I believe this is best you can do:

[email protected]# show | display set | match deny
set system login class tacacs-user deny-commands "clear pppoe sessions($| no-confirm$)"

[email protected]> clear pppoe sessions ?
Possible completions:
  <interface>          Name of PPPoE logical interface
[email protected]> clear pppoe sessions

You can't clear all, but you can clear any.

On Mon, 4 Jul 2022 at 17:43, Saku Ytti <[email protected]> wrote:
>
> I don't believe what you're doing is tacacs command authorization, that is
> junos is not asking the tacacs server if or not it can execute the command,
> something IOS and SROS can do, but which makes things like loading config
> very brutal (except SROS has way to skip authorization for config loads).
>
> You are shipping config to the router for its allow-commands/deny-commands.
> And I further believe behaviour you see is because there is distinction
> between key and values, and you cannot include values in it. Similar problem
> with 'apply-groups', because the parser doesn't know about values and you're
> just telling what exists in the parser tree and what does not.
>
>
> On Mon, 4 Jul 2022 at 17:25, Pierre Emeriaud <[email protected]> wrote:
>>
>> On Mon, 4 Jul 2022 at 16:18, Saku Ytti <[email protected]> wrote:
>> >
>> > I don't believe Junos has tacacs command authorization.
>>
>> it has. This sorta works, I've been able to allow some commands like
>> 'clear network-access aaa subscriber username.*' and 'monitor
>> traffic'. The issue I have is with 'clear pppoe sessions pp0'.
>>
>> When providing 'clear' to the user I can make it work, but I also have
>> to forbid all other clear commands I don't want.
>>
>> foo@bar> show cli authorization
>> Current user: 'GEN-USR-N' login: 'foo' class 'GEN-PROF-N'
>> Permissions:
>>     clear       -- Can clear learned network info
>> (...)
>> Individual command authorization:
>>   Allow regular expression: (clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*)
>>   Deny regular expression: (request .*|file .*|save .*|clear [a-o].*|clear [q-z].*|clear p[^p].*)
>>
>>
>> foo@bar> clear ?
>> Possible completions:
>>   network-access       Clear network-access related information
>>   ppp                  Clear PPP information
>>   pppoe                Clear PPP over Ethernet information
>>
>> And one can reset all pppoe sessions while I only allowed 'pppoe
>> session pp0.*' :
>> foo@bar> clear pppoe sessions ?
>> Possible completions:
>>   <[Enter]>            Execute this command
>>   <interface>          Name of PPPoE logical interface
>>
>> login configuration for your information:
>> foo@bar> show configuration system login
>> class GEN-PROF-N {
>>     idle-timeout 15;
>> }
>> user GEN-USR-N {
>>     full-name "TACACS centralized command authorization";
>>     uid 2006;
>>     class GEN-PROF-N;
>> }
>
>
>
> --
> ++ytti

--
++ytti
_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
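Added example, not part of the thread: a small Python harness that runs the allow/deny regexes quoted above against candidate commands, so the gap (a bare `clear pppoe sessions` matching neither regex) and the effect of the suggested `deny-commands` with its explicit `$` can be checked offline. It assumes Junos matches each regex from the start of the command but not to its end, and that Python's `re` is close enough to the Junos regex dialect for these expressions.

```python
import re

# Regexes as quoted in the thread: Pierre's original profile and the
# deny-commands Saku suggests. Assumption: Junos anchors each regex at
# the start of the command string but not at the end, hence re.match.
ALLOW_ORIGINAL = (r"(clear pppoe sessions pp0.*"
                  r"|clear network-access aaa subscriber username.*"
                  r"|monitor traffic.*)")
DENY_ORIGINAL = (r"(request .*|file .*|save .*"
                 r"|clear [a-o].*|clear [q-z].*|clear p[^p].*)")
DENY_SUGGESTED = r"clear pppoe sessions($| no-confirm$)"


def hits(regex, command):
    """True if the command matches the regex starting at its first character."""
    return re.match(regex, command) is not None


def evaluate(command, allow, deny):
    """Return (allow_matched, deny_matched) for one command.

    (False, False) means no regex covers the command, so only the class
    permission bits (e.g. 'clear') decide whether it runs. That is how a
    bare 'clear pppoe sessions' slipped past the original profile.
    """
    return (hits(allow, command), hits(deny, command))


def gaps(commands, allow, deny):
    """Commands that neither regex covers: the audit list for a profile."""
    return [c for c in commands if evaluate(c, allow, deny) == (False, False)]


if __name__ == "__main__":
    # Constructed sample commands for the audit.
    sample = ["clear pppoe sessions", "clear pppoe sessions pp0.100",
              "clear pppoe sessions no-confirm", "clear arp",
              "monitor traffic interface pp0.100"]
    for cmd in sample:
        print(f"{cmd!r:40} original={evaluate(cmd, ALLOW_ORIGINAL, DENY_ORIGINAL)}"
              f" suggested_deny={hits(DENY_SUGGESTED, cmd)}")
    print("uncovered by original profile:", gaps(sample, ALLOW_ORIGINAL, DENY_ORIGINAL))
```

With the suggested deny-commands, the bare and `no-confirm` forms are denied while `clear pppoe sessions pp0.100` still passes through to the class permission or allow-commands.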

