Hey Eduardo, thanks for your reply. I tried configuring super-user locally and deny-commands, and even deny-configuration with the regex "deny" for the AV on ACS in the previously described location, and it's a no go. I'm running vSRX Firefly 12.1X47-D10.4.

Can you help with the exact AV? Thanks in advance.

On Mon, Apr 13, 2015 at 4:01 PM, Eduardo Barrios <eduardo.barr...@lcra.org> wrote:

> When I tested this a while back I could not get the "allow-commands"
> attribute to work. The deny-commands attribute does work however. So for our
> ACS shell-profile read-only group we had to start with a Junos login with a
> super-user class, then use the "deny-commands" attribute to strip the access
> ...request, restart, configure, etc.
>
> Thanks,
> Eduardo
>
> Eduardo Barrios, EIT, JNCIP-SP
> Telecommunications Specialist
> Lower Colorado River Authority | 3505 Montopolis Dr. | Austin, TX 78744
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Sukhjit Hayre
> Sent: Sunday, April 12, 2015 7:10 PM
> To: juniper-nsp@puck.nether.net
> Subject: [External] [j-nsp] Juniper authorization with tacacs+
>
> Hi all,
>
> Having been through multiple threads, i.e.
>
> http://www.gossamer-threads.com/lists/nsp/juniper/9764#9764
>
> I cannot find a way for Cisco ACS and an SRX cluster to allow an account to
> have certain privileges.
>
> Cisco advise they support the following Juniper attributes for TACACS+:
>
> allow-commands        Optional    "(request system) | (show rip neighbor)"
> allow-configuration   Optional
> local-user-name       Optional    sales
> deny-commands         Optional    "<^clear"
> deny-configuration    Optional
>
> http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html
>
> Now I can get the local-user-name attribute assigned and agreed between ACS
> 5.6 and Junos, as I can log in OK.
>
> But I'm trying to restrict an account to only certain commands and would
> rather do this on ACS 5.6 vs. the local device login profile.
>
> Here is the config on the device:
>
> login {
>     user junosadmin {
>         uid 100;
>         class super-user;
>     }
>     user junosro {
>         uid 101;
>         class unauthorized;
>     }
> }
>
> So I want junosro to be permitted to run "show" commands.
>
> I've tried creating a custom class locally with increased rights but need
> to be able to control this on ACS.
>
> I've tried on ACS adding these into policy elements>authorizations &
> permissions>device administration>shell profiles>account>custom attributes,
> but only the "local-user-name" attribute seems to work for authentication
> purposes.
>
> Cisco advise: "The values of the allow-commands, allow-configuration,
> deny-commands, and deny-configuration attributes can be entered in regex
> format. The values that these attributes are set to are in addition to the
> operational/configuration mode commands authorized by the user's login
> class permissions bits."
>
> Without getting into a debate whether this is an ACS or Juniper problem,
> has anyone encountered the same?
>
> Thanks in advance
> _______________________________________________
> juniper-nsp mailing list
> juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
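Added example, not from the thread and not Cisco's or Juniper's own documentation: the approach Eduardo describes (a local template user that stays in the super-user class, with the server-side deny-commands attribute removing what a read-only operator must never run) written out as a tac_plus-style TACACS+ server stanza. The attribute names local-user-name, deny-commands and deny-configuration are the ones the thread lists; the service name junos-exec, the tac_plus syntax, the group and user names, and the regex values are assumptions for illustration.

```conf
# tac_plus-style server config (assumed syntax; illustration only).
# On the Junos device, junosro exists locally with class super-user, as in
# Eduardo's approach. Everything that holds this account to read-only comes
# from the deny attributes below, so the regexes must be anchored and complete.
group = junos-readonly {
    default service = permit
    service = junos-exec {
        # Map the TACACS+ account onto the local template user (attribute from the thread)
        local-user-name = "junosro"
        # Anchored at ^ so the match is against the start of the command line;
        # the unanchored "<^clear" in the Cisco table would not behave this way.
        deny-commands = "^(configure|request|restart|clear|file|start shell)"
        # No configuration statement is permitted for this group at all
        deny-configuration = ".*"
    }
}

user = alice {
    member = junos-readonly
    login = des "<password hash placeholder>"
}
```

A check worth running before trusting the policy: log in as the mapped account and run `show cli authorization` on the Junos device. It prints the class and permission flags in effect together with the allow and deny regular expressions the device actually applied; if the deny regexes are absent from that output, the attribute never reached Junos and the session still has full super-user rights, which is exactly the failure mode to test for after every ACS shell-profile change.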