[j-nsp] SecurID- Cisco ACS - Tacacs+ - Juniper

Johnson, Matthew (Matthew) johnsonm at lucent.com
Sat Oct 15 06:51:37 EDT 2005


Brian,

It is worth turning on TACACS+ accounting for further information on the Cisco ACS server.

system {
    tacplus-server {
        10.10.10.10 {
            port 49;
            secret "dztocmve4096xdgl"; ## SECRET-DATA
            timeout 3;
            source-address 10.2.2.2;
        }
    }
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server {
                    10.10.10.10 {
                        port 49;
                        secret "dztocmve4096xdgl"; ## SECRET-DATA
                        timeout 3;
                        single-connection;
                        source-address 10.2.2.2;
                    }
                }
            }
        }
    }
}

This accounting information might not show up in the accounting report but in the administration report, as login/logout detail.

In addition, it might be worth checking the authentication against the Cisco ACS first, before adding the additional step for SecurID.

Regards

Matt

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Brian McGehee
Sent: 14 October 2005 23:55
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] SecurID- Cisco ACS - Tacacs+ - Juniper


Hi, looking for some help/guidance.  Trying to get a Juniper M5 w/ JUNOS
6.4R2.4 to authenticate using my Cisco ACS server and SecurID.  When
attempting to log in, the SecurID log shows passcode accepted.  Cisco ACS
shows passed authentication, but the Juniper log shows:

Oct 15 08:18:13  lab-JuniperM5-rt1 login: LOGIN_PAM_AUTHENTICATION_ERROR: PAM authentication error for user qatest1

Oct 15 08:18:13  lab-JuniperM5-rt1 login: LOGIN_FAILED: Login failed for user qatest1 from host 10.255.136.110

Here is the JUNOS config:

system {
    tacplus-server {
        10.255.132.87 {
            secret "$9$j5H.5u0IEhr/C0IESMW"; ## SECRET-DATA
            source-address 10.255.1.99;
        }
    }
    login {
        class tacacs {
            permissions all;
        }
        user remote {
            full-name "All tacacs users";
            uid 9999;
            class tacacs;
        }
    }
}

 

I have seen in the docs that you do not need to configure the JUNOS
attributes to run w/ TACACS+ (so I don't want to... unless I have to.)
I'm really not sure where in Cisco ACS to include these if they are
required.

Your assistance is appreciated.

Sincerely,

Brian McGehee

Opsware, Inc.

425.636.2148 x294

"Men never do evil so completely and cheerfully as when they do it from
a religious conviction" - Blaise Pascal

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
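Editor's added example, not code from this thread, from Juniper or from Cisco: the TACACS+ accounting exchange that the `accounting destination tacplus` stanza above turns on, built by hand from RFC 8907 so that two things in the configs are visible on the wire. First, what the `secret` actually does: the packet body is XORed with a chained-MD5 keystream derived from the header fields and the shared secret, which is obfuscation rather than encryption, so the secret pasted in clear in the reply (reused below only as sample data) lets anyone with a capture read every authentication and accounting record, and the RFC itself says not to rely on it without a protected transport. Second, what `single-connection` asks for: the TAC_PLUS_SINGLE_CONNECT_FLAG bit in the header. The user name and client host come from the log lines in the original post; the session id, tty port and task_id are made up.

```python
"""TACACS+ (RFC 8907) accounting exchange built by hand, so the role of the
shared secret and of the single-connection flag is visible on the wire."""
import hashlib
import struct

# Header constants from RFC 8907 section 4.1.
VERSION_12_0 = 0xC0          # major version 0xC, minor version 0
TYPE_ACCT = 0x03
FLAG_UNENCRYPTED = 0x01
FLAG_SINGLE_CONNECT = 0x04   # what Junos "single-connection" asks the server for
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

ACCT_FLAG_START = 0x02
ACCT_STATUS = {0x01: "SUCCESS", 0x02: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: chained MD5 over session_id|key|version|seq_no.
    It depends only on header fields and the shared secret, so anyone holding the
    secret can strip the obfuscation from every packet they capture."""
    head = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pad; the same call undoes it."""
    pad = pseudo_pad(session_id, key, VERSION_12_0, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_request(user, port, rem_addr, args, flags=ACCT_FLAG_START):
    """Accounting REQUEST body (section 6.1): authen_method 0x06 = TACACSPLUS,
    priv_lvl 15, authen_type 0x01 = ASCII, authen_service 0x01 = LOGIN."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_bs = [a.encode() for a in args]
    body = bytes([flags, 0x06, 15, 0x01, 0x01,
                  len(user_b), len(port_b), len(rem_b), len(arg_bs)])
    body += bytes(len(a) for a in arg_bs)
    return body + user_b + port_b + rem_b + b"".join(arg_bs)


def parse_acct_request(body):
    """Server-side view of a REQUEST body, as an accounting log line would need it."""
    flags, _method, priv, _atype, _svc, ul, pl, rl, argc = body[:9]
    arg_lens = list(body[9:9 + argc])
    pos = 9 + argc
    fields = []
    for n in (ul, pl, rl, *arg_lens):
        fields.append(body[pos:pos + n].decode())
        pos += n
    return {"flags": flags, "priv_lvl": priv, "user": fields[0],
            "port": fields[1], "rem_addr": fields[2], "args": fields[3:]}


def build_acct_reply(status, server_msg=b"", data=b""):
    """Accounting REPLY body (section 6.2)."""
    return struct.pack("!HHB", len(server_msg), len(data), status) + server_msg + data


def parse_acct_reply(body):
    ml, dl, status = struct.unpack("!HHB", body[:5])
    return {"status": ACCT_STATUS.get(status, status),
            "server_msg": body[5:5 + ml], "data": body[5 + ml:5 + ml + dl]}


def wrap(body, session_id, key, seq_no, single_connect=False):
    """Obfuscate a body and prepend the 12-byte header."""
    flags = FLAG_SINGLE_CONNECT if single_connect else 0
    hdr = HEADER.pack(VERSION_12_0, TYPE_ACCT, seq_no, flags, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)


def unwrap(packet, key):
    """Split header from body and strip the obfuscation unless the packet is flagged clear."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id}, body


def accounting_exchange(key, session_id=0x7A3B11C2):
    """Client -> server START record, server -> client SUCCESS reply, each side
    unwrapping with the same key.  session_id, the tty port and the task_id are
    made up; user and remote host are the ones from the thread's log lines."""
    req = build_acct_request("qatest1", "ttyp0", "10.255.136.110",
                             ["task_id=1042", "start_time=1129381093", "service=shell"])
    pkt1 = wrap(req, session_id, key, seq_no=1, single_connect=True)
    hdr1, body1 = unwrap(pkt1, key)                       # server side
    pkt2 = wrap(build_acct_reply(0x01), session_id, key, seq_no=hdr1["seq_no"] + 1)
    hdr2, body2 = unwrap(pkt2, key)                       # client side
    return parse_acct_request(body1), parse_acct_reply(body2), hdr1, hdr2, pkt1


if __name__ == "__main__":
    key = b"dztocmve4096xdgl"   # secret from the thread, reused here only as sample data
    request, reply, hdr1, hdr2, pkt1 = accounting_exchange(key)
    print(request, reply, sep="\n")
    print(pkt1[12:].find(b"qatest1"))                     # -1: unreadable without the key
    print(unwrap(pkt1, key)[1].find(b"qatest1"))          # readable by anyone who has it
```

The last two prints are the practical point: the user name is not visible in the raw body, but `unwrap` with the shared secret recovers it from a capture with no further effort, and a wrong secret yields garbage rather than an error. That is why a secret posted to a list should be rotated on both the router and the ACS, and why the TACACS+ path itself deserves an IPsec or otherwise protected segment rather than the bare TCP/49 that `port 49` configures.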

