Juniper MX Regular expressions and user permissions ACS 5.4

01-09-2014 04:17 AM

Hi everyone!

I'm having some trouble with regular expressions and permissions on our Juniper MX routers through ACS 5.4, and I would like some insight/help/pointers!

We have a team of engineers that should only have read-only permissions (important: show configuration) and also be able to just change the description on interfaces.

Thus far, with the following regular expressions set for the shell profile they are going through, I have managed the above; however, the problem is that when an engineer inputs "show configuration", only the interface descriptions configuration is shown! The rest of the configuration will not be printed.

deny-commands1=.*.
allow-commands1=configure
deny-configuration1=.*.
allow-commands2=interfaces .*. description .*$
allow-configuration1=interfaces .*. description .*$
allow-commands2=show configuration.*
allow-commands3=show configuration

(some of these regexes I know are not needed; I was just playing around to check everything before posting)

Any pointers as to why, or how to resolve this?

Example output with the above:

show configuration
## Last commit: 2014-01-09 09:34:44 EET by someone
interfaces {
    xe-0/0/0 {
    }
    xe-0/0/1 {
        description xxxx;
    }
    xe-0/1/0 {
        description xxxx;
    }
    xe-0/1/1 {
        description xxxx;
    }
    xe-0/2/0 {
        disable;
    }
    xe-0/2/1 {
        description xxxx;
    }
    xe-0/3/0 {
        description xxxx;
    }
    xe-0/3/1 {
        description xxxx;
    }
    ae0 {
        description "xxxx";
    }
    ae1 {
        description xxxx;
    }
    demux0 {
    }
    lo0 {
    }
}

{master}

Thanks in advance!

Spyros

Re: Juniper MX Regular expressions and user permissions ACS 5.4

01-09-2014 09:43 AM

Hello there,

If You allow file read permissions to Your staff, then they can do from the JUNOS CLI:

file show /config/juniper.conf.gz

- which displays the last committed config.

HTH

Thanks
Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: Juniper MX Regular expressions and user permissions ACS 5.4

01-12-2014 11:14 PM

Hi and thanks for replying!

This indeed works, but I believe it can only be used as a workaround. Isn't there a way with attributes and regular expressions to make this work the right way?

Just as a note, I have a local user on an MX router which has the following authorization details:

permissions [ configure network view view-configuration ];
allow-configuration-regexps "interface .*. description .*$";

and this works nicely. However, when I tried adding these as attribute and regular expression in ACS, they do not work.

I tried permissions=configure, user-permissions=configure, etc. None worked.

Thanks again!


Re: Juniper MX Regular expressions and user permissions ACS 5.4

01-13-2014 12:12 AM

Just a side note, the user the ACS is bound to is as follows:

user remote {
    full-name "Remote Access Account";
    uid 2015;
    class super-user;
}
