Juniper MX Regular expressions and user permissions ACS 5.4


cpiro
Contributor (11)
Jan 9, 2014 1:53am

Hi everyone!

 

I'm having some trouble with regular expressions and permissions on our Juniper MX routers through ACS 5.4, and I would like some insight/help/pointers!!

 

We have a team of engineers that should only have read only permissions (important: show configuration) and also be able to just change the description on interfaces.

Thus far, with the following regular expressions set for the shell profile they are going through, I have managed the above. However, the problem is that when an engineer inputs "Show configuration", only the interfaces descriptions configuration is shown! The rest of the configuration will not be printed.

 

 

deny-commands1=.*.
allow-commands1=configure
deny-configuration1=.*.
allow-commands2=interfaces .*. description .*$
allow-configuration1=interfaces .*. description .*$
allow-commands2=show configuration.*
allow-commands3=show configuration

 

(I know that some of these regexes are not needed; I was just playing around to check everything before posting)

 

Any pointers as to why or how to resolve this?

 

 

Example output with the above:

show configuration
## Last commit: 2014-01-09 09:34:44 EET by someone
interfaces {
    xe-0/0/0 {
    }
    xe-0/0/1 {
        description xxxx;
    }
    xe-0/1/0 {
        description xxxx;
    }
    xe-0/1/1 {
        description xxxx;
    }
    xe-0/2/0 {
        disable;
    }
    xe-0/2/1 {
        description xxxx;
    }
    xe-0/3/0 {
        description xxxx;
    }
    xe-0/3/1 {
        description xxxx;
    }
    ae0 {
        description "xxxx";
    }
    ae1 {
        description xxxx;
    }
    demux0 {
    }
    lo0 {
    }
}

{master}

 

Thanks in advance!

 

Spyros




apaul
Contributor (11)
Jan 9, 2014 3:08am

You have posted your query under the wrong forum. You will need to post it under the appropriate forum. You can try posting this under the routing group.

    cpiro
    Contributor (11)
    Jan 9, 2014 4:16am

    My bad! Thanks for indicating that, I'll post it there then!