Junos OS


Login class / allow-configuration / deny-configuration

  • 1.  Login class / allow-configuration / deny-configuration

    Posted 05-07-2020 00:01

    Hello,

     

    Given the configuration:

     

    set system login class Test-permissions idle-timeout 60

    set system login class Test-permissions permissions all

    set system login class Test-permissions allow-commands "(configure private)"

    set system login class Test-permissions deny-commands "(configure)|(configure exclusive)"

    set system login class Test-permissions allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)"

    set system login class Test-permissions deny-configuration "(protocols bgp disable)|(protocols isis disable)|(protocols mpls disable)|(protocols ldp disable)|(system login)|(interfaces lo0)|(interfaces.* vlan-tagging)|(interfaces.* flexible-vlan-tagging)|(interfaces.* per-unit-scheduler)|(interfaces.* disable)|(class-of-service interfaces.* output-traffic-control-profile)|(interfaces .* hierarchical-scheduler)|(interfaces.*)"

     

    When I try to execute a command that is listed in allow-configuration, for example:

    aminzat@R1# set interfaces ge-0/0/8 unit 0 family inet mtu 9

    It works.

    When trying to apply a filter on an interface, it does not work.

    # set interfaces xe-4/2/0 unit 200 family inet filter input Filter-100M-policing
    error: permission denied for interfaces: Filter-100M-policing

    Upon removing (interfaces.*), this command works.

    Is the configuration wrong, or is it a bug?



  • 2.  RE: Login class / allow-configuration / deny-configuration
    Best Answer

    Posted 05-07-2020 01:19

    Hi rocketfkinscience,

    Greetings,

    This is a configuration issue. You will have to add (interfaces .* unit .* family * inet * filter * input) to the allow-commands along with the existing configuration, as the filter has multiple types, namely input and output; the configuration should match the type first and then specify the name Filter-100M-policing.

    Ideally, you will have to configure the allow as below:

    set system login class Test-permissions allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input)|(interfaces .* unit .* family * inet * filter * input .*)"

     

    Please mark "Accept as solution" if this answers your query.

    Kudos are appreciated too!

    Regards,

    Sharat Ainapur



  • 3.  RE: Login class / allow-configuration / deny-configuration

    Posted 05-08-2020 00:24

    Hello,

     

    I added the missing line to the configuration and am still getting the same error:

     

    root@R2# show system login
    class Test-permissions {
        idle-timeout 60;
        permissions all;
        allow-commands "(configure private)";
        deny-commands "(configure)|(configure exclusive)";
        allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)|(interfaces .* unit .* family * inet * filter * input);";
        deny-configuration "(protocols bgp disable)|(protocols isis disable)|(protocols mpls disable)|(protocols ldp disable)|(system login)|(interfaces lo0)|(interfaces.* vlan-tagging)|(interfaces.* flexible-vlan-tagging)|(interfaces.* per-unit-scheduler)|(interfaces.* disable)|(class-of-service interfaces.* output-traffic-control-profile)|(interfaces .* hierarchical-scheduler)|(interfaces.*)";
    }
    user aminzat {
        uid 2001;
        class Test-permissions;
        authentication {
            encrypted-password "$6$qfy/0CzX$cs6NBTrl9gB58nV2nl/gNvq3Ms59SsDOMPH9YetK49XWz88BJ1o7PC8WTdn3L/IMT2YpPc9tylcBqvgeyclOK0"; ## SECRET-DATA
        }
    }

     

    The result:

     

    [edit]
    aminzat@R2# set interfaces ge-0/0/8 unit 0 family inet filter input ?
    Possible completions:
    <filter-name> Name of the filter
    tst [firewall filter]
    [edit]
    aminzat@R2# set interfaces ge-0/0/8 unit 0 family inet filter input tst
    error: permission denied for interfaces: tst

    [edit]
    aminzat@R2# set interfaces ge-0/0/8 unit 0 family inet filter input tst
    error: permission denied for interfaces: tst

    [edit]
    aminzat@R2# run show version
    Hostname: R2
    Model: mx960
    Junos: 18.4R2.7

     

    Regards,

    Alex



  • 4.  RE: Login class / allow-configuration / deny-configuration

    Posted 05-08-2020 00:51

    Hi rocketfkinscience,

     

    Greetings, 

     

    Can you add the below config and verify this? 

    Add the statement below from your permitted user and commit. Open a new session for aminzat after the commit and then check again. Meanwhile, I will check on your specified version, Junos: 18.4R2.7, and model, mx960.

     

    set system login class Test-permissions allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input)|(interfaces .* unit .* family * inet * filter * input .*)"

     

     

    Please mark "Accept as solution" if this answers your query.

    Kudos are appreciated too!

    Regards,

    Sharat Ainapur



  • 5.  RE: Login class / allow-configuration / deny-configuration

     
    Posted 05-08-2020 01:12

    Hello Rocketfkinscience,

     

    I see an extra semicolon [ ; ] at the end in the allow-configuration in the output you have attached.

     

    allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)|(interfaces .* unit .* family * inet * filter * input);";

     

    I performed the test below on an MX480 running 19.1R1-S4.2 and was able to run the command.

    labroot@XXXX> show version
    Hostname: jtac-mx480-r2032-re0
    Model: mx480
    Junos: 19.1R1-S4.2

     

    labroot@XXXX# show system login
    class Test-permissions {
        idle-timeout 60;
        permissions all;
        allow-commands "(configure private)";
        deny-commands "(configure)|(configure exclusive)";
        allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)|(interfaces .* unit .* family * inet * filter * input)";
        deny-configuration "(protocols bgp disable)|(protocols isis disable)|(protocols mpls disable)|(protocols ldp disable)|(system login)|(interfaces lo0)|(interfaces.* vlan-tagging)|(interfaces.* flexible-vlan-tagging)|(interfaces.* per-unit-scheduler)|(interfaces.* disable)|(class-of-service interfaces.* output-traffic-control-profile)|(interfaces .* hierarchical-scheduler)|(interfaces.*)";
    }
    user test {
        uid 2000;
        class Test-permissions;
        authentication {
            encrypted-password "$6$07JR2.fn$10HsjKLPDHj2.buTXLSAvDZ/6OThheF7ecDUSopU5uBr8S5wHi4W0RG4b1jq5b0pSyabkczrQFJzfGBsgMax9."; ## SECRET-DATA
        }
    }

     

    Logged out from the "labroot" user and logged in as the user "test".

     

    login: test
    Password:
    Last login: Thu May 7 11:03:07 from 172.29.186.149

    --- JUNOS 19.1R1-S4.2 Kernel 64-bit JNPR-11.0-20191223.5f5c7dc_buil

    test@XXXX> configure private
    warning: uncommitted changes will be discarded on exit
    Entering configuration mode


    [edit]
    test@XXXX# set interfaces ge-0/0/8 unit 0 family inet filter input tst

    [edit]
    test@XXXX# show | compare
    [edit interfaces]
    +   ge-0/0/8 {
    +       unit 0 {
    +           family inet {
    +               filter {
    +                   input tst;
    +               }
    +           }
    +       }
    +   }

     

    Please copy-paste the allow configuration below onto the device with "root" credentials.

     

    #set system login class Test-permissions allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)|(interfaces .* unit .* family * inet * filter * input)"

     

    I hope this helps. Please mark this post "Accept as solution" if this answers your query.

    Kudos are appreciated too!

    Best Regards,

    Lingabasappa H



  • 6.  RE: Login class / allow-configuration / deny-configuration

    Posted 05-11-2020 00:48

    Hello,

     

    It didn't work.

    Still getting the permission denied statement.

    I will try on an actual physical device, as I was testing in a virtual environment.

     

    Regards



  • 7.  RE: Login class / allow-configuration / deny-configuration

    Posted 05-11-2020 01:00

    Hi rocketfkinscience

     

    Yes, please check this on a physical device.

    This worked on a lab device, and that is the reason we shared the sample config. Please share the version on the physical device with us after you try it. Also, I think you are logged in as root while making the changes and committing, then opening a new session as the new user after the commit and then trying the command. Am I right in my understanding?

     

    Regards, 

    Sharat



  • 8.  RE: Login class / allow-configuration / deny-configuration

    Posted 05-18-2020 04:48

    Hello,

     

    It works on a physical device.

    Thank you for the information provided.

     

    Is there any documentation about this knob?

     

    Regards.



  • 9.  RE: Login class / allow-configuration / deny-configuration

    Posted 05-18-2020 05:09

    Hi rocketfkinscience, 

     

    Greetings,

     

    Per my understanding, there is no specific document for this.

    I will recheck and update you on this thread. Thanks.

     

    Regards, 

    Sharat



  • 10.  RE: Login class / allow-configuration / deny-configuration

     
    Posted 05-07-2020 02:12

    Hi rocketfkinscience,

     

    When I checked this in the lab, I saw this config working. Can you share the version on which you are executing these commands?

    1.PNG

     

     

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too

     

    Kudos are appreciated too  🙂 

     

    Regards,

    Nadeem



  • 11.  RE: Login class / allow-configuration / deny-configuration

     
    Posted 05-07-2020 04:14

    Hello All,

     

    Greetings!

     

    Once you dump the config below into the device, make sure you exit configuration mode (#) and re-enter it using "configure private" with the specified user, as configure private is the only command allowed to enter configuration mode.

     

    set system login class Test-permissions idle-timeout 60

    set system login class Test-permissions permissions all

    set system login class Test-permissions allow-commands "(configure private)"

    set system login class Test-permissions deny-commands "(configure)|(configure exclusive)"

    set system login class Test-permissions allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)"

    set system login class Test-permissions deny-configuration "(protocols bgp disable)|(protocols isis disable)|(protocols mpls disable)|(protocols ldp disable)|(system login)|(interfaces lo0)|(interfaces.* vlan-tagging)|(interfaces.* flexible-vlan-tagging)|(interfaces.* per-unit-scheduler)|(interfaces.* disable)|(class-of-service interfaces.* output-traffic-control-profile)|(interfaces .* hierarchical-scheduler)|(interfaces.*)"

     

    Create a user "test", map it to the class "Test-permissions" and set a 6-digit plain-text password (for example, test123).

     

    Then exit the terminal and try to log in to the device with the "test" login and "test123" password. Then enter configuration mode only with "configure private".

     

    After entering configure private mode, the user cannot view the "show system login" command, as it is not in the allowed configuration list.

     

    Lab output:


    login: test
    Password:
    Last login: Thu May 7 10:16:31 from 172.29.186.149

    --- JUNOS 19.1R1-S4.2 Kernel 64-bit JNPR-11.0-20191223.5f5c7dc_buil
    test@jtac-mx480-r2032-re0> configure ?
    Possible completions:
    private Work in private database (other's changes do not show)   -- Only 1 option.
    test@jtac-mx480-r2032-re0> configure private
    warning: uncommitted changes will be discarded on exit
    Entering configuration mode
    Users currently editing the configuration:
    labroot terminal pts/1 (pid 15828) on since 2020-05-07 10:00:00 UTC, idle 00:28:05
    [edit]

    [edit]
    test@jtac-mx480-r2032-re0# show system lo?   
    Possible completions:
    > location Location of the system, in various forms
    [edit]
    test@jtac-mx480-r2032-re0# show system login ---- "show system login is not allowed"
    ^
    syntax error.

     

    To make any change to the above configuration, you need to log back in with a user having super-user class credentials and modify the configuration.

     

    ---------------------------------------------------------

    Coming to the configuration issue:

     

    Yes, the issue is with the existing configuration. You need to add (interfaces .* unit .* family * inet * filter * input). The allow-configuration should first match the filter type and then the filter name.

     

    allow-configuration "(interfaces .* unit .* family * inet * address .*)|(interfaces .* unit .* family * inet6 * address .*)|(interfaces .* unit .* family * inet6 * mtu .*)|(interfaces .* unit .* family * inet * mtu .*)|(interfaces .* unit .* vlan-id .*)|(interfaces .* unit .* description .*)|(interfaces .* unit .* bandwidth .*)|(class-of-service interfaces .* unit .* output-traffic-control-profile)|(interfaces .* unit .* disable)|(interfaces .* unit .* family * inet * rpf-check * mode.* loose)|(interfaces .* unit .* family * inet * filter * input .*)|(interfaces .* unit .* family * inet * filter * input)";

     

    I hope this helps. Please mark "Accept as solution" if this answers your query.

     

    Kudos are appreciated too! 

     

    Best Regards,

    Lingabasappa H
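To make the point in posts 2 and 11 concrete (the allow pattern must match the filter type before it can match the filter name), here is an added Python script that is not from the thread or from Juniper; it evaluates the class's own allow and deny patterns against the statement paths from the thread. It assumes each alternative is applied as an anchored Python regex over the space-joined statement path and that an allow match takes precedence over a deny match; both are modelling assumptions for illustration, not Junos documentation.

```python
import re

# Allow/deny patterns copied from the thread's Test-permissions class; the
# unrelated alternatives are dropped to keep the example short.
ALLOW_ORIGINAL = (
    "(interfaces .* unit .* family * inet * mtu .*)"
    "|(interfaces .* unit .* family * inet * filter * input .*)"
)
# The alternative the answers say is missing: the path without a filter name.
ALLOW_FIXED = ALLOW_ORIGINAL + "|(interfaces .* unit .* family * inet * filter * input)"
DENY = "(interfaces lo0)|(interfaces.* disable)|(interfaces.*)"

# Paths built from the thread's commands (constructed sample input); the
# "type only" path is the statement as far as the filter direction.
FULL_PATH = "interfaces ge-0/0/8 unit 0 family inet filter input tst"
TYPE_ONLY_PATH = "interfaces ge-0/0/8 unit 0 family inet filter input"
MTU_PATH = "interfaces ge-0/0/8 unit 0 family inet mtu 9"


def alternatives(regex: str) -> list[str]:
    """Split a Junos-style '(a)|(b)|(c)' string into its bare alternatives."""
    return [alt.strip("()") for alt in regex.split("|")]


def matching_alternatives(regex: str, path: str) -> list[str]:
    """Alternatives that match the whole path (anchored matching is an assumption)."""
    return [alt for alt in alternatives(regex) if re.fullmatch(alt, path)]


def decide(allow: str, deny: str, path: str) -> str:
    """Model of the thread's behaviour: an allow match wins, otherwise a deny match blocks."""
    if matching_alternatives(allow, path):
        return "allowed"
    if matching_alternatives(deny, path):
        return "denied"
    return "not-restricted"  # falls back to the class's permissions (all, here)


if __name__ == "__main__":
    for label, allow in (("original", ALLOW_ORIGINAL), ("fixed", ALLOW_FIXED)):
        for path in (TYPE_ONLY_PATH, FULL_PATH, MTU_PATH):
            print(f"{label:8} {decide(allow, DENY, path):15} {path}")
```

The trailing `.*` in `filter * input .*` requires a space after `input`, so the path without a filter name matches only the shorter alternative, while the catch-all `(interfaces.*)` in deny-configuration matches every path under interfaces, which is why removing it also made the command work.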