Use regular expressions to specify which operational or configuration mode commands are allowed or denied when using a RADIUS or TACACS+ server for user authentication. You can specify the regular expressions using the appropriate Juniper Networks vendor-specific TACACS+ or RADIUS attributes in your authentication server configuration.
You can specify the allowed or denied configuration or operational mode commands, or the user permissions, in a single extended regular expression by enclosing the multiple commands in parentheses and separating them with the pipe symbol: allow-commands= (cmd1 | cmd2 | cmdn).
On a TACACS+ or RADIUS server, you can also use a simplified version for regular expressions, where you specify each command as a separate expression. The simplified version is valid for the Juniper-Allow-Commands, Juniper-Deny-Commands, Juniper-Allow-Configuration, Juniper-Deny-Configuration, and Juniper-User-Permissions vendor-specific attributes:
- Juniper-Allow-Commands = "cmd1"
- Juniper-Allow-Commands = "cmd2"
- Juniper-Allow-Commands = "cmd n"
- Juniper-Deny-Commands = "cmd1"
- Juniper-Deny-Commands = "cmd2"
- Juniper-Deny-Commands = "cmd n"
- Juniper-Allow-Configuration = "cmd1"
- Juniper-Allow-Configuration = "cmd2"
- Juniper-Allow-Configuration = "cmd n"
- Juniper-Deny-Configuration = "cmd1"
- Juniper-Deny-Configuration = "cmd2"
- Juniper-Deny-Configuration = "cmd n"
- Juniper-User-Permissions = "cmd1"
- Juniper-User-Permissions = "cmd2"
- Juniper-User-Permissions = "cmd n"
For more information about Juniper Networks vendor-specific RADIUS and TACACS+ attributes, see Juniper Networks Vendor-Specific RADIUS Attributes and Configuring TACACS+ Authentication.
Note: When TACACS+ or RADIUS authentication is configured for a router, regular expressions configured on the RADIUS or TACACS+ server merge with any regular expressions configured on the local router at the [edit system login class] hierarchy level for the allow, deny, or permissions commands. If the final expression has a syntax error, the overall result is an invalid regular expression.
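Because one malformed fragment can invalidate the merged expression described in the note above, it helps to lint the values before they reach the authentication server. The following is an added example, not Juniper code. It assumes the merge behaves like the pipe-joined single-expression form shown earlier, and it uses Python's re module as a stand-in for the device's regular expression engine, so it catches structural errors such as unbalanced parentheses rather than every dialect difference. The function names and sample values are constructed for illustration.

```python
import re

def merge(fragments):
    """Join separate values into the single-expression form: (cmd1|cmd2|cmdn)."""
    return "(" + "|".join(fragments) + ")" if fragments else ""

def compiles(expr):
    """Return an error string if expr is not a valid regex, else None."""
    try:
        re.compile(expr)
        return None
    except re.error as exc:
        return str(exc)

def check_merge(local, server):
    """Merge local and server fragments for one attribute and validate.

    Returns (merged, merged_is_valid, bad), where bad lists every
    (fragment, error) pair that is invalid on its own.
    """
    fragments = list(local) + list(server)
    bad = [(f, err) for f in fragments if (err := compiles(f)) is not None]
    merged = merge(fragments)
    return merged, compiles(merged) is None, bad

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    cases = {
        "allow-commands": (["show interfaces.*"], ["show route.*", "ping .*"]),
        "deny-commands": (["request system.*"], ["clear (bgp", "restart .*"]),
        # Two broken fragments that merge into a valid but unintended expression.
        "deny-configuration": ([], ["protocols (bgp", "ospf) .*"]),
    }
    for name, (local, server) in cases.items():
        merged, ok, bad = check_merge(local, server)
        print(f"{name}: {'valid' if ok else 'INVALID'} {merged}")
        for frag, err in bad:
            print(f"  bad fragment {frag!r}: {err}")
```

The third case is why each fragment is checked on its own as well as after merging: two values with stray parentheses can combine into an expression that compiles but no longer matches what either line intended.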