcome
>
> Thanks
> German
>
>> I am currently working on a security profile, that requires me to
>> prohibit certain deactivate/activate commands to be issued by a certain
>> class of users.  I am looking to add this to my current TACACS
>> configuration (tac_plus), however I have been unable as of yet to get
>> the router to properly authorize these commands.
>>
>>  From what I can tell, these need to be placed in the "deny-commands"
>> section rather than the "deny-configuration" section of TACACS... but I
>> may be wrong (I've tried both).
>>
>> Has anyone done this in the past?  If so, could you share this portion
>> of your tacacs.conf?
>>
>> Thank you.
>>
>> -Brian
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
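As an added example (editor's, not from any of the posters), the deny-configuration regex from the message above pushed through TACACS+ rather than kept in a local class, which is what the original question asked for. It uses the junos-exec service and its Juniper attributes (local-user-name, deny-configuration) in Shrubbery tac_plus syntax; the user alice, the group netops, the template user remote-ops, the server address and the secrets are placeholders.

```text
# tac_plus.conf (constructed example)
# At login Junos requests the "junos-exec" service; the attributes
# returned for it map onto the login-class knobs shown earlier.
user = alice {
    login = des "PLACEHOLDER-CRYPT-HASH"
    member = netops
}

group = netops {
    service = junos-exec {
        # local Junos account whose class supplies the base permissions
        local-user-name = "remote-ops"
        # same anchored regex as the deny-configuration example above
        deny-configuration = "^interfaces xe-0/0/3|^interfaces xe-0/0/2"
    }
}

# Junos side (constructed): server, authentication order, template user
set system tacplus-server 192.0.2.10 secret "PLACEHOLDER-SHARED-SECRET"
set system authentication-order [ tacplus password ]
set system login class Class1 permissions all
set system login user remote-ops class Class1
```

After logging in as alice, `show cli authorization` lists the effective permissions and the deny-configuration regex the server returned, which is the quickest way to confirm the attribute actually reached the router.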

