[j-nsp] Tacacs command authorization not working as intended

Saku Ytti saku at ytti.fi
Mon Jul 4 10:43:03 EDT 2022


I don't believe what you're doing is tacacs command authorization, that is,
junos is not asking the tacacs server whether or not it can execute the command,
something IOS and SROS can do, but which makes things like loading config
very brutal (except SROS has a way to skip authorization for config loads).

You are shipping config to the router for its allow-commands/deny-commands.
And I further believe the behaviour you see is because there is a distinction
between keys and values, and you cannot include values in it. Similar
problem with 'apply-groups', because the parser doesn't know about values
and you're just telling it what exists in the parser tree and what does not.



On Mon, 4 Jul 2022 at 17:25, Pierre Emeriaud <petrus.lt at gmail.com> wrote:

> On Mon, 4 Jul 2022 at 16:18, Saku Ytti <saku at ytti.fi> wrote:
> >
> > I don't believe Junos has tacacs command authorization.
>
> It has. This sort of works; I've been able to allow some commands like
> 'clear network-access aaa subscriber username.*' and 'monitor
> traffic'. The issue I have is with 'clear pppoe sessions pp0'.
>
> When providing 'clear' to the user I can make it work, but I also have
> to forbid all other clear commands I don't want.
>
> foo at bar> show cli authorization
> Current user: 'GEN-USR-N' login: 'foo' class 'GEN-PROF-N'
> Permissions:
>     clear       -- Can clear learned network info
> (...)
> Individual command authorization:
>     Allow regular expression: (clear pppoe sessions pp0.*|clear
> network-access aaa subscriber username.*|monitor traffic.*)
>     Deny regular expression: (request .*|file .*|save .*|clear
> [a-o].*|clear [q-z].*|clear p[^p].*)
>
>
> foo at bar> clear ?
> Possible completions:
>   network-access       Clear network-access related information
>   ppp                  Clear PPP information
>   pppoe                Clear PPP over Ethernet information
>
> And one can reset all pppoe sessions while I only allowed 'pppoe
> session pp0.*':
> foo at bar> clear pppoe sessions ?
> Possible completions:
>   <[Enter]>            Execute this command
>   <interface>          Name of PPPoE logical interface
>
> login configuration for your information:
> foo at bar> show configuration system login
> class GEN-PROF-N {
>     idle-timeout 15;
> }
> user GEN-USR-N {
>     full-name "TACACS centralized command authorization";
>     uid 2006;
>     class GEN-PROF-N;
> }
>


-- 
  ++ytti

