
TACACS+ does not work with SSH Firewall Filter

‎02-21-2018 04:39 PM

Hello, I am trying to limit SSH access to a switch from a list of prefixes, and at the same time utilize TACACS+ for authentication.

 

I have an EX-2200 on which I have defined a prefix-list with a few subnets, and have applied it to a vlan.

 

set policy-options prefix-list SSH X.X.X.80/28

set policy-options prefix-list SSH X.X.X.240/28

set firewall family inet filter SSH term allow-ssh from prefix-list SSH
set firewall family inet filter SSH term allow-ssh from destination-port ssh
set firewall family inet filter SSH term allow-ssh then accept

set interfaces vlan unit 4 family inet filter input SSH

 

The firewall filter works for allowing SSH access to the switch, but it appears to fail at authenticating my TACACS+ credentials. When I use a user local to the switch, I am able to SSH into it without problem with the firewall filter applied. But using a TACACS+ credential, it continually fails, saying the password is incorrect.

 

When I do not have the firewall filter in place, the TACACS authentication works like a charm.

 

Any thoughts on what might be the hangup here? Thanks!


Re: TACACS+ does not work with SSH Firewall Filter

‎02-21-2018 06:12 PM

Hi,

 

Likely everything other than tcp/22 is being blocked as well with your filter.

 

You have two options:

 

1. Add a term to deny other networks access to tcp/22 and permit everything else.

2. Explicitly permit all of the other ports/protocols that you require, including TACACS+.

 

i.e. for option 1:

set firewall family inet filter SSH term allow-ssh from prefix-list SSH
set firewall family inet filter SSH term allow-ssh from destination-port ssh
set firewall family inet filter SSH term allow-ssh then accept

set firewall family inet filter SSH term block-ssh from destination-port ssh
set firewall family inet filter SSH term block-ssh then discard

set firewall family inet filter SSH term allow-rest then accept

 

Tim

 


Re: TACACS+ does not work with SSH Firewall Filter

‎02-21-2018 10:30 PM

I assume that vlan 4 (where you are applying the filter) is just used for management and TACACS+ authentication traffic.

 

Since you are defining the filter with only an SSH allow term, the filter is denying all the other traffic.

 

You may change it like this to have SSH access and TACACS+ authentication working.

I also assume that the prefix list has your TACACS+ server IP address in the configured range.

 

set policy-options prefix-list SSH X.X.X.80/28

set policy-options prefix-list SSH X.X.X.240/28

 

set firewall family inet filter SSH term allow-tacplus from prefix-list SSH
set firewall family inet filter SSH term allow-tacplus from destination-port 49
set firewall family inet filter SSH term allow-tacplus then accept

(49 is the default TACACS+ port.)

set firewall family inet filter SSH term allow-ssh from prefix-list SSH
set firewall family inet filter SSH term allow-ssh from destination-port ssh
set firewall family inet filter SSH term allow-ssh then accept

set interfaces vlan unit 4 family inet filter input SSH

 


HTH.


Re: TACACS+ does not work with SSH Firewall Filter

‎02-22-2018 04:28 PM

Thanks thynard. You were right. I knew there was something up with the firewall rule, and that it did seem to be blocking all other traffic. So after I added your configuration, everything started working perfectly. Thanks again!
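As an added example (not configuration from any poster in this thread), here is the same idea written out as a complete filter with an explicit final discard term and a counter, so that drops are visible instead of silent. The filter name MGMT, the prefix-list names and the addresses (192.0.2.0/24 documentation space, with 192.0.2.10 standing in for the TACACS+ server) are placeholders. One detail worth being precise about: the switch opens the TACACS+ TCP session towards the server's port 49, so on an input filter the server's replies arrive with source port 49, and that is what the term below matches.

```junos
set policy-options prefix-list SSH-CLIENTS 192.0.2.80/28
set policy-options prefix-list SSH-CLIENTS 192.0.2.240/28
set policy-options prefix-list TACPLUS-SERVERS 192.0.2.10/32

set firewall family inet filter MGMT term allow-tacplus-replies from source-prefix-list TACPLUS-SERVERS
set firewall family inet filter MGMT term allow-tacplus-replies from protocol tcp
set firewall family inet filter MGMT term allow-tacplus-replies from source-port 49
set firewall family inet filter MGMT term allow-tacplus-replies then accept

set firewall family inet filter MGMT term allow-ssh from source-prefix-list SSH-CLIENTS
set firewall family inet filter MGMT term allow-ssh from protocol tcp
set firewall family inet filter MGMT term allow-ssh from destination-port ssh
set firewall family inet filter MGMT term allow-ssh then accept

set firewall family inet filter MGMT term deny-rest then count mgmt-denied
set firewall family inet filter MGMT term deny-rest then discard

set interfaces vlan unit 4 family inet filter input MGMT
```

After committing, `show firewall filter MGMT` shows the mgmt-denied counter; if it climbs while a login hangs, something the switch needs on that VLAN (for example DNS, NTP or syslog replies) still needs its own accept term, which is exactly the situation the original SSH-only filter created for TACACS+. The final deny-rest term behaves like the implicit discard at the end of every Junos filter, just with a counter attached. If the goal is to protect the switch itself rather than one VLAN, the usual practice is to apply this kind of filter to the lo0 interface, where it covers all traffic destined to the routing engine regardless of which interface it enters on.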