Using allow-commandsN in TACACS
Hey there,

Overall, I’m trying to allow specific commands to be run by a user through allow-commandsN attributes in tacplus, but I’m having a hard time getting the CLI to execute the commands, even though it seems to think that the user is authorized to do so.

What I’m after is to allow the user to execute this only:

"show route protocol bgp table <vrf>.inet.0 .*"
"show route protocol bgp table <vrf>.inet6.0 .*"
"ping routing-instance <vrf> .*"
"traceroute routing-instance <vrf> .*"

But that doesn’t work. Fine.

I’ve distilled the command set down to a single one to try to keep things simple:

#tacplus.conf
user = lg {
    # XR
    service = exec {
        optional task = "#root-system,rwx:basic-services,r:bgp"
    }
    cmd = "ping" {
        permit .*
    }
    cmd = "show" {
        permit "bgp .*"
    }
    cmd = "traceroute" {
        permit .*
    }
    # JunOS
    service = junos-exec {
        local-user-name = SU
        allow-commands1 = "show route protocol bgp .*"
        allow-commands99 = "exit"
        allow-commands98 = "show cli .*"
        deny-commands = ".*"
    }
}

CLI authorization seems to be in line with the tacplus

lg@lab> show cli authorization
Current user: 'SU' login: 'lg' class 'super-user'
Permissions:
access -- Can view access configuration
access-control-- Can modify access configuration
admin -- Can view user accounts
admin-control-- Can modify user accounts
clear -- Can clear learned network info
configure -- Can enter configuration mode
control -- Can modify any config
edit -- Can edit full files
field -- Can use field debug commands
firewall -- Can view firewall configuration
firewall-control-- Can modify firewall configuration
floppy -- Can read and write the floppy
interface -- Can view interface configuration
interface-control-- Can modify interface configuration
maintenance -- Can become the super-user
network -- Can access the network
reset -- Can reset/restart interfaces and daemons
rollback -- Can rollback to previous configurations
routing -- Can view routing configuration
routing-control-- Can modify routing configuration
secret -- Can view secret statements
secret-control-- Can modify secret statements
security -- Can view security configuration
security-control-- Can modify security configuration
shell -- Can start a local shell
snmp -- Can view SNMP configuration
snmp-control-- Can modify SNMP configuration
storage -- Can view fibre channel storage protocol configuration
storage-control-- Can modify fibre channel storage protocol configuration
system -- Can view system configuration
system-control-- Can modify system configuration
trace -- Can view trace file settings
trace-control-- Can modify trace file settings
view -- Can view current values and statistics
view-configuration-- Can view all configuration (not including secrets)
all-control -- Can modify any configuration
flow-tap -- Can view flow-tap configuration
flow-tap-control-- Can modify flow-tap configuration
flow-tap-operation-- Can tap flows
idp-profiler-operation-- Can Profiler data
pgcp-session-mirroring-- Can view pgcp session mirroring configuration
pgcp-session-mirroring-control-- Can modify pgcp session mirroring configuration
unified-edge-- Can view unified edge configuration
unified-edge-control-- Can modify unified edge configuration
Individual command authorization:
Allow regular expression: (show route protocol bgp .*|exit|show cli .*)
Deny regular expression: (.*)
Allow configuration regular expression: none
Deny configuration regular expression: none

lg@lab>

show route doesn’t complete, despite the regex being allowed:

lg@lab> show route
^
syntax error, expecting <command>.

lg@lab>

It seems to be fine with "show cli .*" and "exit" though:

lg@lab> show ?
Possible completions:
cli Show command-line interface settings
lg@lab> exit

Connection to 192.168.57.22 closed.
BlackBox:~ jlixfeld$

So then I try to adjust allow-commands1 on TACACS:

allow-commands1 = "show route protocol .*"

lg@lab> show cli authorization

Individual command authorization:
Allow regular expression: (show route protocol .*|exit|show cli .*)
Deny regular expression: (.*)
Allow configuration regular expression: none
Deny configuration regular expression: none

lg@lab> show ?
Possible completions:
cli Show command-line interface settings
route Show routing table information
lg@lab> show route?
Possible completions:
route Show routing table information
lg@lab> show route ?
Possible completions:
protocol Name of protocol that is source for entries
lg@lab> show route protocol ?
Possible completions:
access Access route
access-internal Access-internal route
aggregate Locally generated aggregate route
anchor Anchor route
arp Prefixes learned via ARP
bgp Border Gateway Protocol
bgp-ls-epe BGP egress peering using BGP-LS
bgp-static BGP static route
ccc Circuit cross-connect
direct Directly connected routes
esis End System-to-Intermediate System
evpn EVPN
flow Locally defined flow route
frr Prefixes created by Host (Direct route) Fast reroute
isis Intermediate System-to-Intermediate System
l2circuit Layer 2 circuit
l2vpn Layer 2 virtual private network
ldp Label Distribution Protocol
local Local system addresses
mpls Multiprotocol Label Switching
msdp Multicast Source Discovery Protocol
multipath Locally generated Multipath route
mvpn BGP-MVPN Protocol
ospf Open Shortest Path First
ospf2 Open Shortest Path First Version 2
ospf3 Open Shortest Path First Version 3
pim Protocol Independent Multicast
rift Routing in Fat Trees Protocol
rip Routing Information Protocol
ripng Routing Information Protocol for IPv6
rsvp Resource Reservation Protocol
rtarget Local route target VPN membership
spring-te SPRING Traffic-Engineered
static Statically defined prefixes
tunnel Dynamic tunnel
vpls Virtual Private LAN Service
vpn Layer 3 virtual private network
lg@lab> show route protocol bgp ?
Possible completions:
<[Enter]> Execute this command
lg@lab> show route protocol bgp
error: permission denied for route: bgp
error: permission denied

lg@lab>

This is on an MX, 18.4R1.8.

What am I missing here?
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
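As an added example (not part of the original post or of any Juniper tooling), a small Python checker that evaluates candidate command lines against the allow/deny lists exactly as the "show cli authorization" output above printed them, so a profile change can be sanity-checked before it is pushed to the TACACS server. It assumes whole-line matching (re.fullmatch) and that an allow match outranks the deny-commands ".*" catch-all; both are assumptions to confirm against the Junos release in use, not facts taken from the post.

```python
import re

# Allow lists copied from the two 'show cli authorization' outputs in the post;
# Junos displayed them combined as (show route protocol bgp .*|exit|show cli .*).
ALLOW_V1 = ["show route protocol bgp .*", "exit", "show cli .*"]
ALLOW_V2 = ["show route protocol .*", "exit", "show cli .*"]  # second attempt
DENY = [".*"]  # deny-commands = ".*" from tacplus.conf


def combined(patterns):
    """Alternation in the form the CLI displayed it, e.g. (a|b|c)."""
    return "(" + "|".join(patterns) + ")"


def decide(command, allow, deny=DENY, allow_wins=True):
    """Return True (allowed), False (denied) or None (no list matched, so the
    login class permission bits decide).
    Assumptions, not taken from the post: every expression must match the whole
    command line (fullmatch, so 'bgp .*' needs a space and an argument after
    'bgp'), and a line matching both lists is decided by allow_wins."""
    allowed = any(re.fullmatch(p, command) for p in allow)
    denied = any(re.fullmatch(p, command) for p in deny)
    if allowed and denied:
        return allow_wins
    if allowed:
        return True
    if denied:
        return False
    return None


def report(commands, allow):
    """Verdict per candidate command line for one allow list."""
    return {cmd: decide(cmd, allow) for cmd in commands}


# Constructed candidate lines: the post's failing commands plus a full BGP query
# with a made-up VRF name (red) and prefix.
CANDIDATES = [
    "show route",
    "show route protocol bgp",
    "show route protocol bgp table red.inet.0 10.0.0.0/8",
    "show cli authorization",
    "exit",
]

if __name__ == "__main__":
    for label, allow in (("v1", ALLOW_V1), ("v2", ALLOW_V2)):
        print(f"allow-commands {label}: {combined(allow)}")
        for cmd, verdict in report(CANDIDATES, allow).items():
            print(f"  {str(verdict):5}  {cmd}")
```

Running it shows that the bare "show route protocol bgp" never matches "show route protocol bgp .*" under whole-line semantics, while the same line is matched by the second profile's "show route protocol .*".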