[j-nsp] Juniper authorization with tacacs+

Sukhjit Hayre sukhjit.hayre at googlemail.com
Mon Apr 13 18:58:34 EDT 2015



yeah I've used this too and depending on the local profile it shows what I expect it to, but what it doesn't show is minus the ACS attributes if at all I would see that here...

I think a deeper packet inspection can identify what the messages are saying, will try to do that at some point



> On 13 Apr 2015, at 23:42, Chris Kawchuk <juniperdude at gmail.com> wrote:
> 
> Show cli authorization. Should show you the current login credentials and such. 
> 
>> On 14 Apr 2015, at 8:23 am, Sukhjit Hayre <sukhjit.hayre at googlemail.com> wrote:
>> 
>> hi Chris
>> 
>> thanks for the reply, actually I did not see any user file in /var/tmp
>> whilst logged in. I'm running vSRX firefly 12.1X47-D10.4
>> 
>> On Mon, Apr 13, 2015 at 4:07 PM, Chris Morrow <morrowc at ops-netman.net>
>> wrote:
>> 
>>> 
>>> 
>>>> On 04/13/2015 11:01 AM, Eduardo Barrios wrote:
>>>> When I tested this a while back I could not get the "allow-commands"
>>>> attribute to work. The deny-commands attribute does work however. So
>>>> our ACS shell-profile read only group we had to start with a junos
>>>> login with a super-user class then use the "deny-commands" attribute
>>>> to strip the access ...request, restart, configure, etc.
>>> 
>>> it might help you to look in /var/tmp on the juniper when the affected
>>> user is logged in.. there will be a file named per the user's login PID
>>> which has their access requirements outlined. You can probably reverse
>>> engineer the right answer from that data.
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp

