[j-nsp] Re: AAA on ERX to Cisco Secure ACS

Peter Lundqvist plundqvi at juniper.net
Mon Aug 1 15:33:58 EDT 2005


Not sure about Cisco payable servers... below is from my lab tac_plus 
share/freeware server... here i use the levels

FreeBSD server
--------------
(21:19 lunkan at oskar:/etc) more /usr/local/etc/tac_plus.conf
group = erx_su {
         default service = permit
         service = exec {
                 priv-lvl = 10 <<<
         }
}
group = erx_guest {
         default service = permit
         service = exec {
                 priv-lvl = 2 <<<
         }
}
user = erx {
         login = cleartext erx
         member = erx_su
}
user = erx_noc {
         login = cleartext erx_noc
         member = erx_guest
}
[...]



The the Router setup
--------------------
aaa new-model
aaa authentication login default tacacs+ none
aaa authentication login home none
aaa authentication enable default none
aaa authorization exec default tacacs+ if-authenticated
aaa authorization commands 0 default tacacs+ if-authenticated
aaa authorization commands 1 default tacacs+ if-authenticated
aaa authorization commands 2 default tacacs+ if-authenticated
aaa authorization commands 3 default tacacs+ if-authenticated
aaa authorization commands 4 default tacacs+ if-authenticated
aaa authorization commands 5 default tacacs+ if-authenticated
aaa authorization commands 10 default tacacs+ if-authenticated
aaa accounting exec default start-stop tacacs+
aaa accounting commands 0 default stop-only tacacs+
aaa accounting commands 1 default stop-only tacacs+
aaa accounting commands 2 default stop-only tacacs+
aaa accounting commands 3 default stop-only tacacs+
aaa accounting commands 4 default stop-only tacacs+
aaa accounting commands 5 default stop-only tacacs+
aaa accounting commands 10 default stop-only tacacs+
aaa accounting commands 15 default stop-only tacacs+
aaa local database default
aaa local username lunkan database default
password lunkan
!
line vty 0 4
authorization exec default
authorization commands 0 default
authorization commands 1 default
authorization commands 2 default
authorization commands 3 default
authorization commands 4 default
authorization commands 5 default
authorization commands 10 default
authorization commands 15 default
!
line console 0
  login authentication home
!
tacacs-server source-address 1.1.1.9
tacacs-server host 1.0.8.200 key lunkan primary
tacacs-server host 192.168.1.111 key lunkan













