Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Access to Commands

Use regular expressions to specify which operational or configuration mode commands are allowed or denied when you use a RADIUS or TACACS+ server for user authentication. You can specify the regular expressions using the appropriate Juniper Networks vendor-specific RADIUS or TACACS+ attributes in your authentication server configuration.

You can specify allow-configuration, deny-configuration, allow-commands, or deny-commands in a single extended regular expression, enclosing multiple commands in parentheses and separating them using the pipe symbol. For example, you can specify multiple allow-commands parameters using: allow-commands= (cmd1 | cmd2 | cmdn). You can specify user-permissions as a list of comma-separated values, and not as a regular expression.

On a RADIUS or TACACS+ server, you can also use a simplified version for regular expressions where you specify each individual expression on a separate line. The simplified version is valid for allow-commands, deny-commands, allow-configuration, deny-configuration, and permissions vendor-specific attributes.

For a RADIUS server, specify the individual regular expressions using the following syntax:

Juniper-Allow-Commands+="cmd1"Juniper-Allow-Commands+="cmd2"Juniper-Allow-Commands+="cmdn"Juniper-Deny-Commands+="cmd1"Juniper-Deny-Commands+="cmd2"Juniper-Deny-Commands+="cmdn"Juniper-Allow-Configuration+="regex1"Juniper-Allow-Configuration+="regex2"Juniper-Allow-Configuration+="regexn"Juniper-Deny-Configuration+="regex1"Juniper-Deny-Configuration+="regex2"Juniper-Deny-Configuration+="regexn"Juniper-User-Permissions+="permission-flag1"Juniper-User-Permissions+="permission-flag2"Juniper-User-Permissions+="permission-flagn"

For a TACACS+ server, specify the individual regular expressions using the following syntax:

allow-commands1="cmd1"allow-commands2="cmd2"allow-commandsn="cmdn"deny-commands1="cmd1"deny-commands2="cmd2"deny-commandsn="cmdn"allow-configuration1="regex1"allow-configuration2="regex2"allow-configurationn="regexn"deny-configuration1="regex1"deny-configuration2="regex2"deny-configurationn="regexn"user-permissions1="permission-flag1"user-permissions2="permission-flag2"user-permissionsn="permission-flagn "
  • Numeric values 1 to n in the syntax (for a TACACS+ server) must be unique but need not be sequential. For example, the following syntax is valid:
    allow-commands1="cmd1"allow-commands3="cmd3"allow-commands2="cmd2"deny-commands3="cmd3"deny-commands2="cmd2"deny-commands1="cmd1"
  • The limit on the number of lines of individual regular expressions is imposed by the TACACS+ or RADIUS server.
  • When you issue the show cli authorization command, the command output displays the regular expression in a single line, even if you specify each individual expression on a separate line.

For more information about Juniper Networks vendor-specific RADIUS and TACACS+ attributes, see Juniper Networks Vendor-Specific RADIUS Attributes and Juniper Networks Vendor-Specific TACACS+ Attributes.

Note: When RADIUS or TACACS+ authentication is configured for a router, regular expressions configured on the RADIUS or TACACS+ server merge with any regular expressions configured on the local router at the [edit system login class] hierarchy level using the allow-commands, deny-commands, allow-configuration, deny-configuration, or permissions statements. If the final expression has a syntax error, the overall result is an invalid regular expression.

 

Related Documentation

 

Published: 2013-08-15

Previous Page Next Page