[j-nsp] Tacacs command authorization not working as intended
Saku Ytti
saku at ytti.fi
Mon Jul 4 11:03:33 EDT 2022
I believe this is the best you can do:
ytti at a03.labxtx03.us.bb-re0# show|display set |match deny
set system login class tacacs-user deny-commands "clear pppoe sessions($| no-confirm$)"
ytti at a03.labxtx03.us.bb-re0> clear pppoe sessions ?
Possible completions:
<interface> Name of PPPoE logical interface
ytti at a03.labxtx03.us.bb-re0> clear pppoe sessions
You can't clear all, but you can clear any.
On Mon, 4 Jul 2022 at 17:43, Saku Ytti <saku at ytti.fi> wrote:
>
> I don't believe what you're doing is tacacs command authorization, that is, Junos is not asking the tacacs server whether or not it can execute the command, something IOS and SROS can do, but which makes things like loading config very brutal (except SROS has a way to skip authorization for config loads).
>
> You are shipping config to the router for its allow-commands/deny-commands. And I further believe the behaviour you see is because there is a distinction between keys and values, and you cannot include values in it. Similar problem with 'apply-groups', because the parser doesn't know about values and you're just telling it what exists in the parser tree and what does not.
>
>
>
> On Mon, 4 Jul 2022 at 17:25, Pierre Emeriaud <petrus.lt at gmail.com> wrote:
>>
>> On Mon, 4 Jul 2022 at 16:18, Saku Ytti <saku at ytti.fi> wrote:
>> >
>> > I don't believe Junos has tacacs command authorization.
>>
>> It has. This sorta works, I've been able to allow some commands like
>> 'clear network-access aaa subscriber username.*' and 'monitor
>> traffic'. The issue I have is with 'clear pppoe sessions pp0'.
>>
>> When providing 'clear' to the user I can make it work, but I also have
>> to forbid all other clear commands I don't want.
>>
>> foo at bar> show cli authorization
>> Current user: 'GEN-USR-N' login: 'foo' class 'GEN-PROF-N'
>> Permissions:
>> clear -- Can clear learned network info
>> (...)
>> Individual command authorization:
>> Allow regular expression: (clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*)
>> Deny regular expression: (request .*|file .*|save .*|clear [a-o].*|clear [q-z].*|clear p[^p].*)
>>
>>
>> foo at bar> clear ?
>> Possible completions:
>> network-access Clear network-access related information
>> ppp Clear PPP information
>> pppoe Clear PPP over Ethernet information
>>
>> And one can reset all pppoe sessions while I only allowed 'pppoe session pp0.*':
>> foo at bar> clear pppoe sessions ?
>> Possible completions:
>> <[Enter]> Execute this command
>> <interface> Name of PPPoE logical interface
>>
>> login configuration for your information:
>> foo at bar> show configuration system login
>> class GEN-PROF-N {
>> idle-timeout 15;
>> }
>> user GEN-USR-N {
>> full-name "TACACS centralized command authorization";
>> uid 2006;
>> class GEN-PROF-N;
>> }
>
>
>
> --
> ++ytti
--
++ytti
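The gap in the thread (a class that holds the `clear` permission, an allow regex that only names `clear pppoe sessions pp0.*`, and a deny list that never mentions the bare `clear pppoe sessions`) and the `($| no-confirm$)` deny pattern proposed above can be checked offline before pushing a login class to a router. The following script is an added illustration written for this page, not Junos code or anything from the list: it models the allow/deny evaluation with Python `re`, using the regexes printed in the quoted `show cli authorization` output. Its assumptions are labelled in the comments: patterns are matched anchored at the start of the command line (which is why the deny pattern above only needs `$` anchors), a command matching an allow regex is accepted even if a deny regex also matches it, and the permission set granted by the class is a constructed stand-in for the `(...)` in the original output.

```python
import re

# Constructed stand-in for the class permission bits shown under
# "Permissions:" in the quoted output (only "clear" was visible; the rest
# was elided as "(...)").  "monitor" is assumed so the monitor traffic allow
# regex has something to build on.
CLASS_PERMISSIONS = {"clear", "monitor"}

# Regexes exactly as printed by 'show cli authorization' in the thread.
ORIGINAL_ALLOW = (
    r"(clear pppoe sessions pp0.*"
    r"|clear network-access aaa subscriber username.*"
    r"|monitor traffic.*)"
)
ORIGINAL_DENY = (
    r"(request .*|file .*|save .*"
    r"|clear [a-o].*|clear [q-z].*|clear p[^p].*)"
)

# The original deny list plus the deny-commands pattern proposed in the reply.
# It rejects the bare command and the no-confirm form, but nothing that
# continues with an interface name.
PATCHED_DENY = ORIGINAL_DENY[:-1] + r"|clear pppoe sessions($| no-confirm$))"


def authorized(command, allow_re, deny_re, permissions):
    """Model of whether a login class lets `command` run.

    Assumed evaluation (not taken from Junos documentation, so treat it as
    the model's rule): an allow match wins, then a deny match rejects, and
    otherwise the command runs only if its first word is a permission the
    class already holds.  re.match anchors the regex at the start of the
    command, matching the start-anchored behaviour the "$"-only deny
    pattern in the thread relies on.
    """
    if re.match(allow_re, command):
        return True
    if re.match(deny_re, command):
        return False
    first_word = command.split()[0] if command.split() else ""
    return first_word in permissions


def audit(commands, deny_re):
    """Return {command: decision} for a list of candidate command lines."""
    return {
        cmd: authorized(cmd, ORIGINAL_ALLOW, deny_re, CLASS_PERMISSIONS)
        for cmd in commands
    }


# Constructed candidate command lines covering the cases discussed.
CANDIDATES = [
    "clear pppoe sessions",                  # the leak: clears every session
    "clear pppoe sessions no-confirm",       # same, without the prompt
    "clear pppoe sessions pp0.1234",         # the intended per-interface clear
    "clear interfaces statistics",           # caught by 'clear [a-o].*'
    "clear services sessions",               # caught by 'clear [q-z].*'
    "monitor traffic interface xe-0/0/0",    # explicitly allowed
    "request system reboot",                 # explicitly denied
    "show version",                          # no permission bit, no allow
]

if __name__ == "__main__":
    for label, deny in (("original deny", ORIGINAL_DENY), ("patched deny", PATCHED_DENY)):
        print(f"== {label} ==")
        for cmd, ok in audit(CANDIDATES, deny).items():
            print(f"  {'ALLOW' if ok else 'DENY ':5}  {cmd}")
```

Running it side by side shows the bare `clear pppoe sessions` passing under the original deny list (nothing in `clear [a-o].*|clear [q-z].*|clear p[^p].*` covers a command that starts with `clear pp`), and being rejected once the `($| no-confirm$)` alternative is added, while `clear pppoe sessions pp0.1234` is still accepted. Any other deny-commands candidate can be dropped into `PATCHED_DENY` and checked against the same candidate list before it reaches a production login class.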