Screen OS

  • 1.  Juniper SSG and Cisco ACS v5.x

    Posted 01-26-2012 09:35

    I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma.  I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.


    Title:  Configuration Example - Juniper SSG and Cisco ACS v5.x


    Product:  Juniper SSG320M        (Cisco ACS v5.x)

    Version:  ScreenOS 6.3.0r10.0    (Cisco ACS v5.2.0.26.8)


    Network Topology:

          [Juniper SSG320M]-----[Cisco 3560 Switch]-----[Cisco ACS VM]


    Description:

         Purpose - Authenticate SSG administrators using TACACS+ instead of local logins

         Description - This configuration is for Cisco ACS v5.x; JTAC only had the v3.3 configuration.
                                 ACS v5.x is a Linux-based VM with a completely new user interface and structure.


    Configuration:

      Configure the Juniper (CLI)

      1. Add the Cisco ACS and TACACS+ configuration

         set auth-server CiscoACSv5 id 1
         set auth-server CiscoACSv5 server-name 192.168.1.100
         set auth-server CiscoACSv5 account-type admin
         set auth-server CiscoACSv5 type tacacs
         set auth-server CiscoACSv5 tacacs secret CiscoACSv5
         set auth-server CiscoACSv5 tacacs port 49
         set admin auth server CiscoACSv5
         set admin auth remote primary
         set admin auth remote root
         set admin privilege get-external


      Configure the Cisco ACS v5.x (GUI)
      1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
            Create the Juniper Shell Profile. 
            Click the [Create] button at the bottom of the page
                    Select the General tab
                            Name:    Juniper
                            Description:  Custom Attributes for Juniper SSG320M
                    Select the Custom Attributes tab

                        Add the vsys attribute:
                            Attribute:                vsys
                            Requirement:       Mandatory
                            Value:                    root
                            Click the [Add^] button above the Attribute field

                        Add the privilege attribute:

                            Attribute:                privilege
                            Requirement:       Mandatory
                            Value:                    root

                                    Note: you can also use 'read-write', but then local admin doesn't work correctly
                            Click the [Add^] button above the Attribute field
                    Click the [Submit] button at the bottom of the page


      2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
            Create the Juniper Authorization Policy and filter by Device IP Address.
            Click the [Customize] button at the bottom right of the page
                    Under Customize Conditions, select Device IP Address from the left window
                            Click the [>] button to add it
                    Click the [OK] button to close the window


                    Click the [Create] button at the bottom of the page to create a new rule
                            Under General, name the new rule Juniper, and ensure it is Enabled
                            Under Conditions, check the box next to Device IP Address
                                    Enter the IP address of the Juniper (192.168.1.100)
                            Under Results, click the [Select] button next to the Shell Profile field
                                    Select 'Juniper' and click the [OK] button
                            Under Results, click the [Select] button below the Command Sets (if used) field
                                    Select 'Permit All' and ensure all other boxes are UNCHECKED
                            Click the [OK] button to close the window
                    Click the [OK] button at the bottom of the page to close the window
                    Check the box next to the Juniper policy, then move the policy to the top of the list
                    Click the [Save Changes] button at the bottom of the page


    Verification:  

      Log in to the Juniper CLI and GUI using an ACS Internal User account, and attempt to change something to verify privilege level.



    #netscreen
    #SSG
    #CiscoACS
    #tacacs
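An added example, not part of the original post or of Juniper's or Cisco's code, modelling how the shell profile's Custom Attributes (vsys and privilege, both Mandatory) travel in a TACACS+ authorization reply as attribute-value pairs, where RFC 8907 uses `attr=value` for mandatory and `attr*value` for optional, and how a client evaluates them. The attribute set the SSG consumes, the accepted privilege values and the reply-checking logic are assumptions for illustration, not ScreenOS's actual behaviour.

```python
# Added example (not from the original post): ACS shell-profile custom attributes as
# TACACS+ authorization AV pairs, and a client-side check of the reply. Assumed values.
from typing import Dict, List, Tuple

KNOWN_ATTRS = {"vsys", "privilege"}      # attributes the SSG is assumed to consume
ALLOWED_PRIV = {"root", "read-write"}    # privilege values named in the post


def encode_av_pair(attr: str, value: str, mandatory: bool = True) -> str:
    """RFC 8907: 'attr=value' is a mandatory pair, 'attr*value' an optional one."""
    if "=" in attr or "*" in attr:
        raise ValueError(f"attribute name may not contain '=' or '*': {attr!r}")
    return f"{attr}{'=' if mandatory else '*'}{value}"


def decode_av_pair(pair: str) -> Tuple[str, str, bool]:
    """Split on the first '=' or '*'; the value itself may contain either."""
    for i, ch in enumerate(pair):
        if ch in "=*":
            return pair[:i], pair[i + 1:], ch == "="
    raise ValueError(f"malformed AV pair: {pair!r}")


def shell_profile_to_av_pairs(custom_attrs: Dict[str, Tuple[str, bool]]) -> List[str]:
    """custom_attrs maps attribute -> (value, mandatory) as entered in the ACS GUI."""
    return [encode_av_pair(a, v, m) for a, (v, m) in custom_attrs.items()]


def authorize_admin(pairs: List[str]) -> Tuple[bool, str]:
    """Decide whether a reply grants SSG admin access; returns (granted, reason).
    An unknown *mandatory* attribute fails authorization (RFC 8907 rule); an unknown
    optional one is ignored. Both vsys and privilege must be present."""
    got: Dict[str, str] = {}
    for pair in pairs:
        attr, value, mandatory = decode_av_pair(pair)
        if attr not in KNOWN_ATTRS:
            if mandatory:
                return False, f"unsupported mandatory attribute {attr!r}"
            continue
        got[attr] = value
    missing = KNOWN_ATTRS - set(got)
    if missing:
        return False, f"missing attribute(s): {sorted(missing)}"
    if got["privilege"] not in ALLOWED_PRIV:
        return False, f"unexpected privilege value {got['privilege']!r}"
    return True, f"vsys={got['vsys']} privilege={got['privilege']}"


# Constructed sample: the shell profile exactly as the post describes it.
JUNIPER_PROFILE = {"vsys": ("root", True), "privilege": ("root", True)}
```

The mandatory/optional distinction is why the GUI's Requirement field matters: a mandatory attribute the device does not understand makes the whole authorization fail, while an optional one is simply dropped.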


  • 2.  RE: Juniper SSG and Cisco ACS v5.x
    Best Answer

    Posted 01-26-2012 14:26