Configuration Library

EX Cisco TACACS Authentication

11-27-2010 08:30 AM

Title: EX Cisco TACACS Authentication

Product: EX Switches

Version: EX3200 10.0S6.1 Tested

Network Topology: EX3200, Cisco TACACS Server

Description: The following configuration provides a method of authenticating administrators against a Cisco TACACS server.

Configuration:

The authentication order provides fallback to the local password if the TACACS server is unavailable. The server is the IP of the Cisco TACACS box and the source address is the IP of the switch. The IP, secret and login user must match what's configured on the TACACS box (see below).

system {
    authentication-order [ tacplus password ];
    tacplus-server {
        192.168.1.20 {
            /* shared key; must match the AAA client entry on the ACS */
            secret XXXXXX;
            /* IP the switch sources TACACS+ requests from; this is the
               address the ACS AAA client entry must be created for */
            source-address 192.168.1.5;
        }
    }
    login {
        /* local account with the same name as the ACS user */
        user johndoe {
            uid 2001;
            class super-user;
        }
    }
}

TACACS Instructions:
1. Login to the UI.
2. Click on Network Configuration and add an AAA client.
3. Specify the IP used in the "source-address" command above.  Enter the Secret Key and select Authenticate using "TACACS+ (Cisco IOS)".
4. Click Submit + Apply.
5. Click User Setup and add the appropriate user.  Be sure to select the ACS Internal Database type and add them to the proper group configured for TACACS.

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.

Re: EX Cisco TACACS Authentication

12-02-2010 01:07 PM

hi,

Good topic,  a lot of networks have Cisco and use TACACS+ (Cisco Secure Access Control Server - ACS).

Small correction/clarification:

authentication-order [ tacplus password ];

'The authentication order provides fail back to local password if the TACACS is unavailable'  OR if it returns a reject response. If we just need local password as a fallback mechanism only if TACACS is dead, we mustn't include the 'password' authentication method.

More info at http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-collections/swconfig-syste...
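The following is an added example, not configuration from either poster, that puts the two authentication-order variants discussed in this thread side by side on the same switch. Addresses, the secret and the user name are placeholders carried over from the original post; the timeout value is an arbitrary illustration, and the behaviour described in the comments is the documented Junos semantics that the reply above refers to.

```junos
/* Added example, not from the original post. Addresses, secret and
   user name are placeholders and must match the ACS AAA client entry. */

/* Variant A, as originally posted. Junos walks the list left to right and
   also tries 'password' when the TACACS+ server answers with a REJECT, so
   an account that has been disabled or deleted in ACS can still log in
   with a local password of the same name. */
system {
    authentication-order [ tacplus password ];
}

/* Variant B: central authentication with an emergency-only fallback.
   With 'password' left out of the list, the local password is consulted
   only when no configured tacplus-server responds at all; a REJECT from
   ACS is final. */
system {
    authentication-order tacplus;
    tacplus-server {
        192.168.1.20 {
            secret XXXXXX;
            source-address 192.168.1.5;
            /* seconds to wait for this server before moving on; an
               illustrative value, the Junos default is 3 */
            timeout 5;
        }
    }
    login {
        user johndoe {
            uid 2001;
            class super-user;
            /* this local account needs a password for the fallback to
               have anything to check; set it interactively with
               'set system login user johndoe authentication plain-text-password' */
        }
    }
}
```

Variant B is the one to use when the goal is that only the TACACS+ server decides who gets in: keep a strong local password on the administrative account so the box stays reachable if ACS is down, and treat any successful local login as an event worth alerting on, since under Variant B it means every configured TACACS+ server was unreachable at that moment.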


Re: EX Cisco TACACS Authentication

12-04-2010 07:30 AM

Thanks for the clarification.

John Judge
JNCIS-SEC, JNCIS-ENT,


Re: EX Cisco TACACS Authentication

04-28-2011 12:27 AM
If you're using Cisco ACS, you will need the service configured for TACACS authentication to work. Under "Interface Configuration", go to TACACS+ (Cisco IOS); then, under the service, tick "Shell (exec)". Then, under New Service, tick "Group" and define this service as "junos-exec".