The TACACS+ attributes listed in Table 15 are specific to Juniper Networks. They are specified in the TACACS+ server configuration file on a per-user basis. After authenticating a user, the JUNOS software retrieves these attributes by sending an authorization request to the TACACS+ server. You do not need to configure these attributes to run the JUNOS software with TACACS+.
To specify these attributes, include a service statement of the following form in the TACACS+ server configuration file:
```
service = junos-exec {
    local-user-name = <username-local-to-router>
    allow-commands = "<allow-commands-regex>"
    allow-configuration = "<allow-configuration-regex>"
    deny-commands = "<deny-commands-regex>"
    deny-configuration = "<deny-configuration-regex>"
}
```
This service statement can appear in a user or group statement.
Table 15: Juniper Networks Vendor-Specific TACACS+ Attributes
| Name | Description | Length | String |
|---|---|---|---|
| local-user-name | Indicates the name of the user template used by this user when logging in to a device. | ≥3 | One or more octets containing printable ASCII characters. |
| allow-commands | Contains an extended regular expression that allows the user to run operational mode commands in addition to those commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 12. |
| allow-configuration | Contains an extended regular expression that allows the user to run configuration mode commands in addition to those commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 13. |
| deny-commands | Contains an extended regular expression that denies the user permission to run operational mode commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 12. |
| deny-configuration | Contains an extended regular expression that denies the user permission to run configuration mode commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 13. |
| user-permissions | Contains information the server uses to specify user permissions. Note: When the user-permissions attribute is configured to grant the JUNOS maintenance or all permissions on a TACACS+ server, the UNIX wheel group membership is not automatically added to the user's list of group memberships. Some operations, such as running the su root command from a local shell, require wheel group membership. However, when a user is configured locally with permissions maintenance or all, the user is automatically granted membership in the UNIX wheel group. Therefore, we recommend that you create a template user account with the required permissions and associate individual user accounts with the template user account. For information about configuring user template accounts, see Configuring Template Accounts for RADIUS and TACACS+ Authentication. | ≥3 | One or more octets containing printable ASCII characters. See Table 11. |
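The following Python code is an added example and is not part of the Juniper documentation or of any TACACS+ server. It covers two things this page describes: rendering the `junos-exec` service statement for a user or group in the form shown above, and the authorization reply in which the JUNOS software receives the Table 15 attributes from the server. The wire format is the TACACS+ authorization REPLY body from RFC 8907, which is assumed to be what the device exchanges; the attribute values (`remote-ops`, the command and configuration regular expressions) are constructed sample data, and the backslash quoting used inside double-quoted values is an assumption about the server's configuration syntax.

```python
"""Added example: junos-exec attributes in the server config and on the wire."""
import struct

# Attribute names from Table 15. "service" is not in the table; it selects the
# junos-exec service that the other attributes belong to.
JUNOS_EXEC_ATTRIBUTES = (
    "local-user-name", "allow-commands", "allow-configuration",
    "deny-commands", "deny-configuration", "user-permissions",
)
# RFC 8907 carries each argument's length in a single octet, so one
# "name=value" argument can hold at most 255 bytes. A long regular expression
# that exceeds this cannot be delivered at all, so check it before deploying.
MAX_ARG_LEN = 255
STATUS_PASS_ADD = 0x01  # TAC_PLUS_AUTHOR_STATUS_PASS_ADD (RFC 8907)


def render_service_statement(attrs):
    """Render the junos-exec service statement in the form shown on this page.

    Regular-expression values are double-quoted as in the template; a double
    quote inside a value is escaped with a backslash (assumed quoting rule,
    verify against your TACACS+ server's configuration syntax).
    """
    lines = ["service = junos-exec {"]
    for name in JUNOS_EXEC_ATTRIBUTES:
        if name not in attrs:
            continue
        if name == "local-user-name":
            lines.append(f"    {name} = {attrs[name]}")
        else:
            escaped = attrs[name].replace('"', '\\"')
            lines.append(f'    {name} = "{escaped}"')
    lines.append("}")
    return "\n".join(lines)


def to_av_pairs(attrs):
    """Argument strings sent in the authorization REPLY: service first, then
    name=value pairs. '=' marks a mandatory argument, '*' an optional one."""
    args = ["service=junos-exec"]
    for name in JUNOS_EXEC_ATTRIBUTES:
        if name in attrs:
            args.append(f"{name}={attrs[name]}")
    return args


def build_authorization_reply(args, status=STATUS_PASS_ADD, server_msg=b"", data=b""):
    """Encode an authorization REPLY body (RFC 8907 section 6.2)."""
    encoded = [a.encode("ascii") for a in args]  # Table 15: printable ASCII only
    for a in encoded:
        if not 1 <= len(a) <= MAX_ARG_LEN:
            raise ValueError(f"argument length {len(a)} not in 1..{MAX_ARG_LEN}: {a[:40]!r}")
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    body += bytes(len(a) for a in encoded)  # one length octet per argument
    return body + server_msg + data + b"".join(encoded)


def parse_authorization_reply(body):
    """Decode a REPLY body into (status, [argument strings])."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    pos = 6
    arg_lens = body[pos:pos + arg_cnt]
    pos += arg_cnt + msg_len + data_len  # skip the length octets, server_msg and data
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii"))
        pos += n
    if pos != len(body):
        raise ValueError("trailing bytes in authorization reply")
    return status, args


def split_av_pair(arg):
    """Split at the first '=' or '*', so separators inside a regex value
    (for example the '*' in 'show .*') are left in the value."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError(f"argument without separator: {arg!r}")


def extract_junos_attributes(args):
    """Return the Table 15 attributes from a junos-exec reply. Unknown
    attributes are ignored; a reply for a different service is rejected."""
    attrs, service = {}, None
    for arg in args:
        name, value, _mandatory = split_av_pair(arg)
        if name == "service":
            service = value
        elif name in JUNOS_EXEC_ATTRIBUTES:
            attrs[name] = value
    if service != "junos-exec":
        raise ValueError(f"expected service=junos-exec, got {service!r}")
    return attrs


# Constructed sample: a remote operator mapped onto a local template account.
SAMPLE_ATTRS = {
    "local-user-name": "remote-ops",
    "allow-commands": "(show|ping|traceroute) .*",
    "deny-commands": "(request system|start shell).*",
    "deny-configuration": "^system (login|root-authentication)",
}

if __name__ == "__main__":
    print(render_service_statement(SAMPLE_ATTRS))
    status, args = parse_authorization_reply(build_authorization_reply(to_av_pairs(SAMPLE_ATTRS)))
    print(hex(status), extract_junos_attributes(args))
```

The regular expressions are passed through untouched: the example checks only that each argument fits the protocol, not that the expression means what you intend on the device, so test the resulting login class on a router before relying on it.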