I don't believe Junos has tacacs command authorization.
You can add do allow/deny commands regexp in the user class to achieve the
same without introducing the RTT lag.
On Mon, 4 Jul 2022 at 15:52, Pierre Emeriaud via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:
> Hi
>
> i've been trying to authorize 'clear pppoe session pp0.*' for some of
> our users. They already have some allowed commands such as 'monitor
> traffic' and 'clear network-access aaa subscriber username' that
> works, but 'clear pppoe' is refused.
>
> foo@bar> clear ppp?
> No valid completions
>
> foo@bar> clear pppoe
> ^
> syntax error, expecting <command>.
>
>
> Here are their rights on the box. They don't have 'clear' permissions
> as I'd rather allow one command than refuse all the others.
>
> foo@bar> show cli authorization
> Current user: 'GEN-USR-N' login: 'foo' class 'GEN-PROF-N'
> Permissions:
> configure -- Can enter configuration mode
> interface -- Can view interface configuration
> network -- Can access the network
> routing -- Can view routing configuration
> trace -- Can view trace file settings
> trace-control-- Can modify trace file settings
> view -- Can view current values and statistics
> view-configuration-- Can view all configuration (not including secrets)
> Individual command authorization:
> Allow regular expression: (clear pppoe sessions pp0.*|clear
> network-access aaa subscriber username.*|monitor traffic.*)
> Deny regular expression: (request .*|file .*|save .*|clear log .*)
> Allow configuration regular expression: (protocols pppoe
> traceoptions|system processes smg-service traceoptions|system
> processes general-authentication-service traceoptions|protocols
> ppp-service traceoptions|services l2tp traceoptions)
> Deny configuration regular expression: none
>
> And the tacacs configuration:
>
> match = @RouterBNG {
> # ReadOnlyDebug
> service = junos-exec {
> local-user-name = GEN-USR-N
> user-permissions = "configure interface network routing trace
> trace-control view view-configuration"
> deny-commands = "request .*|file .*|save .*|clear log .*"
> allow-commands = "clear pppoe sessions pp0.*|clear network-access
> aaa subscriber username.*|monitor traffic.*"
> allow-configuration = "(protocols pppoe traceoptions|system
> processes smg-service traceoptions|system processes
> general-authentication-service traceoptions|protocols ppp-service
> traceoptions|services l2tp traceoptions)"
> }
> }
>
> options I've tried:
> allow-commands = "(monitor traffic.*)|(clear pppoe sessions
> pp0\..*)|(clear network-access aaa subscriber username.*)"
> allow-commands = "monitor traffic.*|clear pppoe sessions pp0.*|clear
> network-access aaa subscriber username.*"
> allow-commands = "monitor traffic|clear pppoe sessions pp0\..*|clear
> network-access aaa subscriber username"
> allow-commands = "clear pppoe sessions pp0.*|clear network-access aaa
> subscriber username.*|monitor traffic.*"
>
>
> Is there a way without providing 'clear' permission? 'clear
> network-access' works even without it...
>
> thanks,
> pierre
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
--
++ytti
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
