remote login authorization policy / config question

05-09-2012 07:11 PM

I am new to Juniper.... a complete newb.   I appreciate the assistance and pointing me to supporting documentation so I can learn.  I am just not as comfortable with searching the KB yet, and couldn't quickly find supporting docs that discuss how this works.  Not familiar with what resources are all available.  // And need to get something working in a couple days.


I am lab testing a Tacacs+ (tac_plus) install.   I suppose I have a few questions, but so far I am stuck on one issue...  as long as whatever AAA method (radius, tacacs) is available (up/online), the policy needs to be that method is the only available way to login.  That is, we will have a couple local users (shared) on the box for disaster recovery / lockout protection... but all authentication needs to be done via a remote server.  The local logins should only be checked if the remote server is offline/unreachable.  Can this be achieved?   (Cisco did this either by default, or with no effort on my end, so I never explored the workings further.)   (And any 'best practice' suggestions to enforce no local users being configured by others? -- other than a third party configuration management tool to audit configs against policy.)


In other words, local login is only used if no other method is available.  If tacacs is online, the local users configured have no function (cannot be used to gain access at least).




my lab config:

maybe to kill two birds with one stone...

I am also looking for more info re the permissions, what/how the modes translate?

General best practices.  The below is just an example, I have not yet tried to set any real policy on it.

The thought was that "NOC1" would be mostly "read-only" type access (I'd add another similar user for Rancid), NOC2 is more privileged, ENG has full config access.  All users should be able to view the config though.  NOC2 to 'operate' in clearing processes, etc.



system {
    authentication-order [ tacplus password ];
    tacplus-server {
        10.0.X.Y {
            secret "REMOVED";
            timeout 3;
            source-address A.B.C.D;
        }
    }
    login {
        class ENG1 {
            permissions all;
        }
        class NOC1 {
            permissions [ interface maintenance routing ];
            allow-commands "show .*|ping.*|quit";
            deny-commands .*;
        }
        class NOC2 {
            permissions [ interface maintenance routing ];
            allow-commands "show .*|ping.*|request system snapshot|junoscript|quit";
            deny-commands .*;
        }
        user ENG1 {
            uid 2009;
            class ENG1;
        }
        user NOC1 {
            uid 2010;
            class NOC1;
        }
        user NOC2 {
            uid 2011;
            class NOC2;
        }
    }
}
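As an added illustration (not the original poster's config and not Juniper documentation), the following Junos fragment shows the arrangement the post asks about: remote authentication first, with local passwords consulted only when the TACACS+ server does not respond. The mechanism it relies on is the `authentication-order` statement: when `password` is left out of the list, Junos falls back to local password authentication only if every configured remote server is unreachable; when `password` is included (as in the lab config above), local authentication is also tried after the remote server actively rejects the login, which is the opposite of the policy described. The class names `ro-noc`, `full-eng`, the user `dr-admin`, the uids and the regexes are hypothetical; the server address, source address and secret are placeholders carried over from the post.

```junos
system {
    /* "password" deliberately omitted: local accounts are consulted only
       when no TACACS+ server answers, never after a remote rejection. */
    authentication-order tacplus;
    tacplus-server {
        10.0.X.Y {                    /* placeholder address from the post */
            secret "REMOVED";         /* placeholder shared secret */
            timeout 3;
            source-address A.B.C.D;   /* placeholder source address */
        }
    }
    login {
        /* Read-only class (hypothetical name). "view" and "view-configuration"
           cover show commands and reading the configuration; "maintenance" is
           intentionally not granted because it permits starting a shell and
           halting/rebooting the device. */
        class ro-noc {
            permissions [ view view-configuration ];
            allow-commands "^(show|ping|traceroute|quit)";
            deny-commands "^(request|start|restart|configure|edit)";
        }
        /* Full-access class (hypothetical name); "all" equals super-user. */
        class full-eng {
            permissions all;
        }
        /* Template user for remote logins: Junos maps a remotely authenticated
           user to the local "remote" template unless the TACACS+ server
           returns a local-user-name attribute naming another local user. */
        user remote {
            uid 2000;
            class ro-noc;
        }
        /* Break-glass local account: with the authentication-order above it
           can only log in while the TACACS+ server is unreachable. */
        user dr-admin {
            uid 2001;
            class full-eng;
            authentication {
                encrypted-password "$PLACEHOLDER_HASH$"; /* placeholder */
            }
        }
    }
}
```

Two details worth checking against the lab config above: Junos gives `allow-commands` precedence over `deny-commands` when a command matches both, so the `deny-commands .*` plus `allow-commands` pattern works as a default-deny, but the permissions flag list still matters because `maintenance` grants shell and reboot rights independently of the command regexes. On the tac_plus side, the per-user class mapping is returned in the `junos-exec` service as `local-user-name` (for example pointing at a local template such as `NOC1`), so the local template users carry no password and cannot be used to log in directly; only the deliberately created break-glass account should have one, and the remote server being unreachable is the only condition under which it is consulted.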