Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Topic review - Junos tacacs plus authentication for restricted privileges user with ping restrictions
Post subject: Re: Junos tacacs plus authentication for restricted privileges user with ping restrictions  |  Post Posted: Wed Jun 26, 2013 9:52 am
Good documentation link:

How to configure TACACS+ authentication on J-Series and SRX platforms
Configuring TACACS+ Authentication
Post subject: Junos tacacs plus authentication for restricted privileges user with ping restrictions  |  Post Posted: Wed Jun 26, 2013 9:40 am
Below is my tacacs plus configuration:
# Shared secret between the J/SRX device and the TACACS+ server. Of course you should change this.
key = juniper123

# The "juniper" TACACS+ user inherits the privileges of the Junos-defined local user "testuser" on the J/SRX device
user = juniper {
        login = cleartext juniper123
        service = junos-exec {
               local-user-name = testuser
               allow-commands = "(show route)|(show route .*)|(quit)|(ping [^r]*)|(traceroute .*)|(show bgp summary)"
               # The Junos attribute is "allow-configuration" (singular); replace the placeholder with the configuration regex you want to allow
               allow-configuration = <allow-configuration-regex>
               deny-commands = ".*"
               deny-configuration = "system"
        }
}

The above TACACS+ configuration defines a "junos-exec" service that contains, of course, Junos-specific directives (these directives can be configured in the user's class also, but that is beyond the purpose of this post).

Most important to understand is that "*-commands" directives refer to operational mode commands and "*-configuration" directives refer to configuration mode.
In the above configuration I'm denying all operational commands (deny-commands = ".*"), so configuration mode will not be possible, but I'm allowing some:
- show route (without any arguments)
- show route (with all arguments)
- quit (of course, you want users to be able to quit, right ?)
- ping (without arguments starting with "r"; I don't want the Junos restricted user to ping rapidly)
- traceroute (with all arguments, but probably I should restrict some of them... maybe suggestions?)
- show bgp summary (in case this is a public BGP route mirror).

And below is the outcome of this:
juniper@CORE_R1> ?   
Possible completions:
  ping                 Ping remote target
  quit                 Exit the management session
  show                 Show system information
  traceroute           Trace route to remote host
juniper@CORE_R1> show ?
Possible completions:
  bgp                  Show Border Gateway Protocol information
  route                Show routing table information
juniper@CORE_R1> show bgp ?
Possible completions:
  summary              Show overview of BGP information
juniper@CORE_R1> show route ?
Possible completions:
  <[Enter]>            Execute this command
  <destination>        IP address and optional prefix length of destination
  active-path          Show active paths
  advertising-protocol  Show information in format intended for particular routing protocol
  all                  Show all entries, including hidden entries
  aspath-regex         BGP AS path regular expression for entries to match
  best                 Show longest matching route
  brief                Display brief output
  ccc                  Name of entry in MPLS table with a circuit cross-connect interface
+ community            Identifier for community (can include wildcards)
  community-name       Name of configured community policy to match
  damping              Show entries subjected to particular kind of route damping
  detail               Display detailed output
  exact                Show routes that match exactly
  export               Show instance export information
  extensive            Display extensive output
  flow                 Show flow routing information
  forwarding-table     Show entries in all forwarding tables
  hidden               Show hidden entries
  inactive-path        Show inactive paths
  inactive-prefix      Show inactive route destinations
  instance             Show routing instances information
  label                Label of entry in MPLS routing table
  label-switched-path  Name of LSP tunnel associated with entries
  logical-system       Name of logical system, or 'all'
  martians             Show martian networks
  match-prefix         Regular expression to match formatted prefix
  next-hop             IP address of next hop that is destination for entries
  no-community         Show entries with no associated community
  output               Show entries sent out a particular interface
  private              Show private table routes
  protocol             Name of protocol that is source for entries
  range                Show all entries in prefix range
  rd-prefix            Route distinguisher with ip prefix (rd:prefix)
  receive-protocol     Show information in format received from particular routing protocol
  resolution           Show next-hop resolution database
  rib-groups           Show group of routing tables
  snooping             Show routes for multicast snooping
  source-gateway       IP address of source router for entries
  static-label-switched-path  Name of static LSP tunnel associated with entries
  summary              Show routing table statistics
  table                Name of routing table
  terse                Display terse output
  |                    Pipe through a command
juniper@CORE_R1> ping ?           
Possible completions:
  <host>               Hostname or IP address of remote host
  atm                  Ping remote Asynchronous Transfer Mode node
  count                Number of ping requests to send (1..2000000000 packets)
  detail               Display incoming interface of received packet
  inet                 Force ping to IPv4 destination
  inet6                Force ping to IPv6 destination
  logical-system       Name of logical system
  mpls                 Ping label-switched path
  size                 Size of request packets (0..65468 bytes)
  tos                  IP type-of-service value (0..255)
  ttl                  IP time-to-live value (IPv6 hop-limit value) (1..255 hops)
  vpls                 Ping VPLS MAC address
  wait                 Maximum wait time after sending final packet (seconds)
juniper@CORE_R1> traceroute ?     
Possible completions:
  <host>               Hostname or address of remote host
  gateway              Address of router gateway to route through
  inet                 Force traceroute to IPv4 destination
  inet6                Force traceroute to IPv6 destination
  logical-system       Name of logical system
  mpls                 Trace MPLS paths
  tos                  IP type-of-service field (IPv4) (0..255)
  ttl                  IP maximum time-to-live value (or IPv6 maximum hop-limit value)
  wait                 Number of seconds to wait for response (seconds)
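An offline check of the allow-commands / deny-commands pair from the post above, added here as an example; it is not part of the original post or of any Juniper tooling. It assumes that Junos matches each regex against the whole typed command (which is what the author's use of both (show route) and (show route .*) implies) and that an allow-commands match takes precedence over a deny-commands match. The tighter ALLOW_TIGHT pattern and the sample command list are constructed for this example; the patterns stay within POSIX ERE syntax so they could be pasted into a tac_plus service unchanged.

```python
"""
Model of Junos allow-commands / deny-commands evaluation for a TACACS+ junos-exec service.

Assumptions (not taken from the post):
  * the regex is matched against the whole command string (full match);
  * an allow-commands match wins over a deny-commands match;
  * if neither matches, the login class permissions decide ("class-default").
"""
import re

# Regexes copied from the post's tac_plus configuration.
ALLOW_ORIGINAL = r"(show route)|(show route .*)|(quit)|(ping [^r]*)|(traceroute .*)|(show bgp summary)"
DENY_ALL = r".*"

# Tighter alternative (a suggestion, not from the post): only address literals as
# targets, a whitelist of options, and bounded numeric values, so "rapid",
# "source" and huge counts cannot appear anywhere in the command.
_PING_OPTS = r"( count [0-9]{1,3}| size [0-9]{1,4}| ttl [0-9]{1,3}| wait [0-9]{1,2})*"
ALLOW_TIGHT = (
    r"(show route)|(show route .*)|(quit)|(show bgp summary)"
    r"|(ping (inet |inet6 )?[0-9A-Fa-f.:]+" + _PING_OPTS + r")"
    r"|(traceroute (inet |inet6 )?[0-9A-Fa-f.:]+( ttl [0-9]{1,3}| wait [0-9]{1,2})*)"
)

# Constructed sample commands a restricted user might type.
SAMPLE_COMMANDS = [
    "show route",
    "show route 192.0.2.0/24 detail",
    "show bgp summary",
    "show bgp neighbor",
    "quit",
    "ping 192.0.2.1",
    "ping 192.0.2.1 rapid",
    "ping 192.0.2.1 count 3 rapid",
    "ping router1.example.net",            # no "rapid", but the target contains an "r"
    "ping 192.0.2.1 source 10.0.0.1",      # "source" contains an "r"
    "ping 192.0.2.1 count 999999 size 65468",
    "ping 2001:db8::1 count 5 size 1400",
    "traceroute 192.0.2.1",
    "traceroute 192.0.2.1 gateway 10.0.0.1",
    "configure",
    "show configuration",
]


def junos_verdict(command: str, allow: str, deny: str) -> str:
    """Return "allow", "deny" or "class-default" for one operational command.

    Only surrounding whitespace is stripped; the router's own normalisation of
    the command string is not modelled here.
    """
    cmd = command.strip()
    if re.fullmatch(allow, cmd):
        return "allow"          # explicit allow takes precedence
    if re.fullmatch(deny, cmd):
        return "deny"
    return "class-default"      # fall back to the login class permissions


def evaluate(commands, allow: str, deny: str) -> dict:
    """Map every command to its verdict under the given regex pair."""
    return {c: junos_verdict(c, allow, deny) for c in commands}


if __name__ == "__main__":
    original = evaluate(SAMPLE_COMMANDS, ALLOW_ORIGINAL, DENY_ALL)
    tight = evaluate(SAMPLE_COMMANDS, ALLOW_TIGHT, DENY_ALL)
    print(f"{'command':45} {'original':15} tight")
    for cmd in SAMPLE_COMMANDS:
        print(f"{cmd:45} {original[cmd]:15} {tight[cmd]}")
```

Running it shows what (ping [^r]*) really does: it blocks "ping ... rapid", but it also rejects any target or option containing the letter r (a hostname such as router1.example.net, the source option) while still letting through "ping 192.0.2.1 count 999999 size 65468", which is a flood in all but name. The tighter pattern limits targets to address literals (which also avoids DNS lookups from the router), bounds the numeric options, and applies the same idea to traceroute, which the post left open for suggestions. Whatever pattern you settle on, test it this way before handing the account out; remember that on the router itself the regexes are POSIX extended, so lookahead and other Python-only syntax would not be accepted.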
