SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  tacacs help

    Posted 09-10-2011 10:13

    Hi,

    I am configuring a TACACS+ server on an Ubuntu Jaunty server machine to authenticate a network of more than 100 SRX firewalls. I want all my SRX650 users authenticated from this machine against Ubuntu's /etc/passwd file, so I put the following in the tacacs.conf file:

    default authentication = file /etc/passwd

    Now my problem is that I cannot control rights for (authorize) users, as they are local OS users, not the users specified in the tacacs.conf file.

    How can I authorize users on the TACACS server which are /etc/passwd-based users?

    Urgent help is required :)

    bye



  • 2.  RE: tacacs help
    Best Answer

    Posted 09-10-2011 10:49

    In tacacs+, you can define the following three types of authentication:

    default authentication = file /etc/passwd
    default authentication = pam pap
    default authentication = db <mysql>

    If you are using /etc/passwd-based authentication, then you should keep the following things in mind:

    1. All Linux account usernames/passwords (including root) will be able to log in to the SRX firewalls.

    2. You can NOT define permissions / authorization in the "tac_plus.cfg" or "tacacs.conf" file as you normally do, e.g.

      service = junos-exec {
         local-user-name = <username-local-to-router>
         allow-commands = "<allow-commands-regex>"
         allow-configuration = "<allow-configuration-regex>"
         deny-commands = "<deny-commands-regex>"
         deny-configuration = "<deny-configuration-regex>"
      }

    3. In order to authorize the users, the better way is to override the TACACS authorization and define your own user class in SRX / Junos, e.g.

    set system login class operations-group permissions network
    set system login class operations-group permissions view
    set system login user operations full-name "Users with Limited Access"
    set system login user operations class operations-group

    4. In this way, your authentication will be done by the Linux-based TACACS server; however, permissions will be granted by SRX / Junos.

    regards



  • 3.  RE: tacacs help

    Posted 09-10-2011 11:44

    Thanks rasmus, I have tested the solution you proposed; it works. Now I am able to authenticate using Ubuntu and authorize by Junos.

    But now my question is, is there any option to configure authorization on the TACACS server as well? Sorry for bugging .. 🙂

    gratitude

    uzee



  • 4.  RE: tacacs help

    Posted 04-06-2016 19:57

    Hi everybody,

    I have trouble with a TACACS server.

    I could authenticate by TACACS successfully, but the authorization is not successful when I tested it. I want to deny the command "set interface xxx", but I can still run that command when I do authorization on TACACS. Could somebody help me?

    My TACACS server is built from CentOS.

    My config on the TACACS server is as below:

    user = test01 {
        login = PAM
        service = junos-exec {
            local-user-name = test01
            #allow-commands = "<allow-commands-regex>"
            #allow-configuration = "<allow-configuration-regex>"
            #deny-commands = "<deny-commands-regex>"
            deny-configuration = "set interfaces.*"
        }
    }

    And here is my config on Junos:

    set system login class Viewonly permissions all

    set system login user test01 uid 2021
    set system login user test01 class Viewonly

    set system tacplus-server 202.151.160.7 secret "$9$fQnCOBErK80BIcyKx724aGi."
    set system tacplus-server 202.151.160.7 source-address 10.30.10.188

    set system authentication-order tacplus
    set system authentication-order password

    set system accounting events login
    set system accounting events change-log
    set system accounting events interactive-commands
    set system accounting destination tacplus

    test01@Juniper-Lab> show cli authorization

    Individual command authorization:
    Allow regular expression: none
    Deny regular expression: none
    Allow configuration regular expression: none
    Deny configuration regular expression: (set interfaces.*)
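To make the two authorization paths in this thread concrete (the junos-exec service stanza shown in reply 2, and the deny-configuration regex that reply 4 reports as not taking effect), here is an added example in Python. It is not code from this thread, from tac_plus, or from Junos. It parses a constructed tac_plus.cfg fragment shaped like the one posted above (commented-out lines contribute nothing, as in the posted config) and models how a Junos device applies a deny-configuration regex: the pattern is tested against the configuration statement path (for example `interfaces ge-0/0/0 unit 0`), not against the CLI line the operator typed with the `set` keyword in front. The sample config, the usernames test01/test02, the set of editing keywords stripped, and the anchoring of the regex at the start of the path (`re.match`) are assumptions of this model, not behaviour verified against a device; statements are assumed to be entered at the top of the `[edit]` hierarchy.

```python
import re

# Constructed sample (not a real server's config): the junos-exec stanza
# shape posted in this thread. test01 writes the regex the way that fails
# to match; test02 writes it against the statement path.
SAMPLE_TAC_PLUS_CFG = """
user = test01 {
    login = PAM
    service = junos-exec {
        local-user-name = test01
        #allow-commands = "<allow-commands-regex>"
        #deny-commands = "<deny-commands-regex>"
        deny-configuration = "set interfaces.*"
    }
}
user = test02 {
    login = PAM
    service = junos-exec {
        local-user-name = test02
        deny-configuration = "interfaces.*"
        deny-commands = "request system reboot"
    }
}
"""

# Attribute names Junos understands in the junos-exec service.
JUNOS_ATTRS = ("local-user-name", "allow-commands", "deny-commands",
               "allow-configuration", "deny-configuration")

# Editing keywords assumed to precede a statement path typed at [edit].
EDIT_KEYWORDS = ("set", "delete", "deactivate", "activate", "edit")


def parse_junos_exec(cfg: str) -> dict:
    """Return {username: {attr: value}} for every junos-exec stanza.

    Lines beginning with '#' are comments and yield no attribute, so a
    commented-out allow-commands line leaves the user with no allow regex.
    """
    users, current, in_service = {}, None, False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'user\s*=\s*(\S+)\s*{', line)
        if m:
            current, in_service = m.group(1), False
            users[current] = {}
            continue
        if re.match(r'service\s*=\s*junos-exec\s*{', line):
            in_service = True
            continue
        if line == "}":
            in_service = False  # closes the service block (or the user block)
            continue
        m = re.match(r'([\w-]+)\s*=\s*"?([^"]*)"?', line)
        if m and in_service and current and m.group(1) in JUNOS_ATTRS:
            users[current][m.group(1)] = m.group(2)
    return users


def to_statement_path(cli_line: str) -> str:
    """Strip the editing keyword the operator typed, leaving the statement
    path that the model evaluates (assumption: command typed at top of [edit])."""
    parts = cli_line.strip().split(None, 1)
    if parts and parts[0] in EDIT_KEYWORDS:
        return parts[1] if len(parts) > 1 else ""
    return cli_line.strip()


def config_change_denied(attrs: dict, cli_line: str) -> bool:
    """Model of the Junos deny-configuration check: the regex is matched
    against the statement path, never against the 'set ...' line itself.
    Anchoring at the start of the path via re.match is this model's assumption."""
    pattern = attrs.get("deny-configuration")
    if not pattern:
        return False
    return re.match(pattern, to_statement_path(cli_line)) is not None


if __name__ == "__main__":
    users = parse_junos_exec(SAMPLE_TAC_PLUS_CFG)
    change = "set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24"
    for name in ("test01", "test02"):
        print(name, users[name].get("deny-configuration"),
              "denied" if config_change_denied(users[name], change) else "ALLOWED")
```

Run as a script it shows test01's `set interfaces.*` never matching the path `interfaces ge-0/0/0 ...` (the change is allowed, which is the symptom reported above), while test02's `interfaces.*` denies it; the same parser can be pointed at a real tac_plus.cfg to see which users actually carry junos-exec attributes and which have them all commented out.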