Junos
Visitor
Posts: 8
Registered: ‎10-06-2015
0 Kudos

Help with login classes.

How can we go about ensuring that our users:

* Can create and delete security policy (set/delete security policies from-zone trust to-zone untrust policy trust-to-untrust) and NAT rules (set/delete security nat source rule-set source-nat-1 rule rule-1 match source-address-name entry1)

* Cannot delete a whole rule set (delete security policies from-zone trust to-zone untrust) (delete security nat source rule-set source-nat-1 rule rule-1).

We use TACACS+ for authentication and all changes are made through Junos Space.

Have been playing with user roles, but cannot seem to make it work properly.

Juniper Employee
Posts: 20
Registered: ‎10-15-2014
0 Kudos

Re: Help with login classes.

Hi, please try the following. I tested it in the lab and it works.

set system login class test permissions configure
set system login class test permissions security
set system login class test permissions security-control
set system login class test allow-configuration "security policies from-zone trust to-zone untrust policy trust-to-untrust"
set system login class test deny-configuration "security policies from-zone trust to-zone untrust"
set system login class test allow-configuration "security nat source rule-set source-nat-1 rule rule-1 match source-address-name entry1"
set system login class test deny-configuration "security nat source rule-set source-nat-1 rule rule-1"

Visitor
Posts: 8
Registered: ‎10-06-2015
0 Kudos

Re: Help with login classes.

Thanks a lot. :-)

I have tried the suggested configuration and it works.

Two questions to elaborate.

* How can we combine several "allow-configuration" or "deny-configuration" in a single rule?

* In reality the rule-set and rules could have any name. I have tried to use * as a regex with your examples, but it does not work.

WORKS STANDALONE:
set system login class test permissions configure
set system login class test permissions security
set system login class test permissions security-control
set system login class test allow-configuration "security nat source rule-set source-nat-1 rule rule-1 match"
set system login class test deny-configuration "security nat source rule-set source-nat-1"

WORKS STANDALONE:
set system login class test permissions configure
set system login class test permissions security
set system login class test permissions security-control
set system login class test allow-configuration "security policies from-zone trust to-zone untrust policy trust-to-untrust"
set system login class test deny-configuration "security policies from-zone trust to-zone untrust"

NOT WORKING:
set system login class test permissions configure
set system login class test permissions security
set system login class test permissions security-control
set system login class test allow-configuration "(security nat source rule-set source-nat-1 rule rule-1 match) | (security policies from-zone trust to-zone untrust policy trust-to-untrust)"
set system login class test deny-configuration "(security nat source rule-set source-nat-1) | (security policies from-zone trust to-zone untrust)"

NOT WORKING:

set system login class test permissions configure
set system login class test permissions security
set system login class test permissions security-control
set system login class test allow-configuration "security policies from-zone * to-zone * policy *"
set system login class test deny-configuration "security policies from-zone * to-zone *"

Juniper Employee
Posts: 20
Registered: ‎10-15-2014
0 Kudos

Re: Help with login classes.

Hi, if you want to use regexes, you should use allow-configuration-regexps or deny-configuration-regexps.

Please check the following article which will explain how to do regex.

https://www.juniper.net/documentation/en_US/junos/topics/example/access-privileges-configuration-mod...

Visitor
Posts: 8
Registered: ‎10-06-2015
0 Kudos

Re: Help with login classes.

Hi

Thanks a lot.

I have been playing a bit, but cannot seem to make it work properly.

Have configured my login class as follows.

Result:

* I cannot delete a whole security policy set - delete security policies from-zone trust to-zone untrust. :-)

* I cannot delete one security policy - delete security policies from-zone trust to-zone untrust policy trust-to-untrust :-(

* I cannot delete a whole NAT rule set - delete security nat source rule-set source-nat-1 :-)

* I cannot delete a single NAT rule within my rule set - delete security nat source rule-set source-nat-1 rule 1 :-(

That makes sense because of those two "rules":
(as per https://www.juniper.net/documentation/en_US/junos/topics/example/access-privileges-configuration-mod...)

* You can configure as many regular expressions as needed to be allowed or denied. Regular expressions to be denied take precedence over configurations to be allowed.

* The allow/deny-configuration and allow/deny-configuration-regexps statements are mutually exclusive and cannot be configured together for a login class. At a given point in time, a login class can include either the allow/deny-configuration statement, or the allow/deny-configuration-regexps statement. If you have existing configurations using the allow/deny-configuration statements, using the same configuration options with the allow/deny-configuration-regexps statements might not produce the same results, as the search and match methods differ in the two forms of these statements.

My class:

set system login class test permissions configure
set system login class test permissions network
set system login class test permissions security
set system login class test permissions security-control
set system login class test allow-configuration-regexps "security policies from-zone .* to-zone .* policy.*"
set system login class test allow-configuration-regexps "security nat source rule-set .* rule .*"
set system login class test deny-configuration-regexps "security policies from-zone .* to-zone .*$"
set system login class test deny-configuration-regexps "security nat source rule-set .*$"

I have even tried to use only my allow-configuration-regexps (deleting deny-configuration-regexps) and vice versa, but neither of them works as planned.
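To see why both the set-level and the item-level deletes end up denied, here is an added example (not from this thread or from Juniper) that replays the quoted precedence rule over the posted class. It assumes each regexp is applied search-style to the configuration hierarchy path (verb omitted) and that any deny match wins over allow; the tightened \S+ deny patterns are a hypothesis to check in the lab, not confirmed Junos behaviour.

```python
import re

# Allow/deny regexps exactly as posted in the thread's last message.
ALLOW_POSTED = [
    r"security policies from-zone .* to-zone .* policy.*",
    r"security nat source rule-set .* rule .*",
]
DENY_POSTED = [
    r"security policies from-zone .* to-zone .*$",
    r"security nat source rule-set .*$",
]

# Hypothetical tightened deny patterns (assumption, not from the thread): \S+
# stops at the next space, so each pattern matches only the zone-pair or
# rule-set level, never a longer path that continues with "policy" or "rule".
DENY_TIGHT = [
    r"^security policies from-zone \S+ to-zone \S+$",
    r"^security nat source rule-set \S+$",
]

# The four hierarchy paths the poster tried to delete (constructed from the
# thread; the "delete" verb is assumed not to be part of the matched text).
PATHS = [
    "security policies from-zone trust to-zone untrust",
    "security policies from-zone trust to-zone untrust policy trust-to-untrust",
    "security nat source rule-set source-nat-1",
    "security nat source rule-set source-nat-1 rule 1",
]

def first_deny_hit(path, deny):
    """Return the first deny regexp that matches the path, or None."""
    return next((p for p in deny if re.search(p, path)), None)

def is_permitted(path, allow, deny):
    """Documented precedence: a deny match wins; otherwise an allow must match."""
    if first_deny_hit(path, deny) is not None:
        return False
    return any(re.search(p, path) for p in allow)

def evaluate(allow, deny, paths=PATHS):
    """Map each path to True (permitted) or False (denied)."""
    return {p: is_permitted(p, allow, deny) for p in paths}

if __name__ == "__main__":
    for label, deny in (("posted", DENY_POSTED), ("tightened", DENY_TIGHT)):
        print(f"--- deny regexps: {label}")
        for path, ok in evaluate(ALLOW_POSTED, deny).items():
            hit = first_deny_hit(path, deny)
            print(f"{'allow' if ok else 'DENY '}  {path}" + (f"  <- {hit}" if hit else ""))
```

With the posted patterns the greedy `.*` before `$` swallows the trailing "policy ..." or "rule ..." text, so the deny regexps match all four paths and the allow rules never get a say.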