[j-nsp] Using allow-commandsN in TACACS

Jason Lixfeld jason-jnsp at lixfeld.ca
Fri Apr 26 16:05:53 EDT 2019


Hey there,

Overall, I’m trying to allow specific commands to be run by a user through allow-commandsN attributes in tacplus, but I’m having a hard time getting the CLI to execute the commands, even though it seems to think that the user is authorized to do so.

What I’m after is to allow the user to execute this only:

"show route protocol bgp table <vrf>.inet.0 .*"
"show route protocol bgp table <vrf>.inet6.0 .*"
"ping routing-instance <vrf> .*"
"traceroute routing-instance <vrf> .*"

But that doesn’t work.  Fine.

I’ve distilled the command set down to a single one to try to keep things simple:

#tacplus.conf
user = lg {
  # XR
  service = exec {
    optional task = "#root-system,rwx:basic-services,r:bgp"
  }
  cmd = "ping" {
    permit .*
  }
  cmd = "show" {
    permit "bgp .*"
  }
  cmd = "traceroute" {
    permit .*
  }
  # JunOS
  service = junos-exec {
    local-user-name = SU
    allow-commands1 = "show route protocol bgp .*"
    allow-commands99 = "exit"
    allow-commands98 = "show cli .*"
    deny-commands = ".*"
  }
}

CLI authorization seems to be in line with the tacplus config:

lg at lab> show cli authorization
Current user: 'SU' login: 'lg' class 'super-user'
Permissions:
    access      -- Can view access configuration
    access-control-- Can modify access configuration
    admin       -- Can view user accounts
    admin-control-- Can modify user accounts
    clear       -- Can clear learned network info
    configure   -- Can enter configuration mode
    control     -- Can modify any config
    edit        -- Can edit full files
    field       -- Can use field debug commands
    firewall    -- Can view firewall configuration
    firewall-control-- Can modify firewall configuration
    floppy      -- Can read and write the floppy
    interface   -- Can view interface configuration
    interface-control-- Can modify interface configuration
    maintenance -- Can become the super-user
    network     -- Can access the network
    reset       -- Can reset/restart interfaces and daemons
    rollback    -- Can rollback to previous configurations
    routing     -- Can view routing configuration
    routing-control-- Can modify routing configuration
    secret      -- Can view secret statements
    secret-control-- Can modify secret statements
    security    -- Can view security configuration
    security-control-- Can modify security configuration
    shell       -- Can start a local shell
    snmp        -- Can view SNMP configuration
    snmp-control-- Can modify SNMP configuration
    storage     -- Can view fibre channel storage protocol configuration
    storage-control-- Can modify fibre channel storage protocol configuration
    system      -- Can view system configuration
    system-control-- Can modify system configuration
    trace       -- Can view trace file settings
    trace-control-- Can modify trace file settings
    view        -- Can view current values and statistics
    view-configuration-- Can view all configuration (not including secrets)
    all-control -- Can modify any configuration
    flow-tap    -- Can view flow-tap configuration
    flow-tap-control-- Can modify flow-tap configuration
    flow-tap-operation-- Can tap flows
    idp-profiler-operation-- Can Profiler data
    pgcp-session-mirroring-- Can view pgcp session mirroring configuration
    pgcp-session-mirroring-control-- Can modify pgcp session mirroring configuration
    unified-edge-- Can view unified edge configuration
    unified-edge-control-- Can modify unified edge configuration
Individual command authorization:
    Allow regular expression: (show route protocol bgp .*|exit|show cli .*)
    Deny regular expression: (.*)
    Allow configuration regular expression: none
    Deny configuration regular expression: none

lg at lab>

show route doesn’t complete, despite the regex being allowed:

lg at lab> show route
             ^
syntax error, expecting <command>.

lg at lab> 

It seems to be fine with "show cli .*" and "exit" though:

lg at lab> show ?
Possible completions:
  cli                  Show command-line interface settings
lg at lab> exit

Connection to 192.168.57.22 closed.
BlackBox:~ jlixfeld$

So then I try to adjust allow-commands1 on TACACS:

allow-commands1 = "show route protocol .*"

lg at lab> show cli authorization
…
Individual command authorization:
    Allow regular expression: (show route protocol .*|exit|show cli .*)
    Deny regular expression: (.*)
    Allow configuration regular expression: none
    Deny configuration regular expression: none

lg at lab> show ?
Possible completions:
  cli                  Show command-line interface settings
  route                Show routing table information
lg at lab> show route?
Possible completions:
  route                Show routing table information
lg at lab> show route ?
Possible completions:
  protocol             Name of protocol that is source for entries
lg at lab> show route protocol ?
Possible completions:
  access               Access route
  access-internal      Access-internal route
  aggregate            Locally generated aggregate route
  anchor               Anchor route
  arp                  Prefixes learned via ARP
  bgp                  Border Gateway Protocol
  bgp-ls-epe           BGP egress peering using BGP-LS
  bgp-static           BGP static route
  ccc                  Circuit cross-connect
  direct               Directly connected routes
  esis                 End System-to-Intermediate System
  evpn                 EVPN
  flow                 Locally defined flow route
  frr                  Prefixes created by Host (Direct route) Fast reroute
  isis                 Intermediate System-to-Intermediate System
  l2circuit            Layer 2 circuit
  l2vpn                Layer 2 virtual private network
  ldp                  Label Distribution Protocol
  local                Local system addresses
  mpls                 Multiprotocol Label Switching
  msdp                 Multicast Source Discovery Protocol
  multipath            Locally generated Multipath route
  mvpn                 BGP-MVPN Protocol
  ospf                 Open Shortest Path First
  ospf2                Open Shortest Path First Version 2
  ospf3                Open Shortest Path First Version 3
  pim                  Protocol Independent Multicast
  rift                 Routing in Fat Trees Protocol
  rip                  Routing Information Protocol
  ripng                Routing Information Protocol for IPv6
  rsvp                 Resource Reservation Protocol
  rtarget              Local route target VPN membership
  spring-te            SPRING Traffic-Engineered
  static               Statically defined prefixes
  tunnel               Dynamic tunnel
  vpls                 Virtual Private LAN Service
  vpn                  Layer 3 virtual private network
lg at lab> show route protocol bgp ?
Possible completions:
  <[Enter]>            Execute this command
lg at lab> show route protocol bgp
error: permission denied for route: bgp
error: permission denied

lg at lab>

This is on an MX, 18.4R1.8.

What am I missing here?
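As an added example (my own, not from the post or from Junos), a small Python check that applies an allow-commands/deny-commands regex set to candidate command lines so the set can be tested before it goes into tacplus.conf. It assumes each regex is an anchored full match against the whole command line and that an allow match takes precedence over deny; CUST1 stands in for the <vrf> placeholder and the sample command lines are constructed.

```python
import re

# Added example: test an allow-commands / deny-commands regex set offline.
# Assumptions (not stated by the post): each regex is an anchored full match
# against the whole command line, and an allow match takes precedence over deny.

def authorize(command, allow, deny):
    """Decide a command line under allow-commands / deny-commands regexes."""
    if any(re.fullmatch(rx, command) for rx in allow):
        return "permit"          # allow-commands wins when it matches
    if any(re.fullmatch(rx, command) for rx in deny):
        return "deny"
    return "class-default"       # neither matched: login-class permissions apply

def evaluate(allow, deny, samples):
    """Map every sample command line to its decision."""
    return {cmd: authorize(cmd, allow, deny) for cmd in samples}

# The allow list from the post's tacplus.conf (deny-commands = ".*").
POSTED_ALLOW = ["show route protocol bgp .*", "exit", "show cli .*"]

# The narrower set the post is after, with <vrf> = CUST1 (constructed value).
# Dots are escaped so "CUST1.inet.0" cannot match "CUST1-inet-0". The trailing
# " .*" requires at least a space after the table name, so the bare command
# stays denied; use "( .*)?" instead if the bare form should be permitted.
TIGHT_ALLOW = [
    r"show route protocol bgp table CUST1\.inet\.0 .*",
    r"show route protocol bgp table CUST1\.inet6\.0 .*",
    r"ping routing-instance CUST1 .*",
    r"traceroute routing-instance CUST1 .*",
    r"show cli .*",
    r"exit",
]
DENY = [".*"]

SAMPLES = [  # constructed command lines to check
    "show route protocol bgp",
    "show route protocol bgp 10.0.0.0/8",
    "show route protocol bgp table CUST1.inet.0 10.0.0.0/8",
    "show route protocol bgp table CUST1-inet-0 10.0.0.0/8",
    "show route protocol bgp table CUST2.inet.0 10.0.0.0/8",
    "ping routing-instance CUST1 192.0.2.1",
    "show configuration",
]

if __name__ == "__main__":
    for name, allow in (("posted", POSTED_ALLOW), ("tight", TIGHT_ALLOW)):
        print(f"--- {name} allow list ---")
        for cmd, decision in evaluate(allow, DENY, SAMPLES).items():
            print(f"{decision:>13}  {cmd}")
```

Note that "show route protocol bgp .*" never fully matches the bare "show route protocol bgp", because the regex demands a space after "bgp".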
