JUNOS Tacacs Integration

06-24-2008 12:33 PM

Does Junos (M7i) support integration with a Cisco TACACS server? If yes, can anyone please help me with the commands? I tried the following, but it didn't work:


set system tacplus-server IPADDRESS single-connection secret xxxxx

set system authentication-order tacplus


Tariq Morad
Re: JUNOS Tacacs Integration

06-25-2008 06:53 AM
Those are the right commands. Can you describe a bit how it failed?

Re: JUNOS Tacacs Integration

06-25-2008 08:15 AM

It just didn't log in with the username/password stored on TACACS! Even the local user stored on the router failed (glad to have the commit confirmed command) :)

What do you think the problem is? The TACACS server is working fine on many Cisco routers, but this is the first Juniper router within that network.

Tariq Morad

Re: JUNOS Tacacs Integration

06-25-2008 10:55 AM

Did you remember to configure a template account so that when TACACS replies with success, the user will have a login class assigned? Typically, most people will use the reserved username "remote" and assign it a login class:

Example:

system {
    login {
        user remote {
            full-name "Default for all users";
            uid 2001;
            class read-only;
        }
    }
}


Re: JUNOS Tacacs Integration

06-25-2008 03:48 PM

Arzo wrote:

> It just didn't log in with the username/password stored on TACACS! Even the local user stored on the router failed (glad to have the commit confirmed command) :)


Regarding local user account not working, notice the difference:


[edit]
system authentication-order tacplus;

"If a TACACS+ server is available, the JUNOS software will not try to use the password authentication...


and:

[edit]
system authentication-order [tacplus password];

"... provides a local user fallback mechanism ... when all TACACS+ servers are unavailable", or when the user fails to authenticate with TACACS+ (unknown user/bad password).


Next, follow robk's suggestion + some reading:


- Configuring Template Accounts for RADIUS and TACACS+ Authentication
- JUNOS RADIUS Authentication (yes, RADIUS, but useful info about template accounts)


What's your TACACS+ server? Cisco ACS, tac_plus?


Message Edited by xls on 06-26-2008 10:01 AM

Re: JUNOS Tacacs Integration

07-21-2008 11:14 AM

In addition to the authentication-order [tacplus password], you need to build a local user with the appropriate permissions on the M7i, then map in TACACS to have your account (or whomever's) use the permissions of that local account. You map that in TACACS (at least v3.2) under the individual user, and set up a special attribute for JUNOS-EXEC with the attribute "local-user-name=xxxxx", where xxxxx is the name of the user on the M7i.


Hope that helps...
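Pulling together robk's template account, xls's authentication order and the local-user-name mapping from this reply, here is a consolidated Junos configuration in set-command form. This is an added example, not configuration posted by anyone in the thread; the server address, the shared secret, the class name Engineer and the uids are placeholders.

```junos
## TACACS+ server (address and secret are placeholders), using the
## single-connection option from the original question.
set system tacplus-server 192.0.2.10 secret "CHANGE-ME"
set system tacplus-server 192.0.2.10 single-connection

## Authentication order. With "tacplus" alone, a reachable server that
## rejects the user ends the attempt: local passwords are never consulted,
## which is why the local account in the thread also stopped working.
## Listing "password" second gives the local fallback xls quoted.
##   avoid:  set system authentication-order tacplus
set system authentication-order [ tacplus password ]

## Template account used whenever the server authenticates a user but
## returns no local-user-name: everyone lands in a read-only class.
set system login user remote full-name "Default for all users"
set system login user remote uid 2001
set system login user remote class read-only

## Second template with broader rights. The server selects it per user
## by returning local-user-name=Engineer in the JUNOS-EXEC service.
## deny-commands trims the "all" permission set on the device side
## regardless of what the server sends.
set system login class Engineer permissions all
set system login class Engineer deny-commands "^request system (reboot|halt|zeroize)"
set system login user Engineer full-name "Template for TACACS+ engineers"
set system login user Engineer uid 2002
set system login user Engineer class Engineer
```

Users logging in via TACACS+ never have a local password: the template users exist only to supply a uid and a class, so the server decides who maps to Engineer and everyone else falls through to remote.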


Re: JUNOS Tacacs Integration

08-05-2008 05:29 AM

I can log in to the MX480 through TACACS (ACS v3.2), but TACACS doesn't return the user's attributes to the MX480.

I mean all users can log in as super user with no restrictions.

What can I do?


Re: JUNOS Tacacs Integration

10-13-2011 08:49 PM

Dear All Pro,


I don't map on the RADIUS server or TACACS+ on the ACS server ("You map that in TACACS (at least v3.2) under the individual user, and set up a special attribute for JUNOS-EXEC with the attribute "local-user-name=xxxxx", where xxxxx is the name of the user on the M7i."). Please give me instructions about this (step by step would be very good).


Thanks very much.


Re: JUNOS Tacacs Integration

10-18-2011 02:03 PM

This took a little work and I wrote a short how to on my website:

http://networkloafer.com/?page_id=104


You need to have these attributes in the TACACS+ server:

Attribute   Requirement   Value
vsys        Optional      remote (user id created on Junos)
Privilege   Optional      remote

Thanks


Re: JUNOS Tacacs Integration

02-20-2012 12:53 PM

Mate, read this: 1329768699022. Maybe it can help you.

Cheers :)

Jose


Re: JUNOS Tacacs Integration

04-12-2012 05:26 PM
dclarkjr1122

How did you come about matching "vsys" with remote and "privilege" with remote, when it looks to me that "tacplus_user" is the login user that has the class permissions associated?

What we did in ACS 4.2 was local-user-name = Engineer, and on the JUNOS platform we had:

system login user Engineer class Engineer
system login class Engineer permissions all

Additionally, we had a read-only account which referenced a class with view and view-configuration. But on the ACS profile we identified allow-commands and deny-commands within the custom attribute field.

In my case, unfortunately I am dealing with another group as I don't control my ACS appliance. I really need a step by step path to do this.

Thanks.

Re: JUNOS Tacacs Integration

06-26-2013 08:26 AM

Very good guide for ACS 5.x: https://supportforums.cisco.com/message/3954494#3954494. Be careful: the 'vsys' attribute is for ScreenOS.