#
# https://www.juniper.net/documentation/en_US/junos13.1/topics/task/configuration/tacacs-authentication-configuring.html
#
+# Example contents of these attributes are documented on the Juniper site:
+#
+# https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/user-access-tacacs-authentication.html#id-using-regular-expressions-on-a-radius-or-tacacs-server-to-allow-or-deny-access
+#
+#
# $Id$
#
##############################################################################
DEFINE local-user-name string
#
-# Regular expression to match allowed commands
+# User permissions.
#
-DEFINE allow-commands string
+# user-permissions = "flag1 flag2 flag3"
+#
+DEFINE user-permissions string
#
-# Regular expression to match allowed configurations
+# Each command is enclosed in parantheses: "(cmd)"
#
-DEFINE allow-configurations string
+# Multiple commands are separated by a pipe: "(one)|(two)"
+#
+# The device will merge all of the regular expressions received from
+# the local configuration, TACACS+ and RADIUS.
+#
+# Each of the following commands also has a "regexps" variant. They use the same syntax
+# as the non-"regexps" attributes, but they allow you to use variables in the regex.
+#
+# What exactly that means is left undocumented by Juniper.
+#
+
+#
+# Regular expression to match allowed commands
+#
+# allow-commands = "(one)|(two)|(three)"
+#
+DEFINE allow-commands string
+DEFINE allow-commands-regexps string
#
-# Regular expression to match denied commands
+# Regular expression to match denied commands
+#
+# deny-commands = "(one)|(two)|(three)"
#
DEFINE deny-commands string
+DEFINE deny-commands-regexps string
#
-# Regular expression to match denied configurations
+# Regular expression to match allowed configurations
+#
+# allow-configurations = "(one thing)|(two)|(three thing)"
+#
+DEFINE allow-configurations string
+DEFINE allow-configurations-regexps string
+
+#
+# Regular expression to match denied configurations
+#
+# deny-configurations = "(one thing)|(two)|(three thing)"
#
DEFINE deny-configuration string
+DEFINE deny-configuration-regexps string
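Review bot: The configuration attributes are named inconsistently: the new side defines `allow-configurations` and `allow-configurations-regexps` (plural) but `deny-configuration` and `deny-configuration-regexps` (singular), and the added example `# deny-configurations = "(one thing)|(two)|(three thing)"` matches no DEFINE on the page. These are authorization attributes, so a name the device does not recognise would presumably be ignored and the intended allow or deny restriction would silently not apply. Check each spelling against the Juniper page linked at the top (as far as I recall it uses the singular `allow-configuration` / `deny-configuration` forms) and make the DEFINEs and example comments agree. The comment block that starts with "Each command is enclosed in parantheses" sits directly under `DEFINE user-permissions string`, so it reads as describing that attribute; a heading such as `# Command and configuration regular expressions` would separate them, and "parantheses" should be `parentheses`. The hunk header is not visible in this view, so the file may have further context above the first line.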