[j-nsp] JUNIPER M120 IS NOT SYNC WITH CISCO ACS
Stefan Fouant
sfouant at gmail.com
Wed Oct 15 15:40:00 EDT 2008
On Wed, Oct 15, 2008 at 3:13 PM, shariq qamar <shariq.qam at gmail.com> wrote:
> Hi,
>
> I am trying to access my Juniper router via a TACACS user ID, but it is not
> happening.
> It is giving me the error
> LOGIN_PAM_AUTHENTICATION_ERROR: PAM authentication .
> Please suggest the correct configuration way out.
>
> I'm using Model: m120
> with Junos : 9.2R2.15
>
> --
> Regards,
> Shariq Qamar,
>
Under the 'Interface Configuration' tab in your Cisco ACS, put a
checkbox next to User or Group depending on your configuration for
'New Services'. Type 'junos-exec' in the Service field.

Then in the User or Group, go to 'TACACS+ Settings > Shell Command
Authorization Set', select 'junos-exec' and 'Custom Attributes' and
type 'local-user-name=<insert username here>' in the Custom Attributes
check-box. You'll need to configure a remote template account on the
Juniper which matches the username you specify as the local-user-name
in your TACACS+ server. This template account should be bound to the
class you want to assign these users.

Alternatively, you could just put the following in your Secure ACS
TACACS+ Configuration file on the ACS Server:

    service = junos-exec {
        local-user-name = <username-local-to-router>
        allow-commands = "<allow-commands-regexp>"
        allow-configuration = "<allow-configuration-regexp>"
        deny-commands = "<deny-commands-regexp>"
        deny-configuration = "<deny-configuration-regexp>"
    }

Hope that helps,
--
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
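
The router side of the setup described in the reply above, as an added example that is not part of the original message: a Junos configuration with a TACACS+ server, a login class, and a template account that has no authentication stanza, so it cannot be used to log in directly. The names noc-template and noc-operators, the 192.0.2.x addresses and the secret placeholder are assumptions; the ACS local-user-name attribute would be set to noc-template.

```junos
system {
    /* Try TACACS+ first, then the local password database. */
    authentication-order [ tacplus password ];
    tacplus-server {
        /* Constructed address for the ACS server (documentation range). */
        192.0.2.10 {
            /* Must match the shared key configured for this router on the ACS. */
            secret "<shared-secret>";
            timeout 5;
            /* Source address the ACS should have registered as the AAA client. */
            source-address 192.0.2.1;
        }
    }
    login {
        /* Hypothetical class: the permissions every mapped TACACS+ user receives. */
        class noc-operators {
            idle-timeout 15;
            permissions [ view view-configuration network ];
        }
        /*
         * Template account. Its name must equal the local-user-name value
         * returned by the ACS in the junos-exec service. No authentication
         * statement is configured, so there is no local password for it.
         */
        user noc-template {
            full-name "TACACS+ template account";
            class noc-operators;
        }
    }
}
```

Any allow-commands or deny-commands expressions returned by the ACS are applied on top of the permissions of the class bound to the template account, so the class should carry only the baseline those users need.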