[j-nsp] command authorization and tacacs

Pierfrancesco Caci pf at caci.it
Tue Dec 11 09:33:54 EST 2018


Hello,
I'm trying to set up command authorization via tacacs on MX and PTX
series. Tacacs is provided by Cisco ACS.

I fully understand that Juniper doesn't authorize the commands one by
one, and instead it relies on classes, permissions, and strings/regexps
of allowed or denied commands, and this blob of permissions gets passed
at authentication time.

So far, I've set up 2 users on the router side, one with slightly more
than bare read-only, and the other with a customized "operator" class.
I can pass additional permissions via tacacs with the "user-permissions"
parameter, and I can deny commands with "deny-commands". This gives me
most of what I'd need; I don't really want to set up a dozen different
local users matching our user groups, as this seems to defeat the
purpose of having a central tacacs.

But I have hit some snags:

I have not found a way to prevent a user from accidentally deleting the entire
bgp config while still allowing him to operate on single neighbors. Or
other similar situations involving top level configuration vs details
inside each block.

I have not really figured out how to use "deny-commands-regexp". I have
tried with various combinations of spaces, quotes, etc. Either it
doesn't take it, or I end up with a long string of commands with no
separation. This prevents me from denying commands with only certain
parameters, which is something I'd need to do.

I don't seem to be able to use the "allow-" version of the parameters:
if I don't give the permission I will not be allowed the individual
command, and if I give the permission I get allowed all the commands
belonging to that permission. 

I'd appreciate it if someone who has gone through this could share some
tips.

Thanks

Pf


-- 
Pierfrancesco Caci
