[j-nsp] Tacacs command authorization not working as intended
Pierre Emeriaud
petrus.lt at gmail.com
Mon Jul 4 10:25:11 EDT 2022
On Mon, 4 Jul 2022 at 16:18, Saku Ytti <saku at ytti.fi> wrote:
>
> I don't believe Junos has tacacs command authorization.
It has. This sort of works: I've been able to allow some commands like
'clear network-access aaa subscriber username.*' and 'monitor
traffic'. The issue I have is with 'clear pppoe sessions pp0'.
When providing 'clear' to the user I can make it work, but I also have
to forbid all other clear commands I don't want.
foo at bar> show cli authorization
Current user: 'GEN-USR-N' login: 'foo' class 'GEN-PROF-N'
Permissions:
clear -- Can clear learned network info
(...)
Individual command authorization:
Allow regular expression: (clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*)
Deny regular expression: (request .*|file .*|save .*|clear [a-o].*|clear [q-z].*|clear p[^p].*)
foo at bar> clear ?
Possible completions:
network-access Clear network-access related information
ppp Clear PPP information
pppoe Clear PPP over Ethernet information
And one can reset all PPPoE sessions while I only allowed 'pppoe
sessions pp0.*':
foo at bar> clear pppoe sessions ?
Possible completions:
<[Enter]> Execute this command
<interface> Name of PPPoE logical interface
Login configuration, for your information:
foo at bar> show configuration system login
class GEN-PROF-N {
    idle-timeout 15;
}
user GEN-USR-N {
    full-name "TACACS centralized command authorization";
    uid 2006;
    class GEN-PROF-N;
}
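The allow/deny evaluation shown in the 'show cli authorization' output above, as an added Python model that is not part of the post and is not Junos code. It takes the two regexes exactly as displayed and checks them against the commands the post mentions, plus a tightened deny list (an assumption, not from the post) that adds alternatives for the bare 'clear pppoe sessions', bare 'clear pppoe' and the 'clear ppp' branch seen in the completions. The order of evaluation (regexes anchored at the start of the command, allow-commands taking precedence when both regexes match, and the class permission flag deciding when neither matches) is an assumption of the model; the post's working 'clear network-access aaa subscriber username.*' case, which also matches the deny alternative 'clear [a-o].*', is consistent with allow winning.

```python
import re

# Regexes copied from the 'show cli authorization' output in the post.
ALLOW_RE = (r"(clear pppoe sessions pp0.*|"
            r"clear network-access aaa subscriber username.*|monitor traffic.*)")
DENY_RE = r"(request .*|file .*|save .*|clear [a-o].*|clear [q-z].*|clear p[^p].*)"

# Assumed tightened deny list (not from the post). The extra alternatives deny the
# bare 'clear pppoe sessions', bare 'clear pppoe' and the whole 'clear ppp' branch,
# and are written so that none of them overlaps 'clear pppoe sessions pp0.*'.
DENY_TIGHT_RE = DENY_RE[:-1] + r"|clear pppoe$|clear pppoe sessions$|clear ppp( .*)?$)"

# Permission flags granted by the class; the post shows 'clear' among them.
CLASS_PERMISSIONS = frozenset({"clear"})


def class_permits(cmd, perms=CLASS_PERMISSIONS):
    """Assumption: the class permits a command when its first keyword is a granted flag."""
    words = cmd.split()
    return bool(words) and words[0] in perms


def evaluate(cmd, allow=ALLOW_RE, deny=DENY_RE, perms=CLASS_PERMISSIONS, allow_wins=True):
    """Return (permitted, reason) for one operational-mode command.

    Model assumptions: both regexes are anchored at the start of the command
    (re.match); allow_wins says which list prevails when both match; when neither
    matches, the class permission flag decides.
    """
    a = re.match(allow, cmd) is not None
    d = re.match(deny, cmd) is not None
    if a and d:
        return allow_wins, "matched allow and deny; %s takes precedence" % (
            "allow" if allow_wins else "deny")
    if a:
        return True, "matched allow-commands"
    if d:
        return False, "matched deny-commands"
    return class_permits(cmd, perms), "no regex matched; class permission flag decides"


def permitted(cmd, **kw):
    """Convenience wrapper returning only the decision."""
    return evaluate(cmd, **kw)[0]


if __name__ == "__main__":
    # Constructed sample commands: the ones from the post plus a few neighbours.
    samples = [
        "clear pppoe sessions pp0.0",
        "clear pppoe sessions",          # the gap reported in the post
        "clear pppoe",
        "clear ppp",
        "clear interfaces statistics",
        "clear network-access aaa subscriber username bob",
        "monitor traffic interface pp0",
        "request system reboot",
    ]
    for label, deny in (("posted deny", DENY_RE), ("tightened deny", DENY_TIGHT_RE)):
        print(label)
        for cmd in samples:
            ok, why = evaluate(cmd, deny=deny)
            print("  %-50s -> %-5s (%s)" % (cmd, "ALLOW" if ok else "DENY", why))
```

With the posted deny list, 'clear pppoe sessions' and 'clear ppp' fall through both regexes and are decided by the class's 'clear' flag, which is why the CLI offers them. If allow-commands does take precedence over deny-commands on the device, a blanket deny of 'clear .*' with the two allowed commands carved out by allow-commands is simpler than enumerating the deny alternatives; verify on the platform before relying on either.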