[j-nsp] tacplus on EX3200

Masood Ahmad Shah masoodshah at juniper.net
Sun Aug 9 14:52:24 EDT 2009


JUNOS gives you very flexible AAA services. I would suggest you should not
use a remote user template on a live production box. Configuring a single
remote user template account requires that all users (once again, keep in
mind ALL users) without individual configuration entries share the same
class and UID.

When you are using TACACS and telnet or TACACS and SSH together, you can
specify a different template user other than the remote user. I would
suggest you configure alternate template users and specify the
user-name parameter (custom attribute 'local-user-name=<insert username
here>') returned in the TACACS authentication response packet. You'll need
to configure a template account on the Juniper device which matches the
username you specify as the local-user-name in your TACACS+ server. This
template account should be bound to the class you want to assign these
users.

Find below a template for JUNOS and the TACACS server.
Here is JUNOS (read the comments):

system {
    /* please authenticate me using the tacplus server first */
    authentication-order [ tacplus password ];
    tacplus-server {
        /* your TACACS server address */
        x.x.x.y {
            /* tacacs secret key; it should be the same as the one you have
               configured on the server */
            secret "blahblahblah"; ## SECRET-DATA
            timeout 5;
            /* your tacacs server must be reachable using this source address,
               and you should have an entry in the tacacs server for this
               particular source */
            source-address x.x.y.x;
        }
    }
}

Here is TACACS:
If you don't want to use the remote user, you could alternatively just put
the following in your TACACS+ configuration file on the TACACS server, and
bind the user with this particular service. You can use the local-user-name
attribute for a specific user as well.

service = junos-exec {
    local-user-name = <username-local-to-router>
    allow-commands = "<allow-commands-regexp>"
    allow-configuration = "<allow-configuration-regexp>"
    deny-commands = "<deny-commands-regexp>"
    deny-configuration = "<deny-configuration-regexp>"
}

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/
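The template-user approach described above, written out as a complete Junos stanza. This is an added example, not the poster's configuration: the addresses (192.0.2.x), the template user names NOC-template and admin-template, the UIDs and the localadmin break-glass account are all constructed placeholders. There is deliberately no `user remote` entry, so a TACACS+ response that carries no local-user-name (or one that matches no local template) is rejected rather than silently mapped to super-user.

```text
system {
    /* tacplus first; with "password" also listed, the local password is
       still consulted when the server rejects the login, not only when it
       is unreachable */
    authentication-order [ tacplus password ];
    tacplus-server {
        /* constructed placeholder address, replace with your TACACS+ server */
        192.0.2.10 {
            secret "REPLACE-WITH-SHARED-SECRET"; ## SECRET-DATA
            timeout 5;
            single-connection;
            /* the server must have a host entry for this source address */
            source-address 192.0.2.1;
        }
    }
    login {
        class NOC {
            permissions [ view view-configuration ];
        }
        /* template for users whose TACACS+ junos-exec response returns
           local-user-name=NOC-template; they inherit class NOC only */
        user NOC-template {
            uid 2002;
            class NOC;
        }
        /* template for users whose response returns
           local-user-name=admin-template */
        user admin-template {
            uid 2001;
            class super-user;
        }
        /* break-glass local account, used only when authentication falls
           through to "password"; hash value is a placeholder */
        user localadmin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$6$REPLACE-WITH-HASH"; ## SECRET-DATA
            }
        }
    }
}
```

Junos matches the local-user-name returned by the server against the login names under `system login`, so the template name on the box and the attribute value on the server must agree exactly; the server decides which template a person lands in, while the class bound to that template on the box sets the ceiling on what they can do.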


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Nalkhande Tarique
Abbas
Sent: Sunday, August 09, 2009 6:01 PM
To: Bill Blackford; Walaa Abdel razzak
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200


Do you have a remote user configured? Please try to add this:

system {
    login {
        user remote {
            full-name "All remote users";
            uid 2001;
            class super-user;
        }
    }
}


 
Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 8:29 PM
To: Walaa Abdel razzak
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200

authentication-order [ tacplus password ];

-b

-----Original Message-----
From: Walaa Abdel razzak [mailto:walaaez at bmc.com.sa] 
Sent: Sunday, August 09, 2009 7:51 AM
To: Bill Blackford; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] tacplus on EX3200

Hi 

Did you check the authentication order on the router? Tacacs log on the
server?


BR,
Walaa Abdel Razzak


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 5:23 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] tacplus on EX3200

I'm struggling with getting tacplus working on my EX's and was hoping
someone on the list has successfully done this.

tacplus-server {
    ###.###.###.### {
        port 49;
        secret "<my secret>"; ## SECRET-DATA
        timeout 5;
        single-connection;
    }
}

I currently have local accounts with two profiles.
super-user and:
class NOC {
    permissions [ view view-configuration ];
}

I would want to integrate these two profiles into tacacs as well, but
for now I'd like to just get it to authenticate.

Tacacs is doing passthrough to AD and works fine with Cisco or Extreme
devices.
What am I missing?

Thanks

-b

--
Bill Blackford                     
Senior Network Engineer            
Technology Systems Group           
Northwest Regional ESD             

my /home away from home
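One way to carry the two profiles from the question (super-user and the view-only NOC class) onto the TACACS+ server, as an added example that is not part of the original post. It assumes the Shrubbery tac_plus configuration format and that the AD pass-through mentioned in the question is done through PAM on the TACACS+ host (`login = PAM`); the group names, user names alice and bob, and the Junos template names NOC-template and admin-template are constructed placeholders that must match `system login` users on the switch.

```text
# constructed tac_plus example; the key must match the Junos "secret"
key = "REPLACE-WITH-SHARED-SECRET"

# view-only operators: Junos maps them onto the NOC-template account,
# whose class on the switch grants only view and view-configuration
group = noc {
    login = PAM
    service = junos-exec {
        local-user-name = NOC-template
        # belt and braces: deny configuration even if the class on the box
        # is later widened
        deny-configuration = ".*"
    }
}

# full administrators: mapped onto admin-template (class super-user);
# the server can still carve out commands the class would otherwise allow
group = netadmin {
    login = PAM
    service = junos-exec {
        local-user-name = admin-template
        deny-commands = "^request system (halt|zeroize)"
    }
}

# per-user entries only assign group membership; the password check is
# delegated to PAM (and from there to AD) by the group's login setting
user = alice {
    member = noc
}
user = bob {
    member = netadmin
}
```

Junos looks up the junos-exec service by name in the authorization response, so a user who authenticates successfully but belongs to no group carrying that service gets no local-user-name and, with no `user remote` on the box, is refused; that is the fail-closed behaviour to verify from the TACACS+ server's accounting log once the first login works.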
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp