Example Configuration

01	system {
02	    scripts {
03	        op {
04	            file check-cli-acl.slax;
05	        }
06	    }
07	}
08	 
09	event-options {
10	    policy no-cli-for-automation-user {
11	        events ui_login_event;
12	        attributes-match {
13	            ui_login_event.username matches "automation1|automation2";
14	        }
15	        then {
16	            /*
17	             * Invoke an event script to forcibly log out
18	             * the user who are not supposed to have CLI access.
19	             * If the "automation" user is logged in via NETCONF,
20	             * this script will have no effect.
21	             */
22	           event-script check-cli-acl.slax {
23	               arguments {
24	                   username "{$$.username}";                    
25	                   auth-subnet "0.0.0.0/32";
26	               }
27	           }      
28	        }
29	    }
30	    policy cli-for-admin-user {
31	        events ui_login_event;
32	        attributes-match {
33	            ui_login_event.username matches "admin1|admin2";
34	        }
35	        then {
36	            /*
37	             * Invoke an event script to check if the admin
38	             * user login via CLI is connected from an authorized
39	             * subnet, otherwise, forcibly log out the user.
40	             */
41	            event-script check-cli-acl.slax {
42	                arguments {
43	                    username "{$$.username}";
44	                    auth-subnet "172.17.27.0/24";
45	                }
46	            }      
47	        }
48	    }
49	}

SLAX Script Contents

001	/*
002	 * YOU MUST ACCEPT THE TERMS OF THIS DISCLAIMER TO USE THIS SOFTWARE.
003	 *
004	 * JUNIPER IS WILLING TO MAKE THE INCLUDED SCRIPTING SOFTWARE AVAILABLE TO YOU
005	 * ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS
006	 * DISCLAIMER. PLEASE READ THE TERMS AND CONDITIONS OF THIS DISCLAIMER CAREFULLY.
007	 *
008	 * THE SOFTWARE CONTAINED IN THIS FILE IS PROVIDED "AS IS".  JUNIPER MAKES NO
009	 * WARRANTIES OF ANY KIND WHATSOEVER WITH RESPECT TO SOFTWARE. ALL EXPRESS OR
010	 * IMPLIED CONDITIONS, REPRESENTATIVES AND WARRANTIES, INCLUDING ANY WARRANTY
011	 * OF NON-INFRINGEMENT OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR A
012	 * PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT
013	 * ALLOWED BY APPLICABLE LAW.
014	 *
015	 * IN NO EVENT WILL JUNIPER BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR
016	 * FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES
017	 * HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE
018	 * USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF JUNIPER HAS BEEN ADVISED OF
019	 * THE POSSIBILITY OF SUCH DAMAGES.
020	 *
021	 *
022	 * Author        : Roy Lee
023	 * Version       : 1.0
024	 * Last Modified : 2008-12-01
025	 *
026	 * Description   : check-cli-acl.slax
027	 * This event script is written to restrict the cli access with a given login
028	 * from an authorized subnet only. This can be easily extended to multiple
029	 * authorized subnets, or use 0.0.0.0/32 to deny any access.
030	 *
031	 *
032	 * Below is a sample event policy configuration which will be triggered
033	 * when the administrative user "adminX" has login to the device via CLI.
034	 * The name of the user and the authorized subnet are the two arguments passed
035	 * to the event-script.
036	 *
037	 * ---
038	 * event-options {
039	 *     policy cli-for-admin-user {
040	 *         events UI_LOGIN_EVENT;
041	 *         attributes-match {
042	 *             UI_LOGIN_EVENT.username matches "admin1|admin2";
043	 *         }
044	 *         then {
045	 *             event-script check-cli-acl.slax {
046	 *                 arguments {
047	 *                     username "{$$.username}";
048	 *                     auth-subnet "172.17.27.0/24";
049	 *                 }
050	 *             }      
051	 *         }
052	 *     }
053	 * }
054	 * ---
055	 *
056	 * When a CLI login with the matching username is found, the script
057	 * will compare its source IP with the authorized subnet. It will forcibly
058	 * log out the CLI user who is not connected from the authorized subnet. 
059	 *
060	 * If the requirement is to completely disallow CLI login for a given username
061	 * from any subnet, specify the value "0.0.0.0/32" as the auth-subnet argument.
062	 *
063	 */
064	 
065	version 1.0;
066	 
067	ns junos = "http://xml.juniper.net/junos/*/junos";
068	ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
069	ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
070	 
071	 
072	param $username;
073	param $auth-subnet;
074	 
075	match / {
076	    <op-script-results> {
077	          
078	        /*
079	         * "show system users no resolve" command displays
080	         *  only the user which has TTY assigned to it,
081	         *  which means the users who are logged in
082	         *  through the CLI.
083	         */
084	 
085	        var $cmd1 = <command> "show system users no-resolve";
086	        var $out1 = jcs:invoke($cmd1);
087	         
088	        for-each ($out1/uptime-information/user-table/user-entry[user=$username]) {
089	            var $ipaddr = from;
090	       
091	            /*
092	             * Process the authorized subnet params using jcs:parse-ip(),
093	             * then extract the subnet and prefix, i.e.
094	             *     auth-ip[3] is the prefix,
095	             *     auth-ip[4] is the subnet
096	             */
097	            var $auth-ip = jcs:parse-ip($auth-subnet);
098	 
099	            /*
100	             * Append the prefix to ipaddr and
101	             * then parse it
102	             */
103	            var $temp = $ipaddr _ "/" _ $auth-ip[3];
104	            var $user-ip = jcs:parse-ip($temp);
105	 
106	            /*
107	             * Now match the subnet
108	             */
109	            if ($user-ip[4] != $auth-ip[4]) {
110	                var $logout = {
111	                    <command> 'request system logout user ' _ $username _ " terminal " _ tty;
112	                }
113	 
114	                var $result = jcs:invoke($logout);
115	                expr jcs:output("Logging out cli user ", $username);
116	                expr jcs:output(" connected from an unauthorized subnet.");
117	            }
118	        }
119	    }         
120	}

XML Script Contents

01	<?xml version="1.0"?>
02	<script>
03	  <title>check-cli-acl.slax</title>
04	  <author>royklee</author>
05	  <synopsis>
06	    Enforces a login-based CLI access from an authorized subnet only
07	  </synopsis>
08	  <coe>event</coe>
09	  <type>login</type>
10	 
11	  <description>
12	This event script is to restrict the CLI access with a given login
13	from an authorized subnet only. This can be easily extended to
14	multiple subnets, or use  0.0.0.0/32 to deny any access. It uses
15	jcs:parse-ip extension function.
16	 
17	  </description>
18	 
19	  <example>
20	    <title>Configuration</title>
21	    <description>Configuration required for this event script</description>
22	    <config>example-1.conf</config>
23	  </example>
24	 
25	  <xhtml:script xmlns:xhtml="http://www.w3.org/1999/xhtml"
26	                src="../../../../../web/leaf.js"
27	            type="text/javascript"/>
28	</script>