06-24-2008 12:33 PM
Does Junos (M7i) support integration with a Cisco TACACS server? If yes, can anyone please help me with the commands? I tried the following but it didn't work:
set system tacplus-server IPADDRESS single-connection secret xxxxx
set system authentication-order tacplus
06-25-2008 06:53 AM
06-25-2008 08:15 AM
It just didn't log in with the username/password stored on TACACS! Even the local user stored on the router failed (glad to have the commit confirmed command).
What do you think the problem is? The TACACS server is working fine on many Cisco routers, but this is the first Juniper router within that network.
06-25-2008 10:55 AM
Did you remember to configure a template account so that when TACACS replies with success, the user will have a login class assigned? Typically, most people will use the reserved username "remote" and assign it a login class:
Ex.
system {
    login {
        user remote {
            full-name "Default for all users";
            uid 2001;
            class read-only;
        }
    }
}
06-25-2008 03:48 PM - edited 06-26-2008 10:01 AM
Arzo wrote: It just didn't log in with the username/password stored on TACACS! Even the local user stored on the router failed (glad to have the commit confirmed command).
Regarding local user account not working, notice the difference:
[edit]
system authentication-order tacplus;
and:
[edit]
system authentication-order [tacplus password];
"... provides a local user fallback mechanism ... when all TACACS+ servers are unavailable" or when the user fails to authenticate with TACACS+ (unknown user/bad password).
Next, follow robk's suggestion + some reading:
- Configuring Template Accounts for RADIUS and TACACS+ Authentication
- JUNOS RADIUS Authentication (yes, RADIUS, but useful info about template accounts)
What's your TACACS+ server? Cisco ACS, tac_plus?
07-21-2008 11:14 AM
In addition to the authentication-order [tacplus password], you need to build a local user with the appropriate permissions on the M7i, then map in TACACS to have your account (or whomever's) use the permissions of that local account. You map that in TACACS (at least v3.2) under the individual user, and set up a special attribute for JUNOS-EXEC with the attribute "local-user-name=xxxxx", where xxxxx is the name of the user on the M7i.
Hope that helps...
08-05-2008 05:29 AM
I can log in to the MX480 through TACACS (ACS v3.2), but TACACS doesn't return the user's attributes to the MX480.
I mean all users can log in as super-user with no restrictions.
What can I do?
10-13-2011 08:49 PM
Dear All Pro,
I don't map on the RADIUS server or TACACS+ on the ACS server ("You map that in TACACS (at least v3.2) under the individual user, and set up a special attribute for JUNOS-EXEC with the attribute "local-user-name=xxxxx", where xxxxx is the name of the user on the M7i."). Please instruct me about this (please guide me step by step, that would be very good).
Thanks very much.
10-18-2011 02:03 PM
This took a little work and I wrote a short how-to on my website:
http://networkloafer.com/?page_id=104
You need to have these attributes in the TACACS+ server:
Attribute    Requirement    Value
vsys         Optional       remote (user id created on Junos)
Privilege    Optional       remote
Thanks
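Pulling the thread's advice together, here is a complete Junos login configuration in the same "set" form the original question used. This is an added example, not configuration posted by anyone in the thread or taken from the linked how-to. The server address 192.0.2.10, the source address, the shared secret, the class name tacacs-ro and the users netops and localadmin are placeholders chosen for illustration; "remote" is the reserved template name the replies describe, and junos-exec / local-user-name are the Junos TACACS+ service and attribute names the replies refer to.

```junos
# Added example, not from the thread: Junos TACACS+ login configuration.
# 192.0.2.10, 192.0.2.1, the secret, class tacacs-ro and the users
# netops/localadmin are placeholders.

# TACACS+ server definition. "single-connection" is deliberately left out:
# it only works when the server supports multiplexing sessions over one
# TCP connection, so enable it only after plain authentication works.
set system tacplus-server 192.0.2.10 secret "REPLACE-WITH-SHARED-SECRET"
set system tacplus-server 192.0.2.10 timeout 5
set system tacplus-server 192.0.2.10 source-address 192.0.2.1

# Try TACACS+ first, then the local password database. With "tacplus"
# alone, a server reject, an unreachable server or a missing template
# user locks out the local accounts as well, which is the symptom the
# original poster saw.
set system authentication-order [ tacplus password ]

# Restricted class for the default template: show commands and
# viewing the configuration, nothing that changes state.
set system login class tacacs-ro permissions [ view view-configuration ]

# Default template. Used when the server authenticates the user but the
# junos-exec reply carries no local-user-name attribute. If this account
# is missing, an accepted TACACS+ login still has no class and fails.
set system login user remote full-name "Default for TACACS+ users"
set system login user remote uid 2001
set system login user remote class tacacs-ro

# Named template for administrators. On the TACACS+ server, give the
# person's account the junos-exec attribute local-user-name=netops; the
# session then inherits this class instead of tacacs-ro. Keeping the
# "remote" template read-only is what prevents every authenticated
# user from landing in super-user, as reported for the MX480 above.
set system login user netops full-name "TACACS+ template, admin rights"
set system login user netops uid 2002
set system login user netops class super-user

# Local break-glass account for when no TACACS+ server answers; it is
# only reachable because "password" follows "tacplus" above. The CLI
# prompts for the password when this line is entered.
set system login user localadmin uid 2003
set system login user localadmin class super-user
set system login user localadmin authentication plain-text-password
```

Apply it with `commit confirmed 5`, open a second session and log in with a TACACS+ account, then run `show system users` to confirm the session and `show cli authorization` from inside that session to see which class (tacacs-ro or super-user) was actually assigned before issuing the final `commit`. If every TACACS+ user ends up as super-user, check `show configuration system login` for the class of the "remote" template and for which local-user-name values the server is returning.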
02-20-2012 12:53 PM