[j-nsp] Juniper authorization with tacacs+

Sukhjit Hayre sukhjit.hayre at googlemail.com
Mon Apr 13 18:22:16 EDT 2015


hey Eduardo

thanks for your reply, I tried configuring super-user locally and
deny-commands and even deny-configuration with the regex "deny" for the AV
on ACS in the previously described location and it's a no go, I'm running vSRX
firefly 12.1X47-D10.4

can you help with the exact AV?

thanks in advance

On Mon, Apr 13, 2015 at 4:01 PM, Eduardo Barrios <Eduardo.Barrios at lcra.org>
wrote:

> When I tested this a while back I could not get the "allow-commands"
> attribute to work. The deny-commands attribute does work however. So for our
> ACS shell-profile read-only group we had to start with a Junos login with a
> super-user class, then use the "deny-commands" attribute to strip the access
> ...request, restart, configure, etc.
>
> Thanks,
> Eduardo
>
> Eduardo Barrios, EIT, JNCIP-SP
> Telecommunications Specialist
> Lower Colorado River Authority  | 3505 Montopolis Dr. |  Austin, TX 78744
>
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf
> Of Sukhjit Hayre
> Sent: Sunday, April 12, 2015 7:10 PM
> To: juniper-nsp at puck.nether.net
> Subject: [External] [j-nsp] Juniper authorization with tacacs+
>
> hi all,
>
> having been through multiple threads, i.e.
>
> http://www.gossamer-threads.com/lists/nsp/juniper/9764#9764
>
> I cannot find a way for Cisco ACS and SRX cluster to allow an account to
> have certain privileges
>
> Cisco advise they support the following Juniper attributes for TACACS+:
>
> Attribute             Required   Example value
> allow-commands        Optional   "(request system) | (show rip neighbor)"
> allow-configuration   Optional
> local-user-name       Optional   sales
> deny-commands         Optional   "<^clear"
> deny-configuration    Optional
>
> http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html
>
>
> Now I can get the local-user-name attribute assigned and agreed between ACS
> 5.6 and Junos, as I can log in ok
>
> But I'm trying to restrict an account to only certain commands and would
> rather do this on ACS 5.6 vs the local device login profile
>
> here is the config on the device:
>
> login {
>     user junosadmin {
>         uid 100;
>         class super-user;
>     }
>     user junosro {
>         uid 101;
>         class unauthorized;
>     }
> }
>
> so I want junosro to be permitted to run "show" commands
>
> I've tried creating a custom class locally with increased rights but need
> to be able to control this on ACS
>
> I've tried on ACS adding these into policy elements > authorizations &
> permissions > device administration > shell profiles > account > custom
> attributes, but only the "local-user-name" attribute seems to work for
> authentication purposes
>
> Cisco advise "The values of the allow-commands, allow-configuration,
> deny-commands, and deny-configuration attributes can be entered in regex
> format. The values that these attributes are set to are in addition to the
> operational/configuration mode commands authorized by the user's login
> class permissions bits."
>
> without getting into a debate whether this is an ACS or Juniper problem,
> has anyone encountered the same?
>
> thanks in advance
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
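A Junos-side layout for the read-only TACACS+ account this thread is about, added here as an illustration rather than taken from any of the posts, Cisco ACS or Juniper documentation. It assumes ACS returns `local-user-name=junosro` for the read-only group (the one attribute the original poster confirmed works); the server address, shared secret, class name `ro-ops` and the `remote` uid are placeholders. Unlike the super-user-plus-deny-list approach described above, it starts from minimal permission bits so that anything not explicitly granted is refused, and keeps a deny-commands regex only as a backstop.

```junos
system {
    /* TACACS+ first; local passwords only when no server answers */
    authentication-order [ tacplus password ];
    tacplus-server {
        192.0.2.10 {                                  /* placeholder ACS address */
            secret "REPLACE-WITH-SHARED-SECRET";      /* placeholder */
            timeout 5;
            single-connection;
        }
    }
    login {
        /* Read-only class: only the view / view-configuration permission bits,
           so request, restart, configure, clear and shell are not granted at all.
           deny-commands is a backstop in case the permissions are widened later;
           in Junos a deny-commands match overrides the permission bits. */
        class ro-ops {
            permissions [ view view-configuration ];
            deny-commands "^(request|restart|configure|clear|start shell)";
        }
        /* Template user that ACS selects via local-user-name=junosro */
        user junosro {
            uid 101;
            class ro-ops;
        }
        /* Fallback template for TACACS+ users that carry no local-user-name;
           keeping it unauthorized means an unmapped account gets nothing */
        user remote {
            uid 9999;                                 /* placeholder uid */
            class unauthorized;
        }
    }
}
```

After logging in as the mapped user, `show cli authorization` prints the effective class, permission bits and deny-commands regex, which is the quickest way to see whether an ACS attribute or the local class is what is actually in force.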

