Hi Ivan
The goal is for ACS to be able to control this otherwise I can argue what's the point in using ACS at all? There are attributes which are supposed to be working for which I don't understand technically why they are not i.e allowed-commands (check the link) > On 14 Apr 2015, at 10:49, Ivan Ivanov <[email protected]> wrote: > > Hi Sukhjit, > > Why don't you use local template accounts to accomplish that? > > http://www.juniper.net/documentation/en_US/junos13.3/topics/task/configuration/authentication-user-local-template-account-configuring.html > > ACS should be able to push 'local-username' attribute via tacacs+. > > HTH, > Ivan, > >> On Mon, Apr 13, 2015 at 11:58 PM, Sukhjit Hayre >> <[email protected]> wrote: >> >> >> yeah I've used this too and depending on the local profile it shows what I >> expect it too, but what it doesn't show is minus the ACS attributes if at >> all I would see that here... >> >> I think a deeper packet inspection can identify what the messages are >> saying, will try to do that at some point >> >> >> >> > On 13 Apr 2015, at 23:42, Chris Kawchuk <[email protected]> wrote: >> > >> > Show cli authorization. Should show you the current login credentials and >> > such. >> > >> >> On 14 Apr 2015, at 8:23 am, Sukhjit Hayre <[email protected]> >> >> wrote: >> >> >> >> hi Chris >> >> >> >> thanks for the reply, actually I did not see any user file in /var/tmp >> >> whilst logged-in im running vSRX firefly 12.1X47-D10.4 >> >> >> >> On Mon, Apr 13, 2015 at 4:07 PM, Chris Morrow <[email protected]> >> >> wrote: >> >> >> >>> >> >>> >> >>>> On 04/13/2015 11:01 AM, Eduardo Barrios wrote: >> >>>> When I tested this a while back I could not get the "allow-commands" >> >>>> attribute to work. The deny-commands attribute does work however. So >> >>>> our ACS shell-profile read only group we had to start with a junos >> >>>> login with a super-user class then use the "deny-commands" attribute >> >>>> to strip the access ...request, restart, configure, etc. >> >>> >> >>> it might help you to look in /var/tmp on the juniper when the affected >> >>> user is logged in.. there will be a file named per the user's login PID >> >>> which has their access requirements outlined. You can probably reverse >> >>> engineer the right answer from that data. >> >>> _______________________________________________ >> >>> juniper-nsp mailing list [email protected] >> >>> https://puck.nether.net/mailman/listinfo/juniper-nsp >> >> _______________________________________________ >> >> juniper-nsp mailing list [email protected] >> >> https://puck.nether.net/mailman/listinfo/juniper-nsp >> _______________________________________________ >> juniper-nsp mailing list [email protected] >> https://puck.nether.net/mailman/listinfo/juniper-nsp > > > > -- > Best Regards! > > Ivan Ivanov _______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp
