Routing

  • 1.  show configuration with nothing by TACACS+

    Posted 11-20-2018 01:49

    Hi 

     

    I got a problem while executing "show configuration": nothing can be seen after authenticating by TACACS+.

    Login, show interface, entering configure mode, and commit are all fine.

    But I can't get any information by "show configuration", not even "show configuration interface".

     

    Is there anything wrong with my configuration?

     

     ****** switch ****************

    class FET_L3 {
    permissions all;
    }

    user FET_L3 {
    uid 603;
    class FET_L3;
    }

    *****************************

     

    ******* TACACS+***********

    group = FET_L3 {
    acl = FET_L3
    login = file /etc/passwd
    service = junos-exec {
    local-user-name = FET_L3
    user-permissions = "configure"
    allow-commands1 = "ping.*"
    allow-commands2 = "traceroute.*"
    allow-commands10 = "show.*"
    allow-commands11 = "configure"
    allow-commands12 = "rollback.*"
    allow-commands13 = "commit.*"
    allow-commands14 = "exit"
    allow-commands15 = "monitor.*"
    deny-commands1 = ".*"
    allow-configuration1 = "interface.*"
    allow-configuration2 = "vlans.*"
    allow-configuration3 = "protocols ospf.*"
    allow-configuration4 = "protocols rstp.*"
    allow-configuration5 = "system.*"
    deny-configuration1 = ".*"
    }
    }

    user = alex_L3 {
      member = FET_L3
    }

     

    *************************************

     

    Best regards,

    Cloud


    #TACACS+


  • 2.  RE: show configuration with nothing by TACACS+

    Posted 11-20-2018 01:55

    Hi,

    Please share the output of "show cli authorization"

     



  • 3.  RE: show configuration with nothing by TACACS+

    Posted 11-20-2018 02:11

    Hi Nellikka

     

    The information below is the output of show cli authorization.

     

    Best regards,

    Cloud

     

    alex_L3@KH02-SW03> show cli authorization
    Current user: 'FET_L3' login: 'alex_L3' class 'FET_L3'
    Permissions:
    admin -- Can view user accounts
    admin-control-- Can modify user accounts
    clear -- Can clear learned network info
    configure -- Can enter configuration mode
    control -- Can modify any config
    edit -- Can edit full files
    field -- Can use field debug commands
    floppy -- Can read and write the floppy
    interface -- Can view interface configuration
    interface-control-- Can modify interface configuration
    network -- Can access the network
    reset -- Can reset/restart interfaces and daemons
    routing -- Can view routing configuration
    routing-control-- Can modify routing configuration
    shell -- Can start a local shell
    snmp -- Can view SNMP configuration
    snmp-control-- Can modify SNMP configuration
    system -- Can view system configuration
    system-control-- Can modify system configuration
    trace -- Can view trace file settings
    trace-control-- Can modify trace file settings
    view -- Can view current values and statistics
    maintenance -- Can become the super-user
    firewall -- Can view firewall configuration
    firewall-control-- Can modify firewall configuration
    secret -- Can view secret statements
    secret-control-- Can modify secret statements
    rollback -- Can rollback to previous configurations
    security -- Can view security configuration
    security-control-- Can modify security configuration
    access -- Can view access configuration
    access-control-- Can modify access configuration
    view-configuration-- Can view all configuration (not including secrets)
    flow-tap -- Can view flow-tap configuration
    flow-tap-control-- Can modify flow-tap configuration
    idp-profiler-operation-- Can Profiler data
    pgcp-session-mirroring-- Can view pgcp session mirroring configuration
    pgcp-session-mirroring-control-- Can modify pgcp session mirroring configuration
    unified-edge-- Can view unified edge configuration
    unified-edge-control-- Can modify unified edge configuration
    storage -- Can view fibre channel storage protocol configuration
    storage-control-- Can modify fibre channel storage protocol configuration
    all-control -- Can modify any configuration
    Individual command authorization:
    Allow regular expression: (ping.*|traceroute.*|show.*|configure|rollback.*|commit.*|exit|monitor.*)
    Deny regular expression: (.*)
    Allow configuration regular expression: (interface.*)|(vlans.*)|(protocols ospf.*)|(protocols rstp.*)|(system.*)
    Deny configuration regular expression: (.*)



  • 4.  RE: show configuration with nothing by TACACS+
    Best Answer

    Posted 11-20-2018 06:02

    Hi,

    You have to change the permissions of the FET_L3 class on the switch to "view" and remove the "deny-configuration1 = ".*"" line from the TACACS+ configuration file.

     

    Switch:

    +++++++++

        login {
            class FET_L3 {
                permissions view;
            }
            user FET_L3 {
                uid 603;
                class FET_L3;
            }
        }

     

    Tacacs+:-

    ++++++++++

    group = FET_L3 {
    acl = FET_L3
    login = file /etc/passwd
    service = junos-exec {
    local-user-name = FET_L3
    user-permissions = "configure"
    allow-commands1 = "ping.*"
    allow-commands2 = "traceroute.*"
    allow-commands10 = "show.*"
    allow-commands11 = "configure"
    allow-commands12 = "rollback.*"
    allow-commands13 = "commit.*"
    allow-commands14 = "exit"
    allow-commands15 = "monitor.*"
    deny-commands1 = ".*"
    allow-configuration1 = "interface.*"
    allow-configuration2 = "vlans.*"
    allow-configuration3 = "protocols ospf.*"
    allow-configuration4 = "protocols rstp.*"
    allow-configuration5 = "system.*"
    #deny-configuration1 = ".*"
    }
    }

    user = alex_L3 {
      member = FET_L3
    }
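A small pre-deployment check for the fix in the accepted answer, added here as an example and not code from the thread, from Juniper or from the tac_plus project: it parses the junos-exec stanza of a tac_plus group, rebuilds the combined regexes the way "show cli authorization" prints them, and flags a deny-configuration entry that cancels every allow-configuration entry. The sample stanza, the sample hierarchy paths, and the evaluation rule (a path is usable only if an allow-configuration regex matches it and no deny-configuration regex does, which is what the answer relies on when it removes the catch-all deny) are constructed assumptions for this example, not a full model of Junos authorization.

```python
import re

# Constructed sample: the tac_plus "junos-exec" stanza posted in the thread,
# in the original form that hid "show configuration" from the user.
ORIGINAL_STANZA = """\
group = FET_L3 {
    acl = FET_L3
    login = file /etc/passwd
    service = junos-exec {
        local-user-name = FET_L3
        user-permissions = "configure"
        allow-commands1 = "ping.*"
        allow-commands2 = "traceroute.*"
        allow-commands10 = "show.*"
        allow-commands11 = "configure"
        allow-commands12 = "rollback.*"
        allow-commands13 = "commit.*"
        allow-commands14 = "exit"
        allow-commands15 = "monitor.*"
        deny-commands1 = ".*"
        allow-configuration1 = "interface.*"
        allow-configuration2 = "vlans.*"
        allow-configuration3 = "protocols ospf.*"
        allow-configuration4 = "protocols rstp.*"
        allow-configuration5 = "system.*"
        deny-configuration1 = ".*"
    }
}
"""

# The same stanza after the accepted answer's fix: the catch-all
# deny-configuration line is commented out.
FIXED_STANZA = ORIGINAL_STANZA.replace(
    'deny-configuration1 = ".*"', '#deny-configuration1 = ".*"'
)

# Constructed hierarchy paths a FET_L3 user would need, one per allow pattern.
SAMPLE_PATHS = [
    "interfaces ge-0/0/0 unit 0",
    "vlans v10 vlan-id 10",
    "protocols ospf area 0.0.0.0",
    "protocols rstp interface ge-0/0/0",
    "system host-name KH02-SW03",
]

# allow-commands1 / deny-configuration12 / ...: action, kind, numeric suffix, quoted value.
ATTR_RE = re.compile(r'^\s*(allow|deny)-(commands|configuration)(\d*)\s*=\s*"(.*)"\s*$')


def parse_junos_exec(stanza):
    """Collect junos-exec attributes grouped by kind and ordered by numeric
    suffix (so allow-commands2 precedes allow-commands10). A line starting
    with '#' never matches ATTR_RE, so commented-out lines are skipped just
    as tac_plus skips them."""
    found = {}
    for line in stanza.splitlines():
        m = ATTR_RE.match(line)
        if m:
            action, kind, idx, pattern = m.groups()
            found.setdefault(f"{action}-{kind}", []).append((int(idx or 0), pattern))
    return {kind: [p for _, p in sorted(v)] for kind, v in found.items()}


def command_regex(patterns):
    """Join command patterns the way 'show cli authorization' displays them."""
    return "(" + "|".join(patterns) + ")"


def configuration_regex(patterns):
    """Join configuration patterns the way 'show cli authorization' displays them."""
    return "|".join(f"({p})" for p in patterns)


def denied_config_paths(parsed, paths):
    """Assumed rule: a path is usable only if some allow-configuration regex
    matches it and no deny-configuration regex does. Returns the blocked paths."""
    allow = [re.compile(p) for p in parsed.get("allow-configuration", [])]
    deny = [re.compile(p) for p in parsed.get("deny-configuration", [])]
    return [
        path for path in paths
        if not any(r.fullmatch(path) for r in allow)
        or any(r.fullmatch(path) for r in deny)
    ]


def lint_stanza(stanza, paths=SAMPLE_PATHS):
    """Flag a deny-configuration regex that blocks every path the allow
    entries would have granted, i.e. a catch-all such as ".*"."""
    parsed = parse_junos_exec(stanza)
    allow = [re.compile(p) for p in parsed.get("allow-configuration", [])]
    reachable = [p for p in paths if any(r.fullmatch(p) for r in allow)]
    findings = []
    for pat in parsed.get("deny-configuration", []):
        if reachable and all(re.fullmatch(pat, p) for p in reachable):
            findings.append(f'deny-configuration "{pat}" overrides every allow-configuration entry')
    return findings


if __name__ == "__main__":
    for name, stanza in (("original", ORIGINAL_STANZA), ("fixed", FIXED_STANZA)):
        parsed = parse_junos_exec(stanza)
        print(f"== {name} ==")
        print("commands:      ", command_regex(parsed["allow-commands"]))
        print("configuration: ", configuration_regex(parsed["allow-configuration"]))
        print("denied paths:  ", denied_config_paths(parsed, SAMPLE_PATHS))
        print("findings:      ", lint_stanza(stanza))
```

Run it against the original stanza and every sample path is reported as denied, with one finding naming the ".*" entry; against the fixed stanza the denied list and the findings are both empty, while the command regex it rebuilds is the same one the "show cli authorization" output above prints. The catch-all deny-commands entry is left alone on purpose: the answer only removes the configuration one, and the user's ping/show/commit commands kept working with it in place.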