I don't believe what you're doing is tacacs command authorization, that is,
junos is not asking the tacacs server whether or not it can execute the command,
something IOS and SROS can do, but which makes things like loading config
very brutal (except SROS has a way to skip authorization for config loads).

You are shipping config to the router for its allow-commands/deny-commands.
And I further believe the behaviour you see is because there is a distinction
between keys and values, and you cannot include values in it. Similar
problem with 'apply-groups', because the parser doesn't know about values
and you're just telling it what exists in the parser tree and what does not.

On Mon, 4 Jul 2022 at 17:25, Pierre Emeriaud <[email protected]> wrote:

> On Mon, 4 Jul 2022 at 16:18, Saku Ytti <[email protected]> wrote:
> >
> > I don't believe Junos has tacacs command authorization.
>
> It has. This sorta works, I've been able to allow some commands like
> 'clear network-access aaa subscriber username.*' and 'monitor
> traffic'. The issue I have is with 'clear pppoe sessions pp0'.
>
> When providing 'clear' to the user I can make it work, but I also have
> to forbid all other clear commands I don't want.
>
> foo@bar> show cli authorization
> Current user: 'GEN-USR-N' login: 'foo' class 'GEN-PROF-N'
> Permissions:
>     clear       -- Can clear learned network info
> (...)
> Individual command authorization:
>     Allow regular expression: (clear pppoe sessions pp0.*|clear
> network-access aaa subscriber username.*|monitor traffic.*)
>     Deny regular expression: (request .*|file .*|save .*|clear
> [a-o].*|clear [q-z].*|clear p[^p].*)
>
>
> foo@bar> clear ?
> Possible completions:
>   network-access       Clear network-access related information
>   ppp                  Clear PPP information
>   pppoe                Clear PPP over Ethernet information
>
> And one can reset all pppoe sessions while I only allowed 'pppoe
> session pp0.*' :
> foo@bar> clear pppoe sessions ?
> Possible completions:
>   <[Enter]>            Execute this command
>   <interface>          Name of PPPoE logical interface
>
> login configuration for your information:
> foo@bar> show configuration system login
> class GEN-PROF-N {
>     idle-timeout 15;
> }
> user GEN-USR-N {
>     full-name "TACACS centralized command authorization";
>     uid 2006;
>     class GEN-PROF-N;
> }
>


-- 
  ++ytti
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
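To make the gap Pierre reports concrete, here is an added Python model of the allow-commands/deny-commands evaluation (my own code, not from the thread or from Juniper), fed with the regexes from his 'show cli authorization' output. It assumes the regexes are anchored at the start of the fully expanded command, that allow-commands takes precedence when both match (the thread's 'clear network-access ...' entry matches both and is reported as working), and that the class 'clear' permission flag otherwise permits any 'clear' command; the names authorized, audit, SAMPLE and TIGHTENED_DENY are mine.

```python
import re

# Regexes reassembled from the wrapped 'show cli authorization' output in the thread.
ALLOW = (r"(clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*"
         r"|monitor traffic.*)")
DENY = r"(request .*|file .*|save .*|clear [a-o].*|clear [q-z].*|clear p[^p].*)"

# Tightened deny list (my suggestion, not from the thread): deny every 'clear pppoe'
# command so only the allow-commands entry 'clear pppoe sessions pp0.*' gets through.
TIGHTENED_DENY = DENY[:-1] + r"|clear pppoe .*)"

# Top-level permission flags the class grants; the thread shows 'clear'.
CLASS_PERMISSIONS = frozenset({"clear"})


def authorized(command, allow=ALLOW, deny=DENY, permissions=CLASS_PERMISSIONS):
    """Model of Junos operational-mode command authorization (an assumption, not
    Juniper's code): regexes are anchored at the start of the expanded command;
    allow-commands wins over deny-commands; a command matching neither falls back
    to the class permission flags, modelled here as granting the whole keyword."""
    if re.match(allow, command):
        return True
    if re.match(deny, command):
        return False
    return command.split()[0] in permissions


def audit(commands, **policy):
    """Return the commands the policy permits, to compare with what was intended."""
    return [c for c in commands if authorized(c, **policy)]


# Constructed sample of commands an operator of this class might type.
SAMPLE = [
    "clear pppoe sessions",              # the gap Pierre found: no interface given
    "clear pppoe sessions pp0.100",      # the intended exception
    "clear network-access aaa subscriber username alice",
    "clear arp",                         # caught by 'clear [a-o].*'
    "request system reboot",             # caught by 'request .*'
]

if __name__ == "__main__":
    print("current policy permits:  ", audit(SAMPLE))
    print("tightened policy permits:", audit(SAMPLE, deny=TIGHTENED_DENY))
```

With the thread's regexes the bare 'clear pppoe sessions' matches neither list and is permitted by the class's 'clear' flag; adding 'clear pppoe .*' to deny-commands closes that while the allow-commands entry still admits 'clear pppoe sessions pp0.*'.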