Hi everybody,
I have trouble with my TACACS server.
I could authenticate through TACACS successfully, but the authorization was not successful when I tested it. I want to deny the command "set interface xxx", but I can still run that command when I do authorization on TACACS. Could somebody help me?
My TACACS server is built on CentOS.
My config on the TACACS server is as below:
user = test01 {
    login = PAM
    service = junos-exec {
        local-user-name = test01
        #allow-commands = "<allow-commands-regex>"
        #allow-configuration = "<allow-configuration-regex>"
        #deny-commands = "<deny-commands-regex>"
        deny-configuration = "set interfaces.*"
    }
}
And here is my config on Junos:
set system login class Viewonly permissions all
set system login user test01 uid 2021
set system login user test01 class Viewonly
set system tacplus-server 202.151.160.7 secret "$9$fQnCOBErK80BIcyKx724aGi."
set system tacplus-server 202.151.160.7 source-address 10.30.10.188
set system authentication-order tacplus
set system authentication-order password
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus
test01@Juniper-Lab> show cli authorization
Individual command authorization:
Allow regular expression: none
Deny regular expression: none
Allow configuration regular expression: none
Deny configuration regular expression: (set interfaces.*)