[j-nsp] Tacacs command authorization not working as intended
Pierre Emeriaud
petrus.lt at gmail.com
Mon Jul 4 08:42:46 EDT 2022
Hi,
I've been trying to authorize 'clear pppoe session pp0.*' for some of
our users. They already have some allowed commands such as 'monitor
traffic' and 'clear network-access aaa subscriber username' that
work, but 'clear pppoe' is refused.
foo at bar> clear ppp?
No valid completions
foo at bar> clear pppoe
^
syntax error, expecting <command>.
Here are their rights on the box. They don't have 'clear' permissions
as I'd rather allow one command than refuse all the others.
foo at bar> show cli authorization
Current user: 'GEN-USR-N' login: 'foo' class 'GEN-PROF-N'
Permissions:
configure -- Can enter configuration mode
interface -- Can view interface configuration
network -- Can access the network
routing -- Can view routing configuration
trace -- Can view trace file settings
trace-control -- Can modify trace file settings
view -- Can view current values and statistics
view-configuration -- Can view all configuration (not including secrets)
Individual command authorization:
Allow regular expression: (clear pppoe sessions pp0.*|clear
network-access aaa subscriber username.*|monitor traffic.*)
Deny regular expression: (request .*|file .*|save .*|clear log .*)
Allow configuration regular expression: (protocols pppoe
traceoptions|system processes smg-service traceoptions|system
processes general-authentication-service traceoptions|protocols
ppp-service traceoptions|services l2tp traceoptions)
Deny configuration regular expression: none
And the tacacs configuration:
match = @RouterBNG {
# ReadOnlyDebug
service = junos-exec {
local-user-name = GEN-USR-N
user-permissions = "configure interface network routing trace
trace-control view view-configuration"
deny-commands = "request .*|file .*|save .*|clear log .*"
allow-commands = "clear pppoe sessions pp0.*|clear network-access
aaa subscriber username.*|monitor traffic.*"
allow-configuration = "(protocols pppoe traceoptions|system
processes smg-service traceoptions|system processes
general-authentication-service traceoptions|protocols ppp-service
traceoptions|services l2tp traceoptions)"
}
}
Options I've tried:
allow-commands = "(monitor traffic.*)|(clear pppoe sessions
pp0\..*)|(clear network-access aaa subscriber username.*)"
allow-commands = "monitor traffic.*|clear pppoe sessions pp0.*|clear
network-access aaa subscriber username.*"
allow-commands = "monitor traffic|clear pppoe sessions pp0\..*|clear
network-access aaa subscriber username"
allow-commands = "clear pppoe sessions pp0.*|clear network-access aaa
subscriber username.*|monitor traffic.*"
Is there a way without providing 'clear' permission? 'clear
network-access' works even without it...
thanks,
pierre
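As an added illustration (not part of the original post or of any Junos or TACACS+ code), the following Python snippet evaluates candidate CLI commands against the allow-commands and deny-commands patterns quoted above, under two assumed rules: each pattern is implicitly anchored at both ends, and a deny match takes precedence over an allow match. It is a local sanity check for a regex set before it is pushed to a TACACS+ server, not a model of the Junos parser itself; the partial command "clear pppoe" is shown only to make the point that a prefix of an allowed command does not itself match an anchored pattern. The command strings are constructed for the example.

```python
import re

# Patterns copied from the post: the allow set the author deployed, and the
# stricter variant they also tried (literal "." after pp0).
ALLOW = r"clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*"
ALLOW_STRICT = r"clear pppoe sessions pp0\..*|clear network-access aaa subscriber username|monitor traffic"
DENY = r"request .*|file .*|save .*|clear log .*"


def _anchored(pattern: str) -> re.Pattern:
    # Assumption: the authorization regex is anchored at both ends, so the
    # whole command line must match one of the alternatives.
    return re.compile(r"^(?:" + pattern + r")$")


def authorize(command: str, allow: str = ALLOW, deny: str = DENY) -> str:
    """Classify a command as 'deny', 'allow' or 'unmatched'.

    Assumption: deny patterns are evaluated first and win over allow patterns.
    'unmatched' means neither list covers the command, so the decision falls
    back to the user's class permissions (not modelled here).
    """
    if deny and _anchored(deny).match(command):
        return "deny"
    if allow and _anchored(allow).match(command):
        return "allow"
    return "unmatched"


def review(commands: list[str], allow: str = ALLOW, deny: str = DENY) -> dict[str, str]:
    """Evaluate a batch of commands and return {command: decision}."""
    return {cmd: authorize(cmd, allow, deny) for cmd in commands}


if __name__ == "__main__":
    # Constructed sample commands for the check.
    samples = [
        "clear pppoe sessions pp0.1073741824",   # intended target
        "clear pppoe sessions pp00",             # matched by 'pp0.*', not by 'pp0\\..*'
        "clear pppoe",                           # partial command: no anchored match
        "clear network-access aaa subscriber username alice",
        "monitor traffic interface ge-0/0/0",
        "clear log messages",                    # explicit deny
        "request system reboot",                 # explicit deny
    ]
    for cmd, decision in review(samples).items():
        print(f"{decision:9s}  {cmd}")
    print("strict variant:", review(["clear pppoe sessions pp00"], allow=ALLOW_STRICT))
```

Comparing the two allow sets on the same inputs makes the difference between `pp0.*` and `pp0\..*` visible: the former also accepts interface names such as `pp00`, which may or may not be what the operator wants.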