SRX Services Gateway
New User
Pradip Das
Posts: 1
Registered: 02-28-2011

Tacacs Configuration of SRX 210 Juniper Router


Please let us know how I would configure TACACS+ authentication on a Juniper SRX-210 router.

Current Tacacs Version 3.2

SRX 210 version 10.1R2.8

Regular Visitor
Hassan
Posts: 1
Registered: 05-08-2008

Re: Tacacs Configuration of SRX 210 Juniper Router

I believe the SRX210 is a firewall capable of routing. Following is the TACACS+ config for the SRX, with the assumption that your tacplus server is already configured:

set system authentication-order tacplus
set system authentication-order password
# secret key configured on the server
set system tacplus-server tac-serv-ip secret "key"
set system tacplus-server tac-serv-ip source-address "source-interface-ip-on-srx"
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus

# Do create fallback user(s) locally on the SRX for events when the TACACS+ server isn't accessible

Trusted Contributor
Aigarz
Posts: 54
Registered: 02-21-2011

Re: Tacacs Configuration of SRX 210 Juniper Router

In addition to Hassan's post, you have to add a remote user to allow remote TACACS+ user connections:

set system login user remote full-name "Tacacs+ template for remote access"
set system login user remote class super-user
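The two posts above together describe the shape of a working set-format TACACS+ configuration: tacplus first in the authentication order, a server with a secret and source-address, accounting to tacplus, a local fallback account, and the "remote" template user. The script below is an added example (not from this thread or from Juniper) that parses such set commands and reports which of those points a config covers; the sample config, server IP, user names and hash are constructed placeholders, and it does not parse the brace-style configuration format.

```python
"""Audit a Junos 'set'-style TACACS+ config for the points raised in this thread:
order, server secret/source, local fallback user, 'remote' template, accounting."""
import re

# Constructed sample: Hassan's and Aigarz's commands plus a local fallback account;
# the server IP, user names and password hash are placeholders, not real values.
SAMPLE_CONFIG = """
set system authentication-order tacplus
set system authentication-order password
set system tacplus-server 192.0.2.10 secret "example-key"
set system tacplus-server 192.0.2.10 source-address 192.0.2.1
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus
set system login user remote full-name "Tacacs+ template for remote access"
set system login user remote class super-user
set system login user admin-local class super-user
set system login user admin-local authentication encrypted-password "$HASH-PLACEHOLDER"
"""

def parse_set_lines(text):
    """Return each 'set ...' statement as a token list, keeping quoted values whole."""
    stmts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            stmts.append(re.findall(r'"[^"]*"|\S+', line)[1:])
    return stmts

def audit_tacplus(text):
    """Map each check to True/False; False marks a point the thread warns about."""
    stmts = parse_set_lines(text)
    tac = [s for s in stmts if s[:2] == ["system", "tacplus-server"]]
    users = {s[3] for s in stmts if s[:3] == ["system", "login", "user"]}
    with_pw = {s[3] for s in stmts if s[:3] == ["system", "login", "user"]
               and "encrypted-password" in s}
    events = {s[3] for s in stmts if s[:3] == ["system", "accounting", "events"]}
    order = [s[2] for s in stmts if s[:2] == ["system", "authentication-order"]]
    return {
        "tacplus_then_password": order[:2] == ["tacplus", "password"],
        "server_has_secret_and_source": any("secret" in s for s in tac) and any("source-address" in s for s in tac),
        # a local account with its own password, for when the server is unreachable
        "local_fallback_user": bool(with_pw - {"remote"}),
        # Aigarz's template account for TACACS+ users that have no local account
        "remote_template_user": "remote" in users,
        "accounting_to_tacplus": {"login", "change-log", "interactive-commands"} <= events
            and any(s[:3] == ["system", "accounting", "destination"] and "tacplus" in s for s in stmts),
    }
```

Run `audit_tacplus` over the output of `show configuration | display set` to get the same report for a real device.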

Trusted Contributor
BuckWeet
Posts: 159
Registered: 08-29-2008

Re: Tacacs Configuration of SRX 210 Juniper Router

I do it a bit differently. Below is my configuration, but I also use access restrictions on the TACACS+ user profile. Below I used the name TACACS for the login account, which needs to be specified in the ACS user/group profile under the custom service. By default JUNOS goes to "remote", I believe.

tacplus-server {
    192.168.1.12 {
        secret "$9$9JbVpu1eK87ds"; ## SECRET-DATA
        source-address 10.1.1.1;
    }
}
accounting {
    events [ login change-log interactive-commands ];
    destination {
        tacplus {
            server {
                192.168.1.12 {
                    secret "$9$HmPQtpBESe"; ## SECRET-DATA
                    source-address 10.1.1.1;
                }
            }
        }
    }
}
login {
    class super-user-local {
        idle-timeout 15;
        permissions all;
    }
    user TACACS {
        uid 2002;
        class super-user-local;
    }
}

Contributor
Ahriakin
Posts: 30
Registered: 05-29-2011

Re: Tacacs Configuration of SRX 210 Juniper Router

Depending on your needs, you can also set up local users with the same username as held in the user database your TACACS+ service is using for authentication, then assign them to the local class you prefer. We are currently using this for all super-user level accounts, and then the generic "remote" template user with a custom class (custom permissions/command set) for anyone else authenticated via TACACS+.

New User
prakin382
Posts: 1
Registered: 09-06-2012

Re: Tacacs Configuration of SRX 210 Juniper Router

Hey,

Looking at the configuration above, do we need to create a user account named "remote" on the TACACS+ server?

Can we create a different user account on the TACACS+ server and log in to the SRX with the user account created in TACACS+,

or

do we need to have an account on both the SRX 210 and the TACACS+ server for a user to log in to the box?

Please help.

Thanks
