When I tested this a while back I could not get the "allow-commands" attribute to work. The "deny-commands" attribute does work, however. So for our ACS shell-profile read-only group we had to start with a Junos login with a super-user class and then use the "deny-commands" attribute to strip access to request, restart, configure, etc.
Thanks,

Eduardo

Eduardo Barrios, EIT, JNCIP-SP
Telecommunications Specialist
Lower Colorado River Authority | 3505 Montopolis Dr. | Austin, TX 78744

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Sukhjit Hayre
Sent: Sunday, April 12, 2015 7:10 PM
To: juniper-nsp@puck.nether.net
Subject: [External] [j-nsp] Juniper authorization with tacacs+

hi all,

having been through multiple threads, i.e. http://www.gossamer-threads.com/lists/nsp/juniper/9764#9764, I cannot find a way for Cisco ACS and an SRX cluster to allow an account to have certain privileges.

Cisco advise they support the following Juniper attributes for TACACS+:

    allow-commands         Optional   "(request system) | (show rip neighbor)"
    allow-configuration    Optional
    local-user-name        Optional   sales
    deny-commands          Optional   "<^clear"
    deny-configuration     Optional

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html

Now I can get the local-user-name attribute assigned and agreed between ACS 5.6 and Junos, as I can log in ok. But I'm trying to restrict an account to only certain commands and would rather do this on ACS 5.6 vs the local device login profile.

here is the config on the device:

    login {
        user junosadmin {
            uid 100;
            class super-user;
        }
        user junosro {
            uid 101;
            class unauthorized;
        }
    }

so I want junosro to be permitted to run "show" commands.

I've tried creating a custom class locally with increased rights, but need to be able to control this on ACS.

I've tried on ACS adding these into policy elements > authorizations & permissions > device administration > shell profiles > account > custom attributes, but only the "local-user-name" attribute seems to work for authentication purposes.

Cisco advise: "The values of the allow-commands, allow-configuration, deny-commands, and deny-configuration attributes can be entered in regex format. The values that these attributes are set to are in addition to the operational/configuration mode commands authorized by the user's login class permissions bits."

without getting into a debate whether this is an ACS or Juniper problem, has anyone encountered the same?

thanks in advance

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
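As an added illustration (not part of this thread, and not Junos or ACS code), the Python below models the additive semantics in the Cisco text quoted above and compares the two approaches discussed: the reply's workaround of a super-user class plus deny-commands, and a minimal read-only class plus allow-commands. The command list, the two class stand-ins and the evaluation order are constructed assumptions, and Python's re stands in for the regex engine Junos applies to these attributes.

```python
import re

# Constructed sample of operational-mode command lines (not a Junos inventory).
SAMPLE_COMMANDS = [
    "show interfaces terse",
    "show rip neighbor",
    "request system reboot",
    "restart routing",
    "configure",
    "clear interfaces statistics",
    "start shell",
]

def matches(pattern: str, command: str) -> bool:
    """Python's re stands in for the engine Junos applies to these attributes
    (an assumption). Use explicit ^ anchors so the result never depends on
    implicit anchoring; dry-run a value here before putting it in ACS."""
    return re.search(pattern, command) is not None

def effective_allowed(commands, class_permits, allow_re=None, deny_re=None):
    """Model of the semantics quoted from Cisco's doc: attribute regexes apply
    in addition to what the login class permission bits grant. The order used
    here (class grant, allow-commands adds, deny-commands removes) is this
    model's assumption, not how Junos resolves a command matched by both."""
    allowed = set()
    for cmd in commands:
        ok = class_permits(cmd)
        if allow_re is not None and matches(allow_re, cmd):
            ok = True
        if deny_re is not None and matches(deny_re, cmd):
            ok = False
        if ok:
            allowed.add(cmd)
    return allowed

def super_user_permits(cmd: str) -> bool:
    return True  # constructed stand-in for class super-user

def read_only_permits(cmd: str) -> bool:
    return cmd.startswith("show ")  # constructed stand-in for a view-only class

def deny_list_on_super_user():
    """The workaround in the reply above: super-user, then strip commands."""
    return effective_allowed(SAMPLE_COMMANDS, super_user_permits,
                             deny_re=r"^(request|restart|configure)")

def allow_list_on_read_only():
    """Fail-closed alternative: minimal class plus one allowed extra command."""
    return effective_allowed(SAMPLE_COMMANDS, read_only_permits,
                             allow_re=r"^request system reboot$")
```

Comparing the two result sets shows what a deny-list on super-user leaves behind (anything the pattern did not name, such as clear or start shell), which is the residual surface an allow-list on a minimal class never opens.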