Hello, I'm trying to set up command authorization via TACACS+ on MX and PTX series. TACACS+ is provided by Cisco ACS.

I fully understand that Juniper doesn't authorize the commands one by one; instead it relies on classes, permissions, and strings/regexps of allowed or denied commands, and this blob of permissions gets passed at authentication time.

So far, I've set up 2 users on the router side, one with slightly more than bare read-only, and the other with a customized "operator" class. I can pass additional permissions via TACACS+ with the "user-permissions" parameter, and I can deny commands with "deny-commands". This gives me most of what I'd need; I don't really want to set up a dozen different local users matching our user groups, as this seems to counter the purpose of having a central TACACS+.

But I have hit some snags:

- I have not found a way to prevent a user from accidentally deleting the entire BGP config while still allowing him to operate on single neighbors, or other similar situations involving top-level configuration vs. details inside each block.
- I have not really figured out how to use "deny-commands-regexp". I have tried various combinations of spaces, quotes, etc. Either it doesn't take it, or I end up with a long string of commands with no separation. This prevents me from denying commands with only certain parameters, which is something I'd need to do.
- I don't seem to be able to use the "allow-" version of the parameters: if I don't give the permission I will not be allowed the individual command, and if I give the permission I get allowed all the commands belonging to that permission.

I'd appreciate it if someone who has gone through this could share some tips.

Thanks
Pf
-- 
Pierfrancesco Caci

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
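Added illustration (editor's example, not part of the original post and not taken from the poster's ACS setup): the template-user pattern the post describes, written out as a Junos login class on the router plus the matching attribute set under the junos-exec service in tac_plus syntax. Cisco ACS shell profiles carry the same attribute names as custom attributes. The class name bgp-ops, the template user, the remote user alice, the server address, the secret and the uid are all made up. The deny-configuration line is meant to stop acting on the protocols bgp hierarchy as a whole (the "delete protocols bgp" case) while allow-configuration keeps the neighbor level open; this assumes that on the target release an allow-configuration match wins over a deny-configuration match and that the regex is anchored to the full statement path rather than prefix-matched. Confirm both before relying on it: log in as the remote user, run "show cli authorization" to see the merged permissions and regexes, then in "configure private" try "delete protocols bgp" (should be refused) and "delete protocols bgp group X neighbor Y" (should be accepted) and discard. The comments are explanatory and must be stripped before a "load merge".

```text
# --- Router side (Junos): template user plus class ---
# The remote user does not exist locally; the TACACS+ attribute
# local-user-name maps the session onto the "bgp-ops" template user below,
# so one local template serves a whole user group.
system {
    authentication-order [ tacplus password ];
    tacplus-server {
        192.0.2.10 {                     # assumed ACS address
            secret "change-me";          # assumed shared secret
            timeout 5;
        }
    }
    login {
        class bgp-ops {
            permissions [ view view-configuration configure routing-control ];
            # Block operating on the bgp hierarchy as a whole
            # (e.g. "delete protocols bgp").
            deny-configuration "protocols bgp";
            # ...but keep per-group / per-neighbor changes open.
            # Assumption: allow-configuration overrides deny-configuration here.
            allow-configuration "protocols bgp group .* neighbor .*";
            # Operational-mode commands this group must never run.
            deny-commands "(request system (reboot|halt|zeroize).*|clear bgp .*)";
        }
        user bgp-ops {
            uid 2010;
            class bgp-ops;
        }
    }
}

# --- TACACS+ side, tac_plus syntax (ACS shell profile: same attribute
# names, service junos-exec, entered as custom attributes) ---
user = alice {
    member = netops
}
group = netops {
    service = junos-exec {
        local-user-name = "bgp-ops"            # template user above
        # user-permissions adds permission bits on top of the class.
        user-permissions = "routing-control"
        # deny-commands from the server is merged with the class's list.
        deny-commands = "request system reboot"
    }
}
```

Keeping the restrictive regexes in the class on the router, and pushing only the per-group additions (local-user-name, user-permissions, deny-commands) from ACS, means a mis-typed attribute on the server side can only narrow what a user gets, never widen it beyond the template class.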

