[j-nsp] Juniper authorization with tacacs+

Chris Morrow morrowc at ops-netman.net
Mon Apr 13 11:07:04 EDT 2015



On 04/13/2015 11:01 AM, Eduardo Barrios wrote:
> When I tested this a while back I could not get the "allow-commands"
> attribute to work. The deny-commands attribute does work, however. So
> for our ACS shell-profile read-only group we had to start with a Junos
> login with a super-user class, then use the "deny-commands" attribute
> to strip the access... request, restart, configure, etc.
> 

It might help you to look in /var/tmp on the Juniper when the affected
user is logged in. There will be a file named per the user's login PID
which has their access requirements outlined. You can probably reverse
engineer the right answer from that data.

