Hey there,

Overall, I'm trying to allow specific commands to be run by a user through allow-commandsN attributes in tacplus, but I'm having a hard time getting the CLI to execute the commands, even though it seems to think that the user is authorized to do so.

What I'm after is to allow the user to execute this only:

    "show route protocol bgp table <vrf>.inet.0 .*"
    "show route protocol bgp table <vrf>.inet6.0 .*"
    "ping routing-instance <vrf> .*"
    "traceroute routing-instance <vrf> .*"

But that doesn't work. Fine. I've distilled the command set down to a single one to try to keep things simple:

    # tacplus.conf
    user = lg {
        # XR
        service = exec {
            optional task = "#root-system,rwx:basic-services,r:bgp"
        }
        cmd = "ping" {
            permit .*
        }
        cmd = "show" {
            permit "bgp .*"
        }
        cmd = "traceroute" {
            permit .*
        }
        # JunOS
        service = junos-exec {
            local-user-name = SU
            allow-commands1 = "show route protocol bgp .*"
            allow-commands99 = "exit"
            allow-commands98 = "show cli .*"
            deny-commands = ".*"
        }
    }

CLI authorization seems to be in line with the tacplus config:

    lg@lab> show cli authorization
    Current user: 'SU' login: 'lg' class 'super-user'
    Permissions:
        access               -- Can view access configuration
        access-control       -- Can modify access configuration
        admin                -- Can view user accounts
        admin-control        -- Can modify user accounts
        clear                -- Can clear learned network info
        configure            -- Can enter configuration mode
        control              -- Can modify any config
        edit                 -- Can edit full files
        field                -- Can use field debug commands
        firewall             -- Can view firewall configuration
        firewall-control     -- Can modify firewall configuration
        floppy               -- Can read and write the floppy
        interface            -- Can view interface configuration
        interface-control    -- Can modify interface configuration
        maintenance          -- Can become the super-user
        network              -- Can access the network
        reset                -- Can reset/restart interfaces and daemons
        rollback             -- Can rollback to previous configurations
        routing              -- Can view routing configuration
        routing-control      -- Can modify routing configuration
        secret               -- Can view secret statements
        secret-control       -- Can modify secret statements
        security             -- Can view security configuration
        security-control     -- Can modify security configuration
        shell                -- Can start a local shell
        snmp                 -- Can view SNMP configuration
        snmp-control         -- Can modify SNMP configuration
        storage              -- Can view fibre channel storage protocol configuration
        storage-control      -- Can modify fibre channel storage protocol configuration
        system               -- Can view system configuration
        system-control       -- Can modify system configuration
        trace                -- Can view trace file settings
        trace-control        -- Can modify trace file settings
        view                 -- Can view current values and statistics
        view-configuration   -- Can view all configuration (not including secrets)
        all-control          -- Can modify any configuration
        flow-tap             -- Can view flow-tap configuration
        flow-tap-control     -- Can modify flow-tap configuration
        flow-tap-operation   -- Can tap flows
        idp-profiler-operation -- Can Profiler data
        pgcp-session-mirroring -- Can view pgcp session mirroring configuration
        pgcp-session-mirroring-control -- Can modify pgcp session mirroring configuration
        unified-edge         -- Can view unified edge configuration
        unified-edge-control -- Can modify unified edge configuration
    Individual command authorization:
        Allow regular expression: (show route protocol bgp .*|exit|show cli .*)
        Deny regular expression: (.*)
        Allow configuration regular expression: none
        Deny configuration regular expression: none

"show route" doesn't complete, despite the regex being allowed:

    lg@lab> show route
                ^
    syntax error, expecting <command>.
    lg@lab>

It seems to be fine with "show cli .*" and "exit" though:

    lg@lab> show ?
    Possible completions:
      cli                  Show command-line interface settings
    lg@lab> exit
    Connection to 192.168.57.22 closed.
    BlackBox:~ jlixfeld$

So then I try to adjust allow-commands1 on TACACS:

    allow-commands1 = "show route protocol .*"

    lg@lab> show cli authorization
    …
    Individual command authorization:
        Allow regular expression: (show route protocol .*|exit|show cli .*)
        Deny regular expression: (.*)
        Allow configuration regular expression: none
        Deny configuration regular expression: none

    lg@lab> show ?
    Possible completions:
      cli                  Show command-line interface settings
      route                Show routing table information
    lg@lab> show route?
    Possible completions:
      route                Show routing table information
    lg@lab> show route ?
    Possible completions:
      protocol             Name of protocol that is source for entries
    lg@lab> show route protocol ?
    Possible completions:
      access               Access route
      access-internal      Access-internal route
      aggregate            Locally generated aggregate route
      anchor               Anchor route
      arp                  Prefixes learned via ARP
      bgp                  Border Gateway Protocol
      bgp-ls-epe           BGP egress peering using BGP-LS
      bgp-static           BGP static route
      ccc                  Circuit cross-connect
      direct               Directly connected routes
      esis                 End System-to-Intermediate System
      evpn                 EVPN
      flow                 Locally defined flow route
      frr                  Prefixes created by Host (Direct route) Fast reroute
      isis                 Intermediate System-to-Intermediate System
      l2circuit            Layer 2 circuit
      l2vpn                Layer 2 virtual private network
      ldp                  Label Distribution Protocol
      local                Local system addresses
      mpls                 Multiprotocol Label Switching
      msdp                 Multicast Source Discovery Protocol
      multipath            Locally generated Multipath route
      mvpn                 BGP-MVPN Protocol
      ospf                 Open Shortest Path First
      ospf2                Open Shortest Path First Version 2
      ospf3                Open Shortest Path First Version 3
      pim                  Protocol Independent Multicast
      rift                 Routing in Fat Trees Protocol
      rip                  Routing Information Protocol
      ripng                Routing Information Protocol for IPv6
      rsvp                 Resource Reservation Protocol
      rtarget              Local route target VPN membership
      spring-te            SPRING Traffic-Engineered
      static               Statically defined prefixes
      tunnel               Dynamic tunnel
      vpls                 Virtual Private LAN Service
      vpn                  Layer 3 virtual private network
    lg@lab> show route protocol bgp ?
    Possible completions:
      <[Enter]>            Execute this command
    lg@lab> show route protocol bgp
    error: permission denied for route: bgp
    error: permission denied
    lg@lab>

This is on an MX, 18.4R1.8. What am I missing here?

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
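An added offline check, not from the post and not tacplus or Junos code: a small Python model of how the allow-commandsN/deny-commands regexes from the post's first tacplus.conf combine, so a command set can be linted against expected verdicts before it is pushed to the TACACS server. It assumes (neither is stated on the page) that each regex is implicitly anchored to the whole command line and that an allow-commands match overrides deny-commands; the router's own "show cli authorization" output remains the authority where the model and the box disagree.

```python
import re

# Constructed from the post's first tacplus.conf, in the order Junos listed
# the attributes under "show cli authorization".
ALLOW_COMMANDS = ["show route protocol bgp .*", "exit", "show cli .*"]
DENY_COMMANDS = [".*"]


def combined_regex(patterns):
    """Join per-attribute patterns the way the router displays them: (a|b|c)."""
    return "(" + "|".join(patterns) + ")"


def junos_authorized(command, allow, deny):
    """Return "allow", "deny" or "class" for one operational-mode command.

    Assumptions: regexes are matched against the whole command line (anchored),
    and an allow match wins over a deny match. The post's "exit" succeeding
    under deny-commands ".*" only works if allow takes precedence. A command
    matched by neither list falls back to the login-class permission bits.
    """
    allow_re = re.compile(combined_regex(allow)) if allow else None
    deny_re = re.compile(combined_regex(deny)) if deny else None
    if allow_re and allow_re.fullmatch(command):
        return "allow"
    if deny_re and deny_re.fullmatch(command):
        return "deny"
    return "class"


def lint_policy(allow, deny, expectations):
    """Return (command, expected, actual) triples where the model disagrees."""
    mismatches = []
    for cmd, want in expectations.items():
        got = junos_authorized(cmd, allow, deny)
        if got != want:
            mismatches.append((cmd, want, got))
    return mismatches


# Constructed expectations for the lg user. Note that "bgp .*" needs a space
# after "bgp", so the bare "show route protocol bgp" is not in the allow set.
EXPECTED = {
    "show route protocol bgp table blue.inet.0 10.0.0.0/8": "allow",
    "show cli authorization": "allow",
    "exit": "allow",
    "show route": "deny",
    "show route protocol bgp": "deny",
    "configure": "deny",
}

if __name__ == "__main__":
    print(combined_regex(ALLOW_COMMANDS))
    print(lint_policy(ALLOW_COMMANDS, DENY_COMMANDS, EXPECTED))
```

Running it reproduces the Allow regular expression line the router printed and reports no mismatches for the expectations above; swapping in the post's second allow-commands1 value and the commands it tried lets you see where the box diverges from this simple model.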