SRX Services Gateway
Contributor
beerglass007
Posts: 14
Registered: 06-22-2011

Force TACACS

Hi all

I've enabled TACACS on the SRX devices and all is working, but people can still log in as root or any local account if they know the username and password.

With Cisco you can have a local account, but it will never authenticate against the local account if the TACACS server is online.

Can you do the same with Junos > 10.4.R34?

I don't want users using root or any local account if TACACS is enabled and working. The local account is only for when TACACS fails, in my opinion.

Thanks


CCNA CCNP JNCIA-JNCIS-JNCIP-SEC
Distinguished Expert
muttbarker
Posts: 2,362
Registered: 01-29-2008

Re: Force TACACS

The JUNOS command "system authentication-order" can be used to help control whether or not local access is allowed. If you define the order as:

authentication-order [ tacplus password ]

then the local DB will ALWAYS be checked (in the definition order), regardless of the state of the TACACS server. However, if you omit the password value from the authentication order, then TACACS will ONLY be checked, and the local DB will only be used if the TACACS server is unreachable.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
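Kevin's two orderings written out as complete Junos configuration stanzas, as an added example that is not part of the thread; the server address 192.0.2.10, the shared-secret placeholder, the timeout and the "remote" template user are assumptions for illustration, not values from the posts.

```junos
system {
    /* Strict ordering: TACACS+ is queried first; the local password database */
    /* is consulted only when no TACACS+ server answers (unreachable).         */
    /* A TACACS+ reject does NOT fall through to local accounts.              */
    authentication-order tacplus;

    /* Permissive ordering discussed in the thread. With "password" listed,  */
    /* a TACACS+ reject falls through to the local database, so anyone who   */
    /* knows a local username/password can still log in.                     */
    /* authentication-order [ tacplus password ]; */

    tacplus-server {
        192.0.2.10 {                                  /* assumed server address */
            secret "REPLACE-WITH-SHARED-SECRET";      /* placeholder secret     */
            timeout 5;                                /* assumed; seconds       */
        }
    }
    login {
        /* Template account that TACACS+-authenticated users map to when they */
        /* have no local user entry of their own (assumed uid/class).         */
        user remote {
            uid 2000;
            class super-user;
        }
    }
}
```

After commit, "show configuration system authentication-order" confirms which ordering is active, and the local root password remains the fallback only while every listed TACACS+ server is unreachable.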
Contributor
Ahriakin
Posts: 30
Registered: 05-29-2011

Re: Force TACACS

I don't believe it's possible to make failed authorizations a terminating action, it will always work down the list. Personally I'd change the local passwords (and only have them for special fallback accounts) and store them securely in a location that no-one outside of your own authorized team can get to without executive permission, set logging alerts for when they are used (give a manager from each group that might need those credentials in times of emergency access to them, with the understanding it's a break-the-glass-in-case-of-fire deal that will need to be justified following use).

It would be nice to have a parameter for the list to enforce failure if desired.

Distinguished Expert
muttbarker
Posts: 2,362
Registered: 01-29-2008

Re: Force TACACS

If you are saying that the box will ALWAYS check the local password DB if the TACACS or RADIUS login fails due to an invalid authentication, then you are incorrect. It is, as I stated above, configuration dependent. Omitting the local password DB from the authentication order ensures that it is only checked if the prior specified objects (TACACS, RADIUS) are not physically reachable.

Contributor
Ahriakin
Posts: 30
Registered: 05-29-2011

Re: Force TACACS

Just labbed it up and yep, you're correct. Apologies, still new to Juniper, and everything I'd read so far led to the above.

Distinguished Expert
muttbarker
Posts: 2,362
Registered: 01-29-2008

Re: Force TACACS

No problem :)

And welcome to the world of JUNOS!

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.