[j-nsp] Re: AAA on ERX to Cisco Secure ACS

Kim Onnel karim.adel at gmail.com
Mon Aug 1 15:15:40 EDT 2005


I need to do authorization to management on the box, everyone connected now 
can do all level configurations, I need to restrict that, will ERX work with 
any open-source tacacs+ server?

Does it work with Cisco Secure ACS ?

On 8/1/05, Peter Lundqvist <plundqvi at juniper.net> wrote:
> 
> 
> Not corrected, just an add...
> honestly I prefer syslog any day for any logging, much easier to use
> with scripting etc...
> 
> 
> Thomas, Steven wrote:
> > I stand corrected. What code version is that? It's been a while since I
> > tried it, maybe I just didn't have the aaa statements right.
> >
> > -----Original Message-----
> > From: Peter Lundqvist [mailto:plundqvi at juniper.net]
> > Sent: Monday, August 01, 2005 10:40 AM
> > To: Thomas, Steven
> > Cc: Kim Onnel; juniper-nsp at puck.nether.net
> > Subject: Re: [j-nsp] Re: AAA on ERX to Cisco Secure ACS
> >
> >
> > Of course it does Tacacs accounting
> >
> >
> > 17:37 lunkan at emanuel:~) ssh 192.168.0.66
> > User Access Verification
> > Username: erx
> > Password: ***
> > Logged in on vty 0 via SSH.
> > Copyright (c) 1999-2005 Juniper Networks, Inc. All rights reserved.
> >
> > erx#sh subc
> >
> > erx#sh subscrib
> > erx#sh subscribers
> > Subscriber List
> > ---------------
> >                                                     Virtual
> > User Name                Type  Addr|Endpt           Router
> > ------------------------ ----- -------------------- ------------
> > lunkan_ppp at lunkan.net tnl   1.1.1.5/l2tp         default
> > User Name                Interface
> > ------------------------ --------------------------------
> > lunkan_ppp at lunkan.net FastEthernet 2/3
> > User Name                Login Time
> > ------------------------ -------------------
> > lunkan_ppp at lunkan.net 05/08/01 17:37:46
> >
> > erx#
> >
> >
> > Tacacs server
> > --------------
> > (17:36 lunkan at emanuel:/var/tmp) tail -f tacacs.acct
> > Mon Aug 1 17:37:06 2005 192.168.0.66 erx vty0 192.168.0.99 start task_id=17826329 timezone=UTC service=shell
> > Mon Aug 1 17:37:09 2005 192.168.0.66 erx vty0 192.168.0.99 stop task_id=17826331 timezone=UTC service=shell priv-lvl=0 cmd=exit <cr>
> > Mon Aug 1 17:37:09 2005 192.168.0.66 erx vty0 192.168.0.99 stop task_id=17826329 timezone=UTC service=shell elapsed_time=3
> > Mon Aug 1 17:37:52 2005 192.168.0.66 erx vty0 192.168.0.200 start task_id=17826336 timezone=UTC service=shell
> > Mon Aug 1 17:38:02 2005 192.168.0.66 erx vty0 192.168.0.200 stop task_id=17826338 timezone=UTC service=shell priv-lvl=5 cmd=show subscribers <cr>
> >
> > Thomas, Steven wrote:
> >
> >>In my experience, the ERX does not do TACACS accounting. At least not
> >>in the Cisco sense. Assuming that you're wanting command line
> >>accounting, you have to use syslog. You can get CLI logging turned on
> >>and sent to a syslog server with the following commands:
> >>
> >> log destination syslog 10.38.232.16 facility 7 severity debug
> >> log severity info cliCommand
> >>
> >>
> >>
> >>-----Original Message-----
> >>From: juniper-nsp-bounces at puck.nether.net
> >>[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Kim Onnel
> >>Sent: Sunday, July 31, 2005 5:21 AM
> >>To: juniper-nsp at puck.nether.net
> >>Subject: [j-nsp] Re: AAA on ERX to Cisco Secure ACS
> >>
> >>Hello, I have asked this question before, I would appreciate any tips
> >>about it.
> >>
> >>Regards
> >>
> >>On 6/28/05, Kim Onnel <karim.adel at gmail.com> wrote:
> >>
> >>
> >>>Hello,
> >>>
> >>>We have a c vendor based network, juniper is stepping in, we started with
> >>>an ERX and our TACACS is done from a Cisco Secure ACS software, it's an old
> >>>version (3.1), I would like to be able to receive accounting and do
> >>>authorization from there, the authentication is working though, has anyone
> >>>had any experience with this, how do I make the ACS juniper-enabled?
> >>>
> >>>Regards
> >>>
> >>
> >>_______________________________________________
> >>juniper-nsp mailing list juniper-nsp at puck.nether.net
> >>http://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> >
> >
> 
> 
> --
> Peter Lundqvist - Beta Engineering
> Juniper Networks
> Mobile: +46702060472
> URL : http://www.juniper.net
>
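
Added example, not part of the thread or of any poster's code: a Python parser for the TACACS+ accounting records shown in the quoted `tail -f tacacs.acct` output, producing a per-command audit trail (time, user, remote address, privilege level, command). The sample lines are the thread's records unwrapped to one per line; whitespace-separated fields and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the accounting records quoted in the thread, one per line.
# Assumption: fields are whitespace-separated, as they appear in the archive.
SAMPLE = """\
Mon Aug 1 17:37:06 2005 192.168.0.66 erx vty0 192.168.0.99 start task_id=17826329 timezone=UTC service=shell
Mon Aug 1 17:37:09 2005 192.168.0.66 erx vty0 192.168.0.99 stop task_id=17826331 timezone=UTC service=shell priv-lvl=0 cmd=exit <cr>
Mon Aug 1 17:37:09 2005 192.168.0.66 erx vty0 192.168.0.99 stop task_id=17826329 timezone=UTC service=shell elapsed_time=3
Mon Aug 1 17:37:52 2005 192.168.0.66 erx vty0 192.168.0.200 start task_id=17826336 timezone=UTC service=shell
Mon Aug 1 17:38:02 2005 192.168.0.66 erx vty0 192.168.0.200 stop task_id=17826338 timezone=UTC service=shell priv-lvl=5 cmd=show subscribers <cr>
"""

# timestamp, NAS address, user, port, remote address, record type, attribute pairs
RECORD = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4})\s+(?P<nas>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<port>\S+)\s+(?P<remote>\S+)\s+(?P<flag>start|stop|update)\s+(?P<avs>.*)$")


def parse_record(line):
    """Return one accounting record as a dict, or None if the line is malformed."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%a %b %d %H:%M:%S %Y")
    # Split only where a new key= begins, so "cmd=show subscribers <cr>" stays whole.
    # Limitation: a command argument that itself looks like key=value is split off.
    avs = re.split(r"\s+(?=[\w-]+=)", rec.pop("avs"))
    rec["attrs"] = dict(av.split("=", 1) for av in avs if "=" in av)
    return rec


def command_audit(text):
    """List (time, user, remote address, priv-lvl, command) for each command record."""
    rows = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and "cmd" in rec["attrs"]:
            cmd = rec["attrs"]["cmd"].replace("<cr>", "").strip()
            rows.append((rec["ts"].isoformat(), rec["user"], rec["remote"],
                         int(rec["attrs"].get("priv-lvl", -1)), cmd))
    return rows


if __name__ == "__main__":
    for row in command_audit(SAMPLE):
        print(row)
```

Session start/stop records carry no `cmd` attribute and are skipped; only the per-command stop records end up in the audit list.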

