[j-nsp] Juniper authorization with tacacs+
Sukhjit Hayre
sukhjit.hayre at googlemail.com
Sun Apr 12 20:09:39 EDT 2015
hi all,
having been through multiple threads, i.e.
http://www.gossamer-threads.com/lists/nsp/juniper/9764#9764
I cannot find a way for Cisco ACS and an SRX cluster to allow an account to
have certain privileges.
Cisco advise they support the following Juniper attributes for TACACS+:

  Attribute            Requirement   Example value
  allow-commands       Optional      "(request system) | (show rip neighbor)"
  allow-configuration  Optional
  local-user-name      Optional      sales
  deny-commands        Optional      "<^clear"
  deny-configuration   Optional

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html
Now I can get the local-user-name attribute assigned and agreed between ACS
5.6 and Junos, as I can log in OK.
But I'm trying to restrict an account to only certain commands and would
rather do this on ACS 5.6 than in the local device login profile.
here is the config on the device:
login {
    user junosadmin {
        uid 100;
        class super-user;
    }
    user junosro {
        uid 101;
        class unauthorized;
    }
}
so I want junosro to be permitted to run "show" commands.
I've tried creating a custom class locally with increased rights, but need
to be able to control this on ACS.
I've tried on ACS adding these into policy elements > authorizations &
permissions > device administration > shell profiles > account > custom attributes,
but only the "local-user-name" attribute seems to work for authentication
purposes.
Cisco advise "The values of the allow-commands, allow-configuration,
deny-commands, and deny-configuration attributes can be entered in regex
format. The values that these attributes are set to are in addition to the
operational/configuration mode commands authorized by the user's login
class permissions bits."
Without getting into a debate about whether this is an ACS or Juniper problem,
has anyone encountered the same?
thanks in advance
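As an added illustration, not part of this thread and not Junos or ACS code, here is a small Python model of the mechanism the post is about: the TACACS+ authorization reply carries the Juniper attributes as AV pairs (the "Optional" column maps to the `*` separator, versus `=` for mandatory), and the device applies the returned allow-commands/deny-commands regexes on top of the login class's permission bits. Assumptions: the permission-bit table is reduced to three classes, Junos word anchors `<`/`>` are translated to Python `\b`, and allow-commands is taken to win when a command matches both regexes (check this against your Junos release).

```python
import re

# Constructed stand-in for login-class permission bits: the real Junos
# table is far richer; this keeps the post's two classes plus "view".
CLASS_BASE = {"unauthorized": [], "view": [r"^show"], "super-user": [r".*"]}

JUNOS_ATTRS = {"local-user-name", "allow-commands", "deny-commands",
               "allow-configuration", "deny-configuration"}

def parse_av_pairs(args):
    """Parse TACACS+ authorization-reply arguments into {attr: value}.
    '=' marks a mandatory argument, '*' an optional one (RFC 8907).
    An unrecognised mandatory argument fails the whole authorization;
    an unrecognised optional one is simply dropped."""
    attrs = {}
    for arg in args:
        m = re.fullmatch(r"([^=*]+)([=*])(.*)", arg, re.S)
        if not m:
            raise ValueError(f"malformed AV pair: {arg!r}")
        attr, sep, value = m.groups()
        if attr not in JUNOS_ATTRS:
            if sep == "=":
                raise ValueError(f"unrecognised mandatory attribute {attr!r}")
            continue
        attrs[attr] = value
    return attrs

def junos_regex(expr):
    # Junos uses '<' and '>' as word anchors (as in the Cisco example
    # "<^clear"); Python spells both as \b (assumed translation).
    return re.compile(expr.replace("<", r"\b").replace(">", r"\b"))

def authorize(command, login_class, attrs):
    """True if the operational-mode command is permitted: the returned
    regexes act in addition to the class permission bits. Assumption:
    when a command matches both allow- and deny-commands, allow wins."""
    permitted = any(re.search(p, command) for p in CLASS_BASE[login_class])
    deny, allow = attrs.get("deny-commands"), attrs.get("allow-commands")
    if deny and junos_regex(deny).search(command):
        permitted = False
    if allow and junos_regex(allow).search(command):
        permitted = True
    return permitted

# Constructed ACS reply for the read-only account from the post.
ACS_REPLY = ["local-user-name*junosro", "allow-commands*^show"]

if __name__ == "__main__":
    attrs = parse_av_pairs(ACS_REPLY)
    for cmd in ("show interfaces terse", "clear interfaces statistics"):
        print(cmd, "->", authorize(cmd, "unauthorized", attrs))
```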