Contributor
Arzo
Posts: 172
Registered: ‎11-12-2007
0

JUNOS Tacacs Integration

Does Junos (M7i) support integration with a Cisco TACACS server? If yes, can anyone please help me with the commands? I tried the following, but it didn't work:

 

set system tacplus-server IPADDRESS single-connection secret xxxxx

set system authentication-order tacplus

 

Tariq Morad
Juniper Employee
robk
Posts: 3
Registered: ‎06-24-2008
0

Re: JUNOS Tacacs Integration

Those are the right commands.  Can you describe a bit on how it failed?
Contributor
Arzo
Posts: 172
Registered: ‎11-12-2007
0

Re: JUNOS Tacacs Integration

It just didn't log in with the username/password stored on TACACS! Even the local user stored on the router failed (glad to have the commit confirmed command) :smileyhappy:.

What do you think the problem is? The TACACS server is working fine on many Cisco routers, but this is the first Juniper router within that network.

Tariq Morad
Juniper Employee
robk
Posts: 3
Registered: ‎06-24-2008
0

Re: JUNOS Tacacs Integration

Did you remember to configure a template account so that when TACACS replies with success, the user will have a login class assigned? Typically, most people will use the reserved username "remote" and assign it a login class:

 

Ex.

system {
    login {
        user remote {
            full-name "Default for all users";
            uid 2001;
            class read-only;
        }
    }
}

 

Contributor
xls
Posts: 10
Registered: ‎02-01-2008
0

Re: JUNOS Tacacs Integration

[ Edited ]

Arzo wrote:

It just didn't log in with the username/password stored on TACACS! Even the local user stored on the router failed (glad to have the commit confirmed command) :smileyhappy:


Regarding local user account not working, notice the difference:

 

[edit]
system authentication-order tacplus;

"If a TACACS+ server is available, the JUNOS software will not try to use the password authentication..."

 

and:

[edit]
system authentication-order [tacplus password];

"... provides a local user fallback mechanism ... when all TACACS+ servers are unavailable" or user fails to authenticate with TACACS+ (no user/bad password)

 

Next, follow robk's suggestion + some reading:

 

- Configuring Template Accounts for RADIUS and TACACS+ Authentication
- JUNOS RADIUS Authentication (yes, RADIUS, but useful info about template accounts)

 

What's your TACACS+ server? Cisco ACS, tac_plus?

 

Message Edited by xls on 06-26-2008 10:01 AM
Regular Visitor
mperfct
Posts: 5
Registered: ‎06-19-2008
0

Re: JUNOS Tacacs Integration

In addition to the authentication-order [tacplus password], you need to build a local user with the appropriate permissions on the M7i, then map in TACACS to have your account or whomever's to use the permissions of that local account. You map that in TACACS (at least v3.2) under the individual user, and set up a special attribute for JUNOS-EXEC with the attribute "local-user-name=xxxxx" where xxxx is the name of the user on the M7i.

 

Hope that helps...
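
An added example, not part of the original thread: a small Python check that reads a Junos configuration in "set" format and reports the pitfalls raised in the replies above (no password fallback in authentication-order, no "remote" template account, and a "remote" template whose class is super-user). The sample configurations, the address 192.0.2.10, the secret value and the check names are constructed for illustration.

```python
import shlex

# Constructed sample: the configuration from the first post ("set" format).
BROKEN = '''\
set system tacplus-server 192.0.2.10 single-connection secret "placeholder"
set system authentication-order tacplus
'''
# Constructed sample: the same device after applying the replies' advice.
FIXED = '''\
set system tacplus-server 192.0.2.10 single-connection secret "placeholder"
set system authentication-order [ tacplus password ]
set system login user remote full-name "Default for all users" uid 2001 class read-only
'''

# Check names and wording are this example's own, not Junos output.
CHECKS = {
    "no-password-fallback": "authentication-order lacks 'password'; local "
        "accounts are not tried while a TACACS+ server is reachable",
    "no-remote-template": "no 'remote' template user; TACACS+ users without a "
        "local account or local-user-name mapping get no login class",
    "remote-is-super-user": "'remote' template has class super-user; every "
        "unmapped TACACS+ user inherits it",
}

def audit(config):
    """Return the CHECKS keys that apply to a Junos 'set'-format config."""
    order, classes = [], {}
    for line in config.splitlines():
        # Brackets only group list values, so drop them before tokenising.
        tok = shlex.split(line.replace("[", " ").replace("]", " "))
        if tok[:3] == ["set", "system", "authentication-order"]:
            order += tok[3:]
        elif tok[:4] == ["set", "system", "login", "user"] and len(tok) > 4:
            classes.setdefault(tok[4], None)
            if "class" in tok[5:-1]:
                classes[tok[4]] = tok[tok.index("class", 5) + 1]
    if "tacplus" not in order:
        return []  # TACACS+ login is not enabled; nothing to check
    found = []
    if "password" not in order:
        found.append("no-password-fallback")
    if "remote" not in classes:
        found.append("no-remote-template")
    elif classes["remote"] == "super-user":
        found.append("remote-is-super-user")
    return found

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for key in audit(cfg) or ["ok"]:
            print(name, key, CHECKS.get(key, ""))
```

Feed it the output of "show configuration | display set" saved to a file; an empty result means none of the three conditions was found.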

 

Regular Visitor
ziv
Posts: 5
Registered: ‎08-05-2008
0

Re: JUNOS Tacacs Integration

I can log in to the MX480 through TACACS ACS v3.2, but the TACACS doesn't return the user's attributes to the MX480.

I mean all users can login as super user with no restrictions.

What can I do?

Regular Visitor
namson
Posts: 1
Registered: ‎08-08-2011
0

Re: JUNOS Tacacs Integration

Dear All Pro,

 

I don't map on the RADIUS server or TACACS+ on the ACS server (You map that in TACACS (at least v3.2) under the individual user, and set up a special attribute for JUNOS-EXEC with the attribute "local-user-name=xxxxx" where xxxx is the name of the user on the M7i.). Please instruct me about this (guiding me step by step would be very good).

 

Thanks very much.

Contributor
dclarkjr1122
Posts: 27
Registered: ‎11-24-2009
0

Re: JUNOS Tacacs Integration

This took a little work and I wrote a short how-to on my website:

http://networkloafer.com/?page_id=104

 

You need to have these attributes in the tacacs+ server:

Attribute    Requirement    Value
vsys         Optional       remote (user id created on Junos)
Privilege    Optional       remote

Thanks

 

Visitor
jr742n
Posts: 5
Registered: ‎02-10-2012
0

Re: JUNOS Tacacs Integration

Mate, read this 1329768699022, maybe it can help you; 

 

Cheers;:smileyhappy:

Jose
