Junos OS

 View Only
last person joined: yesterday 

Ask questions and share experiences about Junos OS.
  • 1.  Command Authorization (local|remote)

    Posted 01-17-2022 05:41
    Edited by spuluka 01-17-2022 07:17
    Hello Junos community, I am a new Juniper user and I am trying to understand the command authorization syntax in junos. I am referring to this guide for help: User Access and Authentication Administration Guide for Junos OS
    Juniper remove preview
    User Access and Authentication Administration Guide for Junos OS
    Junos OS enables you to configure user access and authentication features at the [edit system] hierarchy level of the CLI. Essential user access features include login classes, user accounts, access privilege levels, and user authentication methods. Use the topics on this page to configure essential user access features for your system.
    View this on Juniper >

    I would like to do the following:
    1) the user should not be able to issue delete (system|interfaces|system .*|interfaces ge.* unit .*)
    2) the user should be allowed to do all configuration here: [ edit interfaces ge.* unit .* ]. recurse down all levels.
    3) the user should be allowed to do configuration at [ edit system] but only these options: ([a-d]+)|(ntp)|(radius.*)|(tacplus.*)|(scri.*)|(process.*)|(proxy). recurse down all levels.
    4) the user should be allowed operational mode commands: (set cli)|(show .*)
    5) the user should have the following persmissions : [ configure system system-control interface interface-control]

    I have this configuration to achieve the above tasks:
    class test-users {
    idle-timeout 1;
    permissions [ configure system system-control interface interface-control ];
    allow-commands "(^set cli .*)|(^show .*)";
    allow-configuration "(interfaces ge.* unit .* .+)|(system (([a-d]+)|(ntp)|(radius.*)|(tacplus.*)|(scri.*)|(process.*)|(proxy)) .+ .+ .+ .+ .+ .+ .+)";
    deny-configuration "(interfaces$)|(interfaces ge-[0-9]/[0-9]/[0-9]$)|(system$)|(system .*$)";
    }
    Update: This configuration is not allowing me to delete anything under [edit system] but allows to delete under [edit interfaces ge.* unit .*]

    I am loving every single minute spent on junos and maybe I am just overthinking the problem solution.
    Please help me understand this better, I would be deeply grateful.

    Thank you for your consideration,
    Prashant Desai

    ------------------------------
    PRASHANT DESAI
    ------------------------------


  • 2.  RE: Command Authorization (local|remote)

    Posted 01-18-2022 05:25

    UPDATE:SOLVED

    I have achieved the goals but had to make a few changes in permissions. I decided to give the user least privilege "permissions [ configure interface system ]" and then allowed the specific commands and configuration hierarchy as needed.  Here is the configuration is used:

    class test-users {
    idle-timeout 1;
    permissions [ configure system interface ];
    allow-commands "(^set cli .*)|(^show .*)";
    allow-configuration "(interfaces ge.* unit .* .+)|(system (ntp|services|radius.*|tacplus.*|scri.*|process.*|proxy.*|[a-d]+) .*)";
    }
    Now the user cannot issue the following commands:
    1) delete system 2) delete interfaces 3) delete interfaces ge-0/0/1 (ge.*) 4) delete interfaces ge-0/0/1 unit 0
    5) delete system ntp 6) delete system radius-server
    The user can issue the following commands
    1) delete interfaces ge-0/0/1 unit 0 family inet or any variant under unit 0 hierarchy.
    2) delete system services ssh or delete system radius-server 172.16.1.1 secret myradiussecret

    Any alternative solution someone can come up with would be most entertaining.



    ------------------------------
    PRASHANT DESAI
    ------------------------------