[j-nsp] Junos tacacs+ authentication using Cisco ACS
edwin pua
edgpua at yahoo.com
Thu Dec 22 21:18:09 EST 2005
Hi Thomas,
Thanks for this config. One more thing, what did you set on the type of authentication in your Cisco ACS for your juniper router. Is it TACACS(Cisco IOS) or RADIUS(Juniper)?
rgds,
Edwin
"Thomas, Steven" <SThomas at birch.com> wrote:
We also use Windows based Cisco ACS tacacs. This works for us.
system {
authentication-order [ tacplus password ];
tacplus-server {
x.x.x.y {
secret "blahblahblah"; ## SECRET-DATA
timeout 5;
source-address x.x.y.x;
}
x.x.x.z {
secret "blahblahblah"; ## SECRET-DATA
timeout 5;
source-address x.x.y.x;
}
}
accounting {
events [ login change-log interactive-commands ];
destination {
tacplus {
server {
x.x.x.y secret "$blahblahblah"; ## SE
CRET-DATA
}
}
}
class group1 {
permissions [ interface network routing snmp system view
firewall vi
ew-configuration ];
allow-commands "show log messages";
deny-commands "clear bgp*";
}
user NOC {
uid 2008;
class group1;
}
}
On the Cisco ACS side for a group of users with "NOC" group permissions
you turn on the Shell Command Authorization Set feature "Junos-exec" and
add a custom attribute of "local-user-name =NOC".
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of edwin pua
Sent: Thursday, December 22, 2005 12:40 AM
To: Jared Gull; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Junos tacacs+ authentication using Cisco ACS
Hi Jared,
Yes. My Cisco ACS server and juniper router are able to see each other
within our network.
My problem is, i'm not sure what else do i need to configure on the
Cisco ACS for the attribute values. Previously, my authentication works
fine using the freeware tacplus installed under linux server
"/etc/tacacs_config". And right now, we've changed our server to Cisco
ACS (window base).
I just wanted to know whether someone here had an experience
authenticating their juniper routers via tacacs using the Cisco ACS.
rgds,
Edwin
Jared Gull wrote:
Edwin,
The first thing I'd verify is that you have a route to
the server (192.168.2.1) and the server has a route
back to your source address (192.168.20.4). You could
test this by simply pinging the server address with
the source address specified. You will also, need to
verify the following:
- tacacs is specified in the authentication order.
For more information on this check the following URL:
http://www.juniper.net/techpubs/software/junos/junos74/junoscript74-ref-
config/html/summary-config289.html
- you will likely need to configure the remote user
account as specified in the URL below:
http://www.juniper.net/techpubs/software/junos/junos74/swconfig74-system
-basics/html/sys-mgmt-authentication6.html#1039222
- If after all of this is done and you're still having
problems, you should check the secret and make sure it
is set correctly on both sides (router and server) AND
verify there are no firewall filters applied to your
interfaces that may be causing communication issues.
Hope this helps.
Jared Gull
--- edwin pua wrote:
> Hi All,
>
> Just need your help on how will i make my juniper
> router authenticate using the Cisco ACS.
>
> I'm having some problem on my juniper router to
> communicate with our Cisco ACS. here's my config on
> the router:
>
> # Juniper configuration:
> tacplus-server {
> 192.168.2.1 {
> secret
> "$9$VAb4ZUDkPfzX7jqfzCA8X7Ns4UDkm5F"; ## SECRET-DATA
> single-connection;
> source-address 192.168.20.4;
> }
> }
> accounting {
> events interactive-commands;
> destination {
> tacplus {
> server {
> 192.168.2.1 secret
> "$9$hDecK8XxdsYoO17VYojiuO1IyKXxdw2a"; ##
> SECRET-DATA
> }
>
> user high {
> uid 3453;
> class superuser;
> }
> user low {
> uid 2341;
> class low_class;
>
>
> P.S. What else do i need to configure on my Cisco
> ACS?
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam
> protection around
> http://mail.yahoo.com
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
---------------------------------
Yahoo! for Good - Make a difference this year.
More information about the juniper-nsp
mailing list