[j-nsp] Tacacs command authorization not working as intended

Saku Ytti saku at ytti.fi
Mon Jul 4 10:18:33 EDT 2022


I don't believe Junos has TACACS command authorization.

You can add allow/deny-commands regexps in the user class to achieve the
same thing without introducing the RTT lag.

On Mon, 4 Jul 2022 at 15:52, Pierre Emeriaud via juniper-nsp <
juniper-nsp at puck.nether.net> wrote:

> Hi
>
> I've been trying to authorize 'clear pppoe session pp0.*' for some of
> our users. They already have some allowed commands such as 'monitor
> traffic' and 'clear network-access aaa subscriber username' that
> work, but 'clear pppoe' is refused.
>
> foo at bar> clear ppp?
> No valid completions
>
> foo at bar> clear pppoe
>                ^
> syntax error, expecting <command>.
>
>
> Here are their rights on the box. They don't have 'clear' permissions
> as I'd rather allow one command than refuse all the others.
>
> foo at bar> show cli authorization
> Current user: 'GEN-USR-N' login: 'foo' class 'GEN-PROF-N'
> Permissions:
>     configure   -- Can enter configuration mode
>     interface   -- Can view interface configuration
>     network     -- Can access the network
>     routing     -- Can view routing configuration
>     trace       -- Can view trace file settings
>     trace-control-- Can modify trace file settings
>     view        -- Can view current values and statistics
>     view-configuration-- Can view all configuration (not including secrets)
> Individual command authorization:
>     Allow regular expression: (clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*)
>     Deny regular expression: (request .*|file .*|save .*|clear log .*)
>     Allow configuration regular expression: (protocols pppoe traceoptions|system processes smg-service traceoptions|system processes general-authentication-service traceoptions|protocols ppp-service traceoptions|services l2tp traceoptions)
>     Deny configuration regular expression: none
>
> And the tacacs configuration:
>
>   match = @RouterBNG {
>     # ReadOnlyDebug
>     service = junos-exec {
>       local-user-name = GEN-USR-N
>       user-permissions = "configure interface network routing trace trace-control view view-configuration"
>       deny-commands = "request .*|file .*|save .*|clear log .*"
>       allow-commands = "clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*"
>       allow-configuration = "(protocols pppoe traceoptions|system processes smg-service traceoptions|system processes general-authentication-service traceoptions|protocols ppp-service traceoptions|services l2tp traceoptions)"
>     }
>   }
>
> Options I've tried:
> allow-commands = "(monitor traffic.*)|(clear pppoe sessions pp0\..*)|(clear network-access aaa subscriber username.*)"
> allow-commands = "monitor traffic.*|clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*"
> allow-commands = "monitor traffic|clear pppoe sessions pp0\..*|clear network-access aaa subscriber username"
> allow-commands = "clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*"
>
>
> Is there a way without providing 'clear' permission? 'clear
> network-access' works even without it...
>
> thanks,
> pierre
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


-- 
  ++ytti
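The local-class alternative Saku mentions, written out as an added example (it is not configuration from the thread or from Juniper): a Junos login class carrying the same permission flags and allow/deny regular expressions that the TACACS+ profile above returns, so they apply locally instead of per-session. The class name GEN-PROF-N and template user GEN-USR-N are taken from the 'show cli authorization' output; the `clear` permission flag is deliberately left out, as in the original.

```junos
/* Added example: local login class mirroring the TACACS+ junos-exec attributes */
system {
    login {
        class GEN-PROF-N {
            /* Same flags as user-permissions in the TACACS+ profile; no 'clear' flag */
            permissions [ configure interface network routing trace trace-control view view-configuration ];
            /* Operational-mode commands explicitly allowed (regex copied from the thread) */
            allow-commands "(clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*)";
            /* Operational-mode commands explicitly denied */
            deny-commands "(request .*|file .*|save .*|clear log .*)";
            /* Configuration hierarchies the class may edit */
            allow-configuration "(protocols pppoe traceoptions|system processes smg-service traceoptions|system processes general-authentication-service traceoptions|protocols ppp-service traceoptions|services l2tp traceoptions)";
        }
        /* Template user that TACACS+ maps real logins onto via local-user-name */
        user GEN-USR-N {
            class GEN-PROF-N;
        }
    }
}
```

With the class defined locally, the TACACS+ profile only needs to return local-user-name = GEN-USR-N; the regexes are evaluated on the box without a round trip per command.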

