Mailing List Archive

Tacacs command authorization not working as intended
Hi

I've been trying to authorize 'clear pppoe session pp0.*' for some of
our users. They already have some allowed commands such as 'monitor
traffic' and 'clear network-access aaa subscriber username' that
work, but 'clear pppoe' is refused.

foo@bar> clear ppp?
No valid completions

foo@bar> clear pppoe
^
syntax error, expecting <command>.


Here are their rights on the box. They don't have 'clear' permissions
as I'd rather allow one command than refuse all the others.

foo@bar> show cli authorization
Current user: 'GEN-USR-N' login: 'foo' class 'GEN-PROF-N'
Permissions:
configure -- Can enter configuration mode
interface -- Can view interface configuration
network -- Can access the network
routing -- Can view routing configuration
trace -- Can view trace file settings
trace-control-- Can modify trace file settings
view -- Can view current values and statistics
view-configuration-- Can view all configuration (not including secrets)
Individual command authorization:
Allow regular expression: (clear pppoe sessions pp0.*|clear
network-access aaa subscriber username.*|monitor traffic.*)
Deny regular expression: (request .*|file .*|save .*|clear log .*)
Allow configuration regular expression: (protocols pppoe
traceoptions|system processes smg-service traceoptions|system
processes general-authentication-service traceoptions|protocols
ppp-service traceoptions|services l2tp traceoptions)
Deny configuration regular expression: none

And the tacacs configuration:

match = @RouterBNG {
    # ReadOnlyDebug
    service = junos-exec {
        local-user-name = GEN-USR-N
        user-permissions = "configure interface network routing trace trace-control view view-configuration"
        deny-commands = "request .*|file .*|save .*|clear log .*"
        allow-commands = "clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*"
        allow-configuration = "(protocols pppoe traceoptions|system processes smg-service traceoptions|system processes general-authentication-service traceoptions|protocols ppp-service traceoptions|services l2tp traceoptions)"
    }
}

Options I've tried:
allow-commands = "(monitor traffic.*)|(clear pppoe sessions pp0\..*)|(clear network-access aaa subscriber username.*)"
allow-commands = "monitor traffic.*|clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*"
allow-commands = "monitor traffic|clear pppoe sessions pp0\..*|clear network-access aaa subscriber username"
allow-commands = "clear pppoe sessions pp0.*|clear network-access aaa subscriber username.*|monitor traffic.*"


Is there a way without providing 'clear' permission? 'clear
network-access' works even without it...

thanks,
pierre
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Tacacs command authorization not working as intended
I don't believe Junos has tacacs command authorization.

You can add allow/deny commands regexps in the user class to achieve the
same without introducing the RTT lag.

On Mon, 4 Jul 2022 at 15:52, Pierre Emeriaud via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:



--
++ytti
Re: Tacacs command authorization not working as intended
On Mon, 4 Jul 2022 at 16:18, Saku Ytti <saku@ytti.fi> wrote:
>
> I don't believe Junos has tacacs command authorization.

It has. This sorta works, I've been able to allow some commands like
'clear network-access aaa subscriber username.*' and 'monitor
traffic'. The issue I have is with 'clear pppoe sessions pp0'.

When providing 'clear' to the user I can make it work, but I also have
to forbid all other clear commands I don't want.

foo@bar> show cli authorization
Current user: 'GEN-USR-N' login: 'foo' class 'GEN-PROF-N'
Permissions:
clear -- Can clear learned network info
(...)
Individual command authorization:
Allow regular expression: (clear pppoe sessions pp0.*|clear
network-access aaa subscriber username.*|monitor traffic.*)
Deny regular expression: (request .*|file .*|save .*|clear
[a-o].*|clear [q-z].*|clear p[^p].*)


foo@bar> clear ?
Possible completions:
network-access Clear network-access related information
ppp Clear PPP information
pppoe Clear PPP over Ethernet information

And one can reset all pppoe sessions while I only allowed 'pppoe
session pp0.*':
foo@bar> clear pppoe sessions ?
Possible completions:
<[Enter]> Execute this command
<interface> Name of PPPoE logical interface

Login configuration, for your information:
foo@bar> show configuration system login
class GEN-PROF-N {
    idle-timeout 15;
}
user GEN-USR-N {
    full-name "TACACS centralized command authorization";
    uid 2006;
    class GEN-PROF-N;
}
Re: Tacacs command authorization not working as intended
I don't believe what you're doing is tacacs command authorization, that is,
Junos is not asking the tacacs server whether or not it can execute the command,
something IOS and SROS can do, but which makes things like loading config
very brutal (except SROS has a way to skip authorization for config loads).

You are shipping config to the router for its allow-commands/deny-commands.
And I further believe the behaviour you see is because there is a distinction
between keys and values, and you cannot include values in it. Similar
problem with 'apply-groups', because the parser doesn't know about values
and you're just telling it what exists in the parser tree and what does not.



On Mon, 4 Jul 2022 at 17:25, Pierre Emeriaud <petrus.lt@gmail.com> wrote:



--
++ytti
Re: Tacacs command authorization not working as intended
I believe this is best you can do:

ytti@a03.labxtx03.us.bb-re0# show|display set |match deny
set system login class tacacs-user deny-commands "clear pppoe
sessions($| no-confirm$)"

ytti@a03.labxtx03.us.bb-re0> clear pppoe sessions ?
Possible completions:
<interface> Name of PPPoE logical interface
ytti@a03.labxtx03.us.bb-re0> clear pppoe sessions

You can't clear all, but you can clear any.


On Mon, 4 Jul 2022 at 17:43, Saku Ytti <saku@ytti.fi> wrote:



--
++ytti
Re: Tacacs command authorization not working as intended
On Mon, 4 Jul 2022 at 16:43, Saku Ytti <saku@ytti.fi> wrote:
>
> I don't believe what you're doing is tacacs command authorization, that is junos is not asking the tacacs server if or not it can execute the command, something IOS and SROS can do, but which makes things like loading config very brutal (except SROS has way to skip authorization for config loads).
>
> You are shipping config to the router for its allow-commands/deny-commands. And I further believe behaviour you see is because there is distinction between key and values, and you cannot include values in it. Similar problem with 'apply-groups', because the parser doesn't know about values and you're just telling what exists in the parser tree and what does not.

You're absolutely right. This is imho an acceptable tradeoff if
everything works.

On Mon, 4 Jul 2022 at 17:03, Saku Ytti <saku@ytti.fi> wrote:
>
> I believe this is best you can do:
>
> ytti@a03.labxtx03.us.bb-re0# show|display set |match deny
> set system login class tacacs-user deny-commands "clear pppoe
> sessions($| no-confirm$)"
>
> ytti@a03.labxtx03.us.bb-re0> clear pppoe sessions ?
> Possible completions:
> <interface> Name of PPPoE logical interface
> ytti@a03.labxtx03.us.bb-re0> clear pppoe sessions
>
> You can't clear all, but you can clear any.

Thanks Saku, much appreciated. This works well, although I still have
to allow the 'clear' permission and refuse all other commands.

deny-commands = "clear [a-o].*|clear [q-z].*|clear p[^p].*|clear pppoe sessions($| no-confirm$)"
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
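As an added illustration (not code from the thread, from Juniper, or from any TACACS+ server), the script below models the final allow-commands/deny-commands pair from the last message with Python's `re` module, to show which 'clear' variants each regex catches and which ones fall through to the class's 'clear' permission bit. It assumes the regexes are matched from the start of the command line, that an allow-commands match wins over deny-commands (inferred from the thread's 'clear ?' output, where 'clear [a-o].*' did not hide network-access), and that unmatched commands are governed by the first keyword's permission bit; none of this is verified against Junos internals.

```python
import re

# Patterns copied from the thread's final deny-commands and allow-commands.
ALLOW_COMMANDS = (r"clear pppoe sessions pp0.*"
                  r"|clear network-access aaa subscriber username.*"
                  r"|monitor traffic.*")
DENY_COMMANDS = (r"clear [a-o].*|clear [q-z].*|clear p[^p].*"
                 r"|clear pppoe sessions($| no-confirm$)")
# Permission bits the login class carries (the thread ends up granting 'clear').
CLASS_PERMISSIONS = frozenset({"clear"})


def decide(command, allow=ALLOW_COMMANDS, deny=DENY_COMMANDS,
           perms=CLASS_PERMISSIONS):
    """Return ('allow' | 'deny', reason) for one command line.

    Modelling assumptions (not verified against Junos): regexes are matched
    from the start of the line, allow-commands wins over deny-commands, and a
    command matching neither list is governed by the class permission bit of
    its first keyword; anything without such a bit is denied.
    """
    if re.match(allow, command):
        return "allow", "allow-commands"
    if re.match(deny, command):
        return "deny", "deny-commands"
    keyword = command.split(maxsplit=1)[0]
    if keyword in perms:
        return "allow", f"class permission '{keyword}'"
    return "deny", "no permission"


def residual(commands):
    """Commands the regexes do not decide, i.e. the ones reachable only through
    the class 'clear' bit: the 'you can clear any' gap the thread describes."""
    return [c for c in commands if decide(c)[1].startswith("class permission")]


if __name__ == "__main__":
    # Constructed sample commands; 'clear ppp ...' is the residual gap that the
    # thread's own 'clear ?' completion output shows is still reachable.
    for cmd in ("clear pppoe sessions", "clear pppoe sessions no-confirm",
                "clear pppoe sessions pp0.100", "clear pppoe sessions pp1.5",
                "clear ppp interface pp0.100", "clear log messages",
                "clear network-access aaa subscriber username bob",
                "monitor traffic interface ge-0/0/0", "request system reboot"):
        print(f"{cmd!r:55} -> {decide(cmd)}")
```

Note that the model shows 'clear pppoe sessions pp1.5' and 'clear ppp ...' being allowed purely by the class bit, which is the "can't clear all, but can clear any" trade-off of the thread, and that 'request ...' is only denied here because no permission bit covers it, since the final deny regex no longer lists it.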