Junos

PAM rejecting logon with expired after TACACS+ (Cisco ACS) records a successful logon to EX4300 device.

‎03-18-2020 11:42 AM

We have EX4300s and all the devices reject my TACACS+ logon even though TACACS+ (Cisco ACS) reports a successful logon to the Juniper device. PAM records an expired account error message. There is no local account on the switch with the same name. Any user who tries gets the exact same error message.

 


Re: PAM rejecting logon with expired after TACACS+ (Cisco ACS) records a successful logon to EX4300 device.

‎03-18-2020 12:11 PM

Hi theslogan1962,

 

I hope you are doing great!

 

Can you please add the following command and let me know:

 

set system login user remote class super-user

 

Pablo,

Solution
Accepted by topic author theslogan1962
‎03-25-2020 07:57 AM

Re: PAM rejecting logon with expired after TACACS+ (Cisco ACS) records a successful logon to EX4300 device.

‎03-19-2020 08:47 PM

Hi,

 

Good day!

I guess the link below will be of great use to you.

 

https://www.juniper.net/documentation/en_US/junos13.1/topics/example/authentication-configuration-ta...

 

You need to create a user named remote, and all the users who get authenticated by TACACS+ will use that template.

The error is because the user is successfully authenticated by TACACS+, but there is no remote profile, hence you are unable to log in to the switch.

If the issue still persists, you can provide the configuration and we can have a check.
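The configuration below is an added example that is not part of this thread or of Juniper's documentation. It shows the template-user mechanism the accepted answer describes, plus the least-privilege shape a practitioner would normally want instead of a single super-user template: TACACS+-authenticated users fall into the "remote" template unless the ACS authorisation reply carries the Juniper VSA local-user-name, in which case Junos applies the local template user of that name. The server address, shared secret, uid values, class names and the "netadmin" and "breakglass" user names are assumptions; lines starting with ## are explanatory and are not commands.

```junos
## Added example (not the thread author's or Juniper's own configuration).
## Paste in configuration mode, then use "commit confirmed 5" so a mistake
## in the AAA settings cannot lock you out permanently.

## TACACS+ server; address, secret and timeout are assumed values.
set system tacplus-server 192.0.2.10 secret "Tacacs-Shared-Secret"
set system tacplus-server 192.0.2.10 timeout 5
set system tacplus-server 192.0.2.10 single-connection

## Try TACACS+ first. With "password" also listed, the local password
## database is consulted when TACACS+ rejects the user; without it, local
## passwords are only tried when no TACACS+ server answers at all.
set system authentication-order [ tacplus password ]

## Default template. Any TACACS+-authenticated user whose authorisation
## reply carries no local-user-name attribute is mapped to "remote".
## If neither this user nor a matching local-user-name template exists,
## PAM refuses the login even though ACS has already reported Accept,
## which is the symptom described in the original post.
set system login class ro-operator permissions [ view view-configuration ]
set system login user remote uid 2001 class ro-operator
set system login user remote full-name "TACACS+ default template (read-only)"

## Admin template. In the ACS shell authorisation profile for the admin
## group, return the Juniper VSA local-user-name = netadmin; Junos then
## applies this template instead of "remote" for those users only.
set system login user netadmin uid 2002 class super-user
set system login user netadmin full-name "TACACS+ admin template"

## One local emergency account keeps the switch reachable when every
## TACACS+ server is down. "plain-text-password" prompts for the password.
set system login user breakglass uid 2003 class super-user
set system login user breakglass authentication plain-text-password
```

After committing, log in once as an ordinary TACACS+ user and once as an admin-group user and run "show cli authorization" in each session; the first should report the ro-operator permissions and the second super-user, which confirms that the local-user-name mapping is arriving from ACS rather than everyone landing in "remote". If a login still fails, "show log messages | match pam" on the switch shows whether the rejection is the missing-template error from the thread or something else.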


Re: PAM rejecting logon with expired after TACACS+ (Cisco ACS) records a successful logon to EX4300 device.

‎03-25-2020 07:58 AM

Thank you as what you showed me fixed the problem.

 

 


Re: PAM rejecting logon with expired after TACACS+ (Cisco ACS) records a successful logon to EX4300 device.

‎03-25-2020 07:59 AM

Thank you Pablo, as what you suggested got me to where I wanted to be!

 

 
