[j-nsp] Juniper authorization with tacacs+

Eduardo Barrios Eduardo.Barrios at LCRA.ORG
Mon Apr 13 11:01:31 EDT 2015


When I tested this a while back I could not get the "allow-commands" attribute to work. The deny-commands attribute does work, however. So for our ACS shell-profile read-only group we had to start with a Junos login with a super-user class, then use the "deny-commands" attribute to strip the access ...request, restart, configure, etc.

Thanks,
Eduardo

Eduardo Barrios, EIT, JNCIP-SP
Telecommunications Specialist
Lower Colorado River Authority  | 3505 Montopolis Dr. |  Austin, TX 78744


-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Sukhjit Hayre
Sent: Sunday, April 12, 2015 7:10 PM
To: juniper-nsp at puck.nether.net
Subject: [External] [j-nsp] Juniper authorization with tacacs+

Hi all,

Having been through multiple threads, i.e.

http://www.gossamer-threads.com/lists/nsp/juniper/9764#9764

I cannot find a way for Cisco ACS and an SRX cluster to allow an account to
have certain privileges.

Cisco advise they support the following Juniper attributes for TACACS+:

allow-commands        Optional   "(request system) | (show rip neighbor)"
allow-configuration   Optional
local-user-name       Optional   sales
deny-commands         Optional   "<^clear"
deny-configuration    Optional

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html


Now I can get the local-user-name attribute assigned and agreed between ACS
5.6 and Junos, as I can log in OK.

But I'm trying to restrict an account to only certain commands and would
rather do this on ACS 5.6 vs. the local device login profile.

Here is the config on the device:

login {
    user junosadmin {
        uid 100;
        class super-user;
    }
    user junosro {
        uid 101;
        class unauthorized;
    }
}

so I want junosro to be permitted to be able to run "show" commands

I've tried creating a custom class locally with increased rights but need
to be able to control this on ACS

I've tried on ACS adding these into policy elements>authorizations &
permissions>device administration>shell profiles>account>custom attributes
but only the "local-user-name" attribute seems to work for authentication
purposes

Cisco advise "The values of the allow-commands, allow-configuration,
deny-commands, and deny-configuration attributes can be entered in regex
format. The values that these attributes are set to are in addition to the
operational/configuration mode commands authorized by the user's login
class permissions bits."

without getting into a debate whether this is an ACS or Juniper problem,
has anyone encountered the same?

thanks in advance
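
The two approaches discussed in this thread (an "unauthorized" class plus allow-commands, and a super-user class plus deny-commands) can be compared offline before a shell profile is changed. The following is an added example, not part of the original messages and not Juniper or Cisco code. It assumes a simplified model: the login class either permits everything or nothing, the regex is applied with Python's `re` as a stand-in for the device's matcher, and every pattern is anchored with `^` explicitly; the command list and both patterns are constructed.

```python
import re

# Constructed sample commands (not taken from the thread).
SAMPLE_COMMANDS = [
    "show interfaces terse",
    "show configuration",
    "request system reboot",
    "restart routing",
    "configure",
    "clear arp",
    "start shell",
]

# Constructed patterns, anchored explicitly so the result does not
# depend on whether the device anchors the expression implicitly.
ALLOW_SHOW = r"^show( |$)"
DENY_LISTED = r"^(request|restart|configure)( |$)"


def permitted_commands(commands, class_permits_all, allow_re=None, deny_re=None):
    """Return the sorted commands a user could run under this model.

    Assumed model: a command is permitted if the class permits it or
    allow_re matches, and it is then removed if deny_re matches.
    """
    allow = re.compile(allow_re) if allow_re else None
    deny = re.compile(deny_re) if deny_re else None
    result = []
    for cmd in commands:
        ok = class_permits_all or bool(allow and allow.search(cmd))
        if deny and deny.search(cmd):
            ok = False
        if ok:
            result.append(cmd)
    return sorted(result)


def residual_access(commands, allow_re, deny_re):
    """Commands a deny-list on a permit-all class leaves open that an
    allow-list on a permit-nothing class would not grant."""
    by_deny = permitted_commands(commands, True, deny_re=deny_re)
    by_allow = permitted_commands(commands, False, allow_re=allow_re)
    return sorted(set(by_deny) - set(by_allow))


if __name__ == "__main__":
    for cmd in residual_access(SAMPLE_COMMANDS, ALLOW_SHOW, DENY_LISTED):
        print("still permitted by the deny-list profile:", cmd)
```

Anything the deny pattern does not name stays available to a super-user based profile, so the residual list is what to review each time the pattern or the Junos release changes.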