I don't believe Junos has tacacs command authorization. You can add allow/deny command regexps in the user class to achieve the same without introducing the RTT lag.
On Mon, 4 Jul 2022 at 15:52, Pierre Emeriaud via juniper-nsp <juniper-nsp@puck.nether.net> wrote:
> Hi
>
> i've been trying to authorize 'clear pppoe session pp0.*' for some of our users. They already have some allowed commands such as 'monitor traffic' and 'clear network-access aaa subscriber username' that works, but 'clear pppoe' is refused.
>
> foo@bar> clear ppp?
> No valid completions
>
> foo@bar> clear pppoe
>                ^
> syntax error, expecting <command>.
>
>
> Here are their rights on the box. They don't have 'clear' permissions as I'd rather allow one command than refuse all the others.
>
> foo@bar> show cli authorization
> Current user: 'GEN-USR-N' login: 'foo' class 'GEN-PROF-N'
> Permissions:
>     configure -- Can enter configuration mode
>     interface -- Can view interface configuration
>     network -- Can access the network
>     routing -- Can view routing configuration
>     trace -- Can view trace file settings
>     trace-control-- Can modify trace file settings
>     view -- Can view current values and statistics
>     view-configuration-- Can view all configuration (not including secrets)
> Individual command authorization:
>     Allow regular expression: (clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*)
>     Deny regular expression: (request .*|file .*|save .*|clear log .*)
>     Allow configuration regular expression: (protocols pppoe traceoptions|system processes smg-service traceoptions|system processes general-authentication-service traceoptions|protocols ppp-service traceoptions|services l2tp traceoptions)
>     Deny configuration regular expression: none
>
> And the tacacs configuration:
>
> match = @RouterBNG {
>     # ReadOnlyDebug
>     service = junos-exec {
>         local-user-name = GEN-USR-N
>         user-permissions = "configure interface network routing trace trace-control view view-configuration"
>         deny-commands = "request .*|file .*|save .*|clear log .*"
>         allow-commands = "clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*"
>         allow-configuration = "(protocols pppoe traceoptions|system processes smg-service traceoptions|system processes general-authentication-service traceoptions|protocols ppp-service traceoptions|services l2tp traceoptions)"
>     }
> }
>
> options I've tried:
> allow-commands = "(monitor traffic.*)|(clear pppoe sessions pp0\..*)|(clear network-access aaa subscriber username.*)"
> allow-commands = "monitor traffic.*|clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*"
> allow-commands = "monitor traffic|clear pppoe sessions pp0\..*|clear network-access aaa subscriber username"
> allow-commands = "clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*"
>
>
> Is there a way without providing 'clear' permission? 'clear network-access' works even without it...
>
> thanks,
> pierre
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

--
++ytti
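The thread turns on which command lines the allow-/deny-commands regular expressions actually match. The following script is an added example (not code from either poster, nor from Juniper's implementation) that takes the allow and deny strings exactly as they appear in the quoted `show cli authorization` output and the tac_plus stanza, and reports for a list of constructed command lines which alternative matched, so a regex set can be checked offline before it is pushed to the TACACS server or a login class. Two things are assumptions rather than documented Junos behaviour: each alternative is matched against the whole command line (Python `re.fullmatch`, which is why the page's regexes all end in `.*`), and the `allow_wins` flag decides what happens when both an allow and a deny alternative match; confirm both against the vendor documentation for the release in use. Names such as `authorize` and `unmatched_alternatives` are this example's own.

```python
import re

# Rule strings copied verbatim from the quoted mail (the tac_plus junos-exec stanza).
ALLOW_COMMANDS = ("clear pppoe sessions pp0.*|clear network-access aaa subscriber "
                  "username.*|monitor traffic.*")
DENY_COMMANDS = "request .*|file .*|save .*|clear log .*"


def strip_outer_parens(rule_string):
    """Drop a single pair of parentheses wrapping the whole expression, as in the
    'show cli authorization' output, but leave '(a.*)|(b.*)' alone."""
    s = rule_string.strip()
    if not (s.startswith("(") and s.endswith(")")):
        return s
    depth = 0
    for i, ch in enumerate(s):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and i != len(s) - 1:
                return s  # the first group closes early: not one outer wrapper
    return s[1:-1]


def split_alternatives(rule_string):
    """Split on '|' at parenthesis depth 0, so grouped alternatives stay whole."""
    alts, cur, depth = [], [], 0
    for ch in strip_outer_parens(rule_string):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "|" and depth == 0:
            alts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    alts.append("".join(cur))
    return [a.strip() for a in alts if a.strip()]


def matching_alternatives(command, rule_string):
    """Return the alternatives that match the whole command line.
    Assumption: whole-line anchoring (re.fullmatch), not a substring search."""
    return [alt for alt in split_alternatives(rule_string) if re.fullmatch(alt, command)]


def authorize(command, allow=ALLOW_COMMANDS, deny=DENY_COMMANDS, allow_wins=True):
    """Classify one command line against the allow/deny sets.
    'no-match' means neither regex set applies and only the class permission
    bits (configure, view, ...) decide.  allow_wins is an assumption, not a
    documented Junos rule: check the vendor documentation for your release."""
    allowed = matching_alternatives(command, allow)
    denied = matching_alternatives(command, deny)
    if allowed and denied:
        verdict = "allow" if allow_wins else "deny"
    elif allowed:
        verdict = "allow"
    elif denied:
        verdict = "deny"
    else:
        verdict = "no-match"
    return {"command": command, "verdict": verdict,
            "allowed_by": allowed, "denied_by": denied}


def unmatched_alternatives(rule_string, sample_commands):
    """Alternatives that match none of the sample commands: the usual sign of a
    typo in the regex (wrong keyword, missing trailing '.*', unescaped dot)."""
    return [alt for alt in split_alternatives(rule_string)
            if not any(re.fullmatch(alt, cmd) for cmd in sample_commands)]


if __name__ == "__main__":
    # Constructed sample command lines, not output captured from a router.
    samples = [
        "clear pppoe sessions pp0.0",
        "clear pppoe",
        "clear log messages",
        "monitor traffic interface ge-0/0/0",
        "show version",
    ]
    for cmd in samples:
        r = authorize(cmd)
        print(f"{r['verdict']:9} {cmd!r}  allow={r['allowed_by']} deny={r['denied_by']}")
    print("never matched:", unmatched_alternatives(ALLOW_COMMANDS, samples))
```

Feeding the `Allow regular expression: (...)` line from `show cli authorization` to the same functions works too, because `strip_outer_parens` removes the wrapper the CLI adds; the "options I've tried" variants from the mail can be pasted in the same way to see which of them match a given command line under whole-line anchoring.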