Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

admin (Site Admin)
Post subject: Junos tacacs plus authentication for restricted privileges user with ping restrictions  |  Posted: Wed Jun 26, 2013 9:40 am

Junos tacacs plus authentication for restricted privileges user with ping restrictions

Below is my tacacs plus configuration:
Code:
# Shared secret between the J/SRX device and the TACACS+ server. Of course you should change this.
key = juniper123

# The "juniper" user inherits the privileges of the locally defined Junos user "testuser" on the J/SRX device
user = juniper {
        login = cleartext juniper123
        service = junos-exec {
               local-user-name = testuser
               # Each regex is matched against the whole operational-mode command line.
               # "ping [^r]*" rejects any ping argument string containing the letter "r":
               # this blocks "rapid", but also "source", "routing-instance", "record-route"
               # and any hostname containing an "r" (compare the "ping ?" output below).
               allow-commands = "(show route)|(show route .*)|(quit)|(ping [^r]*)|(traceroute .*)|(show bgp summary)"
               # Placeholder for a configuration-mode regex; with deny-commands = ".*"
               # the user cannot enter configuration mode at all, so it is never consulted.
               allow-configuration = <allow-configuration-regex>
               deny-commands = ".*"
               deny-configuration = "system"
        }
}


The above tacacs plus configuration defines a "junos-exec" service that contains, of course, Junos-specific directives (these directives can also be configured in the user's login class, but that is beyond the purpose of this post).

Most important to understand is that the "*-commands" directives refer to operational mode commands and the "*-configuration" directives refer to configuration mode.
In the above configuration, I'm denying all operational commands (deny-commands = ".*"), so configuration mode will not be possible, but allowing some:
- show route (without any arguments)
- show route (with all arguments)
- quit (of course, you want users to be able to quit, right?)
- ping (without arguments starting with "r"; I don't want the Junos restricted user to ping rapidly)
- traceroute (with all arguments, but probably I should restrict some of them... suggestions welcome)
- show bgp summary (in case this is a public BGP route mirror).

And below is the outcome of this:
Code:
juniper@CORE_R1> ?   
Possible completions:
  ping                 Ping remote target
  quit                 Exit the management session
  show                 Show system information
  traceroute           Trace route to remote host
juniper@CORE_R1> show ?
Possible completions:
  bgp                  Show Border Gateway Protocol information
  route                Show routing table information
juniper@CORE_R1> show bgp ?
Possible completions:
  summary              Show overview of BGP information
juniper@CORE_R1> show route ?
Possible completions:
  <[Enter]>            Execute this command
  <destination>        IP address and optional prefix length of destination
  active-path          Show active paths
  advertising-protocol  Show information in format intended for particular routing protocol
  all                  Show all entries, including hidden entries
  aspath-regex         BGP AS path regular expression for entries to match
  best                 Show longest matching route
  brief                Display brief output
  ccc                  Name of entry in MPLS table with a circuit cross-connect interface
+ community            Identifier for community (can include wildcards)
  community-name       Name of configured community policy to match
  damping              Show entries subjected to particular kind of route damping
  detail               Display detailed output
  exact                Show routes that match exactly
  export               Show instance export information
  extensive            Display extensive output
  flow                 Show flow routing information
  forwarding-table     Show entries in all forwarding tables
  hidden               Show hidden entries
  inactive-path        Show inactive paths
  inactive-prefix      Show inactive route destinations
  instance             Show routing instances information
  label                Label of entry in MPLS routing table
  label-switched-path  Name of LSP tunnel associated with entries
  logical-system       Name of logical system, or 'all'
  martians             Show martian networks
  match-prefix         Regular expression to match formatted prefix
  next-hop             IP address of next hop that is destination for entries
  no-community         Show entries with no associated community
  output               Show entries sent out a particular interface
  private              Show private table routes
  protocol             Name of protocol that is source for entries
  range                Show all entries in prefix range
  rd-prefix            Route distinguisher with ip prefix (rd:prefix)
  receive-protocol     Show information in format received from particular routing protocol
  resolution           Show next-hop resolution database
  rib-groups           Show group of routing tables
  snooping             Show routes for multicast snooping
  source-gateway       IP address of source router for entries
  static-label-switched-path  Name of static LSP tunnel associated with entries
  summary              Show routing table statistics
  table                Name of routing table
  terse                Display terse output
  |                    Pipe through a command
juniper@CORE_R1> ping ?           
Possible completions:
  <host>               Hostname or IP address of remote host
  atm                  Ping remote Asynchronous Transfer Mode node
  count                Number of ping requests to send (1..2000000000 packets)
  detail               Display incoming interface of received packet
  inet                 Force ping to IPv4 destination
  inet6                Force ping to IPv6 destination
  logical-system       Name of logical system
  mpls                 Ping label-switched path
  size                 Size of request packets (0..65468 bytes)
  tos                  IP type-of-service value (0..255)
  ttl                  IP time-to-live value (IPv6 hop-limit value) (1..255 hops)
  vpls                 Ping VPLS MAC address
  wait                 Maximum wait time after sending final packet (seconds)
juniper@CORE_R1> traceroute ?     
Possible completions:
  <host>               Hostname or address of remote host
  gateway              Address of router gateway to route through
  inet                 Force traceroute to IPv4 destination
  inet6                Force traceroute to IPv6 destination
  logical-system       Name of logical system
  mpls                 Trace MPLS paths
  tos                  IP type-of-service field (IPv4) (0..255)
  ttl                  IP maximum time-to-live value (or IPv6 maximum hop-limit value)
  wait                 Number of seconds to wait for response (seconds)


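The matching rule the post relies on (a command is permitted when allow-commands matches the whole command line, even though deny-commands ".*" also matches it) can be checked offline before the regexes go into tac_plus. The Python script below is an added example, not code from the post, from tac_plus or from Juniper. It models that rule with the post's own regexes over a constructed list of command lines, and lists which ping keywords "ping [^r]*" can never accept beyond "rapid" (the "ping ?" completion output above contains no keyword with an "r" in it for exactly that reason). The full-line match and allow-wins semantics, the extra Junos ping keywords, and the stricter PING_STRICT regex are assumptions of this example, not statements from the page.

```python
import re

# Regular expressions copied from the tac_plus "junos-exec" service in the post.
ALLOW_COMMANDS = (
    r"(show route)|(show route .*)|(quit)|(ping [^r]*)|(traceroute .*)|(show bgp summary)"
)
DENY_COMMANDS = r".*"

# Hypothetical stricter alternative for ping: host first, then only the listed
# numeric options. It uses only POSIX ERE constructs (alternation, grouping,
# bracket classes, * and +); Junos has no Perl-style lookahead to exclude a word.
PING_STRICT = r"ping [^ ]+( (count|ttl|wait|tos) [0-9]+)*"
ALLOW_COMMANDS_STRICT = ALLOW_COMMANDS.replace(r"(ping [^r]*)", "(" + PING_STRICT + ")")


def authorized(command, allow=ALLOW_COMMANDS, deny=DENY_COMMANDS):
    """Model the Junos decision for one operational-mode command line.

    Assumptions (see lead-in): the regex must match the whole command line, and
    a match in allow-commands wins over a match in deny-commands; the
    deny ".*" plus allow-list pattern in the post only works under that rule.
    Returns True (allowed), False (denied) or None (neither regex matched, so
    the login class permissions decide).
    """
    if re.fullmatch(allow, command):
        return True
    if re.fullmatch(deny, command):
        return False
    return None


def blocked_by_r(keywords):
    """Return the ping keywords that "ping [^r]*" can never accept."""
    return sorted(k for k in keywords if "r" in k)


# Constructed sample of command lines a restricted user might type.
SAMPLE_COMMANDS = [
    "show route",
    "show route 10.0.0.0/8 detail",
    "show bgp summary",
    "show bgp neighbor",
    "ping 10.0.0.1 count 5",
    "ping 10.0.0.1 rapid",
    "ping 10.0.0.1 source 10.0.0.2",
    "ping router1.example.net",
    "traceroute 10.0.0.1",
    "configure",
    "request system reboot",
]

# Ping keywords from the "ping ?" output in the post plus a few other Junos ping
# options quoted from memory of the CLI, not from the page.
PING_KEYWORDS = [
    "count", "detail", "inet", "inet6", "size", "tos", "ttl", "wait",
    "rapid", "source", "routing-instance", "record-route", "interface",
]


def evaluate(commands=SAMPLE_COMMANDS):
    """Return {command: (verdict with the post's regex, verdict with PING_STRICT)}."""
    return {c: (authorized(c), authorized(c, ALLOW_COMMANDS_STRICT)) for c in commands}


if __name__ == "__main__":
    for cmd, (loose, strict) in evaluate().items():
        print(f"{cmd:35} post-regex={loose!s:5} strict={strict!s:5}")
    print("ping keywords unreachable with [^r]*:", blocked_by_r(PING_KEYWORDS))
```

Running it shows the side effect of the character class: "ping 10.0.0.1 source 10.0.0.2" and "ping router1.example.net" are denied by the post's regex although neither is a rapid ping, while the keyword-enumerating PING_STRICT permits hostnames with an "r" and still denies "rapid" and "size". Whichever form you choose, keep the regex free of lookahead and anchors that Junos' POSIX ERE does not understand, and verify the result with "ping ?" on the device as the post does.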
admin (Site Admin)
Post subject: Re: Junos tacacs plus authentication for restricted privileges user with ping restrictions  |  Posted: Wed Jun 26, 2013 9:52 am
Good documentation link: http://www.juniper.net/techpubs/software/junos/junos95/swconfig-access-privilege/id-10521195.html

How to configure TACACS+ authentication on J-Series and SRX platforms http://kb.juniper.net/InfoCenter/index?page=content&id=KB17269
Configuring TACACS+ Authentication http://www.juniper.net/techpubs/en_US/junos/topics/task/configuration/tacacs-authentication-configuring.html
