[j-nsp] Re: Implementation of TACACS+

Kanagaraj Krishna kanagaraj at aims.com.my
Wed Jan 11 08:41:52 EST 2006


Hi,
   Thanks for the prompt reply. Is there any way of implementing TACACS-based 
authentication for telnet sessions only (minus console, leaving it to system 
password authentication)? That would be similar to Cisco, where there's an 
option of vty, tty and console. Thanks.

Regards,
Kana

> set system authentication-order [ tacplus password ]
> 
> that should try each method in turn.
> 
> apply your remote user, this is needed to auth with the pam_tacacs module
> that's used.
> 
>     user remote {
>         uid 2004;
>         class operator;
>     }
> 
> 
> 
> then create some users with diff privs.
> 
>     user tier3 {
>         uid 2003;
>         class tier3;
>     }
>  tier1 and tier2 are not shown here.
> 
> create a class for the user.
> 
> class tier3 {
>         idle-timeout 90;
>         permissions all;
> }
> 
> 
> then in your tac_plus.conf file or whatever version of tacacs you're using:
> 
> group = tier3
> {
>   ## cli service for junipers
>   service = junos-exec
>   {
>     local-user-name = tier3
>     allow-commands = "all"
>     allow-configuration = ""
>     deny-commands = ""
>     deny-configuration = ""
>   }
> }
> 
> 
> 
> user = andy
> {
>   member = tier3
> }
> 
> 
> tier 1 should be very restrictive:
> 
> 
> group = tier1
> {
>   ## cli service for junipers
>   service = junos-exec
>   {
>     local-user-name = tier1
>     allow-commands = "view view-configuration"
>     allow-configuration = ""
>     deny-commands = "all"
>     deny-configuration = ""
>   }
> }
> 
> 
> user = look
> {
>   member = tier1
> }
> 
> name your tiers whatever, these are just examples. I don't have a full list of
> the commands you can allow or deny but that would be handy.
> 
> hope this helps.
> 
> On Wed, Jan 11, 2006 at 05:51:28PM +0800, Kanagaraj Krishna wrote:
> > I've been implementing TACACS+ based authentication on Cisco routers. This
> > is the first time setting it up on a Juniper m7i. I have a few questions:
> > 
> > - How do we implement TACACS+ authentication for telnet access only OR
> > console access only?
> > - In Cisco the sequence for authentication can be specified using the aaa
> > command (tacacs, local login, enable.... etc). How is it done on a Juniper?
> > - What happens if a specified tacacs is not reachable?
> > 
> > Regards,
> > Kanagaraj Krishna
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/juniper-nsp
> > 
> 
> -- 
> andy    andy at shady.org
> -----------------------------------------------
> Never argue with an idiot. They drag you down 
> to their level, then beat you with experience.
> ----------------------------------------------- 
> 
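An added example, not code from the thread or from tac_plus itself: a small Python parser for the tac_plus.conf block syntax quoted above, plus an audit that tags each group's junos-exec block as "full" (allow-commands all, nothing denied, the tier3 shape) or "restricted" (deny all with a short allow list, the tier1 shape). It assumes exactly the layout shown in the post (opening brace on its own line, `#` comments); the sample config is constructed from the two groups Andy posted.

```python
# Added example (not from the thread). Parses only the syntax the post shows and
# classifies each group's junos-exec command authorization. Sample is constructed.
SAMPLE_CONF = """group = tier3
{
  ## cli service for junipers
  service = junos-exec
  {
    allow-commands = "all"
    deny-commands = ""
  }
}
group = tier1
{
  service = junos-exec
  {
    allow-commands = "view view-configuration"
    deny-commands = "all"
  }
}
"""

def parse_blocks(text):
    # Nested dicts: conf['group']['tier1']['service']['junos-exec']['deny-commands']
    lines = [s for s in (l.split("#", 1)[0].strip() for l in text.splitlines()) if s]
    root, stack, i = {}, [], 0
    while i < len(lines):
        if lines[i] == "}":
            stack.pop()
        else:
            key, _, val = lines[i].partition("=")
            key, val = key.strip(), val.strip().strip('"')
            parent = stack[-1] if stack else root
            if i + 1 < len(lines) and lines[i + 1] == "{":  # 'key = name' opens a body
                stack.append(parent.setdefault(key, {}).setdefault(val, {}))
                i += 1  # consume the '{'
            else:
                parent[key] = val  # plain attribute
        i += 1
    return root

def classify(svc):
    """'full' = allow all and deny nothing; 'restricted' = deny all, allow a short list."""
    allow, deny = svc.get("allow-commands", ""), svc.get("deny-commands", "")
    if allow == "all" and deny == "":
        return "full"
    if deny == "all" and allow not in ("", "all"):
        return "restricted"
    return "review"

def audit_junos_exec(conf):
    return {name: classify(body.get("service", {}).get("junos-exec", {}))
            for name, body in conf.get("group", {}).items()}
```

Run `audit_junos_exec(parse_blocks(open("tac_plus.conf").read()))` against a real file to see at a glance which groups hand out full command access; anything tagged "review" has mixed lists and should be checked against how the box actually evaluates them.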

