[j-nsp] SecurID- Cisco ACS - Tacacs+ - Juniper
Brian McGehee
bmcgehee at opsware.com
Wed Oct 26 15:44:43 EDT 2005
Thank you! Looking at the log, it was as simple as increasing my timeout to resolve.
-----Original Message-----
From: Johnson, Matthew (Matthew) [mailto:johnsonm at lucent.com]
Sent: Saturday, October 15, 2005 3:52 AM
To: Brian McGehee; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] SecurID- Cisco ACS - Tacacs+ - Juniper
Brian,
It is worth turning on tacacs accounting for further information on the Cisco
ACS server.
system tacplus-server
    10.10.10.10 {
        port 49;
        secret "dztocmve4096xdgl"; ## SECRET-DATA
        timeout 3;
        source-address 10.2.2.2;
    }

system accounting
    events [ login change-log interactive-commands ];
    destination {
        tacplus {
            server {
                10.10.10.10 {
                    port 49;
                    secret "dztocmve4096xdgl"; ## SECRET-DATA
                    timeout 3;
                    single-connection;
                    source-address 10.2.2.2;
                }
            }
        }
    }
This accounting information might not show in the accounting report but
in the administration report as login / logout detail.
In addition it might be worth checking the authentication against the
Cisco ACS first before adding the additional step for SecurID.
Regards
Matt
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net]On Behalf Of Brian McGehee
Sent: 14 October 2005 23:55
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] SecurID- Cisco ACS - Tacacs+ - Juniper
Hi, looking for some help/guidance. Trying to get a Juniper M5 w/ JUNOS
6.4r2.4 to authenticate using my Cisco ACS server and SecurID. When
attempting to login, the SecurID logs show passcode accepted. Cisco ACS
shows passed authentication, but the Juniper log shows:

Oct 15 08:18:13 lab-JuniperM5-rt1 login: LOGIN_PAM_AUTHENTICATION_ERROR: PAM authentication error for user qatest1
Oct 15 08:18:13 lab-JuniperM5-rt1 login: LOGIN_FAILED: Login failed for user qatest1 from host 10.255.136.110
Here is the JUNOS config:

tacplus-server {
    10.255.132.87 {
        secret "$9$j5H.5u0IEhr/C0IESMW"; ## SECRET-DATA
        source-address 10.255.1.99;
    }
}
login {
    class tacacs {
        permissions all;
    }
    user remote {
        full-name "All tacacs users;";
        uid 9999;
        class tacacs;
    }
}
I have seen in the docs that you do not need to configure the JUNOS
attributes to run w/ tacacs+ (so I don't want to... unless I have to.)
I'm really not sure where in Cisco ACS to include these if they are
required.
Your assistance is appreciated.
Sincerely,
Brian McGehee
Opsware, Inc.
425.636.2148 x294
"Men never do evil so completely and cheerfully as when they do it from
a religious conviction" - Blaise Pascal
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
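The fix in this thread was raising the tacplus-server timeout so that the ACS-to-SecurID round trip finishes before JunOS gives up on the request. As an added example (not code from the thread, from Juniper or from Cisco), the Python below parses a JunOS brace-style configuration into a nested dict and flags every tacplus-server whose effective timeout, explicit or the 3-second JunOS default, is shorter than an assumed OTP-friendly minimum. OTP_SAFE_TIMEOUT, the two sample configurations and the placeholder secret are constructed for illustration; the 3-second default is the documented JunOS default for the tacplus-server timeout knob.

```python
"""Parse a JunOS-style brace configuration and flag tacplus-server entries
whose timeout is too short for a two-factor (SecurID/OTP) backend.

Added example, not code from the mailing-list thread or any vendor."""
import re

# JunOS applies a 3-second timeout when the tacplus-server timeout knob is absent.
JUNOS_DEFAULT_TACPLUS_TIMEOUT = 3
# Assumed example lower bound leaving room for an ACS -> SecurID round trip.
OTP_SAFE_TIMEOUT = 10

# Tokens: quoted strings, "## ..." annotations, structural characters, bare words.
_TOKEN = re.compile(r'"[^"]*"|##[^\n]*|[{};\[\]]|[^\s{};\[\]]+')


def _tokenize(text):
    # Drop "## SECRET-DATA" style annotations; keep quoted strings as one token.
    return [t for t in _TOKEN.findall(text) if not t.startswith("##")]


def parse_junos(text):
    """Return a nested dict: container stanzas map to dicts, leaf statements
    to a value string ('' for bare keywords such as single-connection) or to
    a list for bracketed values such as `events [ login change-log ]`."""
    tokens = _tokenize(text)
    pos = 0

    def block():
        nonlocal pos
        node = {}
        words = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                return node
            if tok == "{":
                node[" ".join(str(w) for w in words)] = block()
                words = []
            elif tok == "[":
                items = []
                while tokens[pos] != "]":
                    items.append(tokens[pos])
                    pos += 1
                pos += 1  # skip the closing "]"
                words.append(items)
            elif tok == ";":
                if words:
                    name, rest = words[0], words[1:]
                    if len(rest) == 1 and isinstance(rest[0], list):
                        node[name] = rest[0]
                    else:
                        node[name] = " ".join(rest)
                    words = []
            else:
                words.append(tok.strip('"'))
        return node

    return block()


def check_tacplus_timeouts(config, minimum=OTP_SAFE_TIMEOUT):
    """Return [(server, effective_timeout)] for every tacplus-server whose
    effective timeout (explicit or the JunOS default) is below `minimum`.
    Accepts either a full config (system { tacplus-server {...} }) or the
    output of `show configuration system` (tacplus-server at top level)."""
    servers = config.get("tacplus-server") or config.get("system", {}).get("tacplus-server", {})
    findings = []
    for server, stanza in servers.items():
        if not isinstance(stanza, dict):
            continue
        raw = stanza.get("timeout")
        timeout = int(raw) if raw else JUNOS_DEFAULT_TACPLUS_TIMEOUT
        if timeout < minimum:
            findings.append((server, timeout))
    return findings


# Constructed sample modelled on the thread: no timeout knob, so the 3 s default applies.
BEFORE = """
system {
    tacplus-server {
        10.255.132.87 {
            secret "EXAMPLE-SECRET"; ## SECRET-DATA
            source-address 10.255.1.99;
        }
    }
    accounting {
        events [ login change-log interactive-commands ];
    }
}
"""

# Constructed corrected sample: an explicit timeout long enough for the OTP round trip.
AFTER = """
system {
    tacplus-server {
        10.255.132.87 {
            port 49;
            secret "EXAMPLE-SECRET"; ## SECRET-DATA
            timeout 15;
            source-address 10.255.1.99;
        }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for server, t in check_tacplus_timeouts(parse_junos(cfg)):
            print(f"{label}: {server} effective timeout {t}s is below {OTP_SAFE_TIMEOUT}s")
```

Running the block reports the "before" server at an effective 3 seconds and nothing for "after". The parser deliberately treats a quoted string as a single token, so values like `full-name "All tacacs users;"` do not terminate the statement early, and it discards `## SECRET-DATA` markers rather than treating them as configuration.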