
Using Regular Expressions to Allow or Deny Access to Commands

Use regular expressions to specify which operational or configuration mode commands are allowed or denied when using a RADIUS or TACACS+ server for user authentication. You can specify the regular expressions using the appropriate Juniper Networks vendor-specific TACACS+ or RADIUS attributes in your authentication server configuration.

You can specify the allowed or denied configuration or operational mode commands, or the user permissions, in a single extended regular expression by enclosing the multiple commands in parentheses and separating them with the pipe symbol: allow-commands= (cmd1 | cmd2 | cmdn).

On a TACACS+ or RADIUS server, you can also use a simplified version for regular expressions, where you specify each command as a separate expression. The simplified version is valid for the Juniper-Allow-Commands, Juniper-Deny-Commands, Juniper-Allow-Configuration, Juniper-Deny-Configuration, and Juniper-User-Permissions vendor-specific attributes:

Juniper-Allow-Commands = "cmd1"
Juniper-Allow-Commands = "cmd2"
Juniper-Allow-Commands = "cmd n"
Juniper-Deny-Commands = "cmd1"
Juniper-Deny-Commands = "cmd2"
Juniper-Deny-Commands = "cmd n"
Juniper-Allow-Configuration = "cmd1"
Juniper-Allow-Configuration = "cmd2"
Juniper-Allow-Configuration = "cmd n"
Juniper-Deny-Configuration = "cmd1"
Juniper-Deny-Configuration = "cmd2"
Juniper-Deny-Configuration = "cmd n"
Juniper-User-Permissions = "cmd1"
Juniper-User-Permissions = "cmd2"
Juniper-User-Permissions = "cmd n"

For more information about Juniper Networks vendor-specific RADIUS and TACACS+ attributes, see Configuring Juniper Networks Vendor-Specific RADIUS Attributes and Configuring Juniper Networks Vendor-Specific TACACS+ Attributes.

Note: When TACACS+ or RADIUS authentication is configured for a router, regular expressions configured on the RADIUS or TACACS+ server merge with any regular expressions configured on the local router at the [edit system login class] hierarchy level for the allow, deny, or permissions commands. If the final expression has a syntax error, the overall result is an invalid regular expression.
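The following is an added example, not code from this documentation or from Juniper Networks. It models the three points above: folding the simplified one-expression-per-attribute form into the single extended form (cmd1|cmd2|cmdn), merging the server-supplied values with the values configured locally under [edit system login class], and showing how one malformed fragment makes the whole merged expression invalid. The attribute values, the local class values, the use of Python's re module as a stand-in for the router's regex engine, and matching against the whole command (fullmatch) are all assumptions of this example; it makes no claim about how the router resolves a command that matches both the allow and the deny list.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of the simplified form: one expression per attribute
# instance, as a RADIUS or TACACS+ server might return it.
SAMPLE_ATTRIBUTES: List[Tuple[str, str]] = [
    ("Juniper-Allow-Commands", "show .*"),
    ("Juniper-Allow-Commands", "ping .*"),
    ("Juniper-Deny-Commands", "show configuration.*"),
    ("Juniper-Deny-Commands", "request system .*"),
]

# Constructed sample of expressions configured locally under
# [edit system login class], which merge with the server-supplied ones.
SAMPLE_LOCAL_CLASS: Dict[str, List[str]] = {
    "allow-commands": ["traceroute .*"],
    "deny-commands": ["clear .*"],
}

# Which local statement each vendor-specific attribute merges into (assumed mapping).
ATTRIBUTE_TO_STATEMENT = {
    "Juniper-Allow-Commands": "allow-commands",
    "Juniper-Deny-Commands": "deny-commands",
}


def combine(expressions: Iterable[str]) -> Optional[str]:
    """Fold separate expressions into the single extended form (cmd1|cmd2|cmdn).
    Returns None when there is nothing to combine."""
    exprs = [e for e in expressions if e]
    if not exprs:
        return None
    return "(" + "|".join(exprs) + ")"


def merged_expression(statement: str, attributes: Iterable[Tuple[str, str]],
                      local_class: Dict[str, List[str]]) -> Optional[str]:
    """Merge the server-supplied values for one statement with the local class values."""
    from_server = [v for name, v in attributes
                   if ATTRIBUTE_TO_STATEMENT.get(name) == statement]
    return combine(from_server + local_class.get(statement, []))


def compile_merged(expr: Optional[str]) -> Tuple[Optional[re.Pattern], Optional[str]]:
    """Compile the merged expression. One bad fragment invalidates the whole
    expression, which is the failure mode the note describes. Python's re is
    used here as a stand-in for the router's regex engine (assumption)."""
    if expr is None:
        return None, None
    try:
        return re.compile(expr), None
    except re.error as exc:
        return None, str(exc)


def evaluate(command: str, attributes, local_class) -> Dict[str, object]:
    """Report which merged lists a command matches and whether either merged
    expression failed to compile. Matching the whole command (fullmatch) is a
    modelling assumption, not a statement about the router's matcher."""
    result: Dict[str, object] = {"allow": False, "deny": False, "errors": {}}
    for statement in ("allow-commands", "deny-commands"):
        expr = merged_expression(statement, attributes, local_class)
        pattern, error = compile_merged(expr)
        if error:
            result["errors"][statement] = error
            continue
        key = statement.split("-")[0]  # "allow" or "deny"
        result[key] = pattern is not None and pattern.fullmatch(command) is not None
    return result


if __name__ == "__main__":
    for cmd in ("show interfaces", "show configuration", "clear arp", "ping 192.0.2.1"):
        print(cmd, "->", evaluate(cmd, SAMPLE_ATTRIBUTES, SAMPLE_LOCAL_CLASS))
    # A single malformed server-side value (unbalanced parenthesis) invalidates
    # the whole merged allow expression, even though the local values are fine.
    broken = SAMPLE_ATTRIBUTES + [("Juniper-Allow-Commands", "show (interfaces")]
    print("broken ->", evaluate("show interfaces", broken, SAMPLE_LOCAL_CLASS))
```

The useful check for an operator is the `errors` field: because server-side and local expressions are joined into one expression per statement, a syntax error in any one attribute value surfaces as an invalid merged expression rather than as a failure of that single fragment, so each value should be validated on its own before it is added to the server.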

