[j-nsp] tacplus on EX3200
Sipes, Nathan
Nathan_Sipes at kindermorgan.com
Mon Aug 10 11:24:07 EDT 2009
Bill,
You should be able to Configure a couple of local user accounts. i.e.
class engineering {
idle-timeout 30;
login-alarms;
permissions all;
}
class operations {
idle-timeout 15;
login-alarms;
login-tip;
permissions [ access clear configure firewall flow-tap flow-tap-control flow-tap-operation interface network reset routing security snmp snmp-control system trace view view-configuration ];
}
class view {
idle-timeout 5;
login-alarms;
permissions view;
}
user engineer {
full-name "Remote Engineering Account";
uid 2000;
class engineering;
}
user noc {
full-name "Network Operations Remote Account";
uid 2001;
class operations;
}
user viewer {
full-name "Remote View only account";
uid 2002;
class view;
}
then on the TACACS/Radius Server specify the user local user account property under the user profile for the TACACS/Radius server to return...
i.e.
Juniper-Local