[j-nsp] tacplus on EX3200
Nalkhande Tarique Abbas
ntarique at juniper.net
Mon Aug 10 03:18:58 EDT 2009
Hey Bill,
Looks expected to me.
Pls have a look at the following sequence of log message for a login
failure in case if you don't have the user locally configured on the
switch.
*** /var/log/messages *** {truncated}
Jun 7 14:06:34 LAB-RTR login: LOGIN_INVALID_LOCAL_USER: No entry in
local password file for user joeuser
Jun 7 14:06:43 LAB-RTR login: PAM option:
conf=/var/etc/pam_tacplus.conf invalid
Jun 7 14:06:43 LAB-RTR login: PAM option: template_user=remote invalid
<<--
Jun 7 14:06:43 LAB-RTR login: LOGIN_PAM_NONLOCAL_USER: User joeuser
authenticated but has no local login ID
Jun 7 14:06:43 LAB-RTR login: LOGIN_FAILED: Login failed for user
joeuser from host 10.20.1.251
So either you configure all local accounts on each device OR make use of
available templates (remote or local).
You may find the below handy..
http://www.juniper.net/techpubs/software/junos/junos82/swconfig82-system
-basics/html/sys-mgmt-authentication7.html
http://www.juniper.net/techpubs/software/junos/junos82/swconfig82-system
-basics/html/sys-mgmt-authentication3.html#1015967
And as it looks...
authentication-order [ tacplus password ]
.. that you are verifying the user's password against the local password
database when access to the TACACS server fails, in that case you
eventually need to configure users locally as well.
Hope it helps!
Thanks & Regards,
Tarique A. Nalkhande
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill Blackford
Sent: Monday, August 10, 2009 2:23 AM
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200
So, I have it working now, but it doesn't seem that is a very elegant
solution.
I added an account to 'system login user' that corresponds to an account
in AD.
Seems that when the switch receives a login for a locally configured
user, it then (based on my authentication-order) first checks to see it
it's in tacacs. With the absence of a locally configured password, the
switch then asks tacacs for a password.
I was hoping I didn't have to define a bum load of local accounts on
each device. I was hoping the switch could just pass the user to tacacs
along with the password.
<my_configs>
authentication-order [ tacplus password ];
tacplus-server {
ip.ip.ip.ip {
port 49;
secret <my secret>"; ## SECRET-DATA
timeout 5;
single-connection;
source-address ip.ip.ip.ip;
user joeuser {
uid 2003;
class super-user;
}
user janeuser {
uid 2004;
class super-user;
</my_configs>
I could probably simplify the tacacs-server stanza, but this is a start.
Thank you to everyone who offered assistance on this issue.
-b
-----Original Message-----
From: Nalkhande Tarique Abbas [mailto:ntarique at juniper.net]
Sent: Sunday, August 09, 2009 10:01 AM
To: Bill Blackford; Walaa Abdel razzak
Cc: juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] tacplus on EX3200
Do you have a remote user configured? Pls try to add this ..
system {
login {
user remote {
full-name "All remote users";
uid 2001;
class super-user;
}
}
}
Thanks & Regards,
Tarique A. Nalkhande
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 8:29 PM
To: Walaa Abdel razzak
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200
authentication-order [ tacplus password ];
-b
-----Original Message-----
From: Walaa Abdel razzak [mailto:walaaez at bmc.com.sa]
Sent: Sunday, August 09, 2009 7:51 AM
To: Bill Blackford; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] tacplus on EX3200
Hi
Did you check the authentication order on the router? Tacacs log on the
server?
BR,
Walaa Abdel Razzak
This email and any attached files are confidential and intended solely
for the use of the individual to whom they are addressed. If you
received this email in error or you are not the named addressee, you
should not disseminate, distribute or copy this e-mail. Please notify
the sender immediately by e-mail and delete this e-mail from your
system.If you are not the intended recipient you are notified that
disclosing, copying,distributing or taking any action in reliance on the
contents of this information is strictly prohibited.
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 5:23 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] tacplus on EX3200
I'm struggling with getting tacplus working on my EX's and was hoping
someone on the list has successfully done this.
tacplus-server {
###.###.###.### {
port 49;
secret "<my secret>"; ## SECRET-DATA
timeout 5;
single-connection;
}
}
I currently have local accounts with two profiles.
super-user and:
class NOC {
permissions [ view view-configuration ];
I would want to integrate these two profiles into tacacs as well, but
for now I'd like to just get it to authenticate.
Tacacs is doing passthough to AD and works fine with Cisco or extreme
devices.
What am I missing?
Thanks
-b
--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD
my /home away from home
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
__________ Information from ESET Smart Security, version of virus
signature database 4223 (20090708) __________
The message was checked by ESET Smart Security.
http://www.eset.com
__________ Information from ESET Smart Security, version of virus
signature database 4223 (20090708) __________
The message was checked by ESET Smart Security.
http://www.eset.com
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list