Kim Onnel wrote:
> I need to do auhtorization to management on the box, everyoen connected now 
> can do all level configurations, i need to restrict that, will ERX work with 
> any open-source tacacs+ server ?
> 
> Does it work with Cisco Secure ACS ?
> 
> On 8/1/05, Peter Lundqvist <plundqvi at juniper.net> wrote:
> 
>>
>>Not corrected, just an add...
>>honestly i prefer syslog anyday for any logging, much easier to use
>>with scripting etc...
>>
>>
>>Thomas, Steven wrote:
>>
>>>I stand corrected. What code version is that? Its been a while since I
>>>tried it, maybe I just didn't have the aaa statements right.
>>>
>>>-----Original Message-----
>>>From: Peter Lundqvist [mailto:plundqvi at juniper.net]
>>>Sent: Monday, August 01, 2005 10:40 AM
>>>To: Thomas, Steven
>>>Cc: Kim Onnel; juniper-nsp at puck.nether.net
>>>Subject: Re: [j-nsp] Re: AAA on ERX to Cisco Secure ACS
>>>
>>>
>>>Of course it do Tacacs accounting
>>>
>>>
>>>17:37 lunkan at emanuel:~) ssh 192.168.0.66 <http://192.168.0.66>
>>>User Access Verification
>>>Username: erx
>>>Password: ***
>>>Logged in on vty 0 via SSH.
>>>Copyright (c) 1999-2005 Juniper Networks, Inc. All rights reserved.
>>>
>>>erx#sh subc
>>>
>>>erx#sh subscrib
>>>erx#sh subscribers
>>>Subscriber List
>>>---------------
>>>Virtual
>>>User Name Type Addr|Endpt Router
>>>------------------------ ----- -------------------- ------------
>>>lunkan_ppp at lunkan.net tnl 1.1.1.5/l2tp <http://1.1.1.5/l2tp> default
>>>User Name Interface
>>>------------------------ --------------------------------
>>>lunkan_ppp at lunkan.net FastEthernet 2/3
>>>User Name Login Time
>>>------------------------ -------------------
>>>lunkan_ppp at lunkan.net 05/08/01 17:37:46
>>>
>>>erx#
>>>
>>>
>>>Tacacs server
>>>--------------
>>>(17:36 lunkan at emanuel:/var/tmp) tail -f tacacs.acct
>>>Mon Aug 1 17:37:06 2005 192.168.0.66 <http://192.168.0.66> erx vty0
>>>192.168.0.99 <http://192.168.0.99> start task_id=17826329 timezone=UTC
>>>service=shell
>>>Mon Aug 1 17:37:09 2005 192.168.0.66 <http://192.168.0.66> erx vty0
>>>192.168.0.99 <http://192.168.0.99> stop task_id=17826331 timezone=UTC
>>>service=shell priv-lvl=0 cmd=exit <cr>
>>>Mon Aug 1 17:37:09 2005 192.168.0.66 <http://192.168.0.66> erx vty0
>>>192.168.0.99 <http://192.168.0.99> stop task_id=17826329 timezone=UTC
>>>service=shell elapsed_time=3
>>>Mon Aug 1 17:37:52 2005 192.168.0.66 <http://192.168.0.66> erx vty0
>>>192.168.0.200 <http://192.168.0.200> start task_id=17826336 timezone=UTC
>>>service=shell
>>>Mon Aug 1 17:38:02 2005 192.168.0.66 <http://192.168.0.66> erx vty0
>>>192.168.0.200 <http://192.168.0.200> stop task_id=17826338 timezone=UTC
>>>service=shell priv-lvl=5 cmd=show subscribers <cr>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>Thomas, Steven wrote:
>>>
>>>
>>>>In my experience, the ERX does not do TACACs accounting. At least not
>>>>in the Cisco sense. Assuming that you're wanting command line
>>>>accounting, you have to use syslog. You can get CLI logging turned on
>>>>and sent to a syslog server with the following commands:
>>>>
>>>>log destination syslog 10.38.232.16 <http://10.38.232.16> facility 7 
>>
>>severity debug
>>
>>>>log severity info cliCommand
>>>>
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: juniper-nsp-bounces at puck.nether.net
>>>>[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Kim Onnel
>>>>Sent: Sunday, July 31, 2005 5:21 AM
>>>>To: juniper-nsp at puck.nether.net
>>>>Subject: [j-nsp] Re: AAA on ERX to Cisco Secure ACS
>>>>
>>>>Hello, i have asked this question before, i would appreciate any tips
>>>>about
>>>>it.
>>>>
>>>>Regards
>>>>
>>>>On 6/28/05, Kim Onnel <karim.adel at gmail.com> wrote:
>>>>
>>>>
>>>>
>>>>>Hello,
>>>>>
>>>>>We have a c vendor based network, juniper is stepping in, we started
>>>>
>>>>with
>>>>
>>>>
>>>>
>>>>>an ERX and our TACACS is done from a Cisco Secure ACS software, its an
>>>>
>>>>old
>>>>
>>>>
>>>>
>>>>>version (3.1), i would like to be able to receive accounting and do
>>>>>authorzation from there, the authentication is working though, has
>>>>
>>>>anyone
>>>>
>>>>
>>>>
>>>>>had any experience with this, how do i make the ACS juniper-enabled ?
>>>>>
>>>>>Regards
>>>>>
>>>>
>>>>_______________________________________________
>>>>juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>http://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>
>>>>_______________________________________________
>>>>juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>http://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>>
>>>
>>
>>--
>>Peter Lundqvist - Beta Engineering
>>Juniper Networks
>>Mobile: +46702060472
>>URL : http://www.juniper.net
>>
> 
> 


-- 
Peter Lundqvist - Beta Engineering
Juniper Networks
Mobile: +46702060472
URL   : http://www.juniper.net


More information about the juniper-nsp mailing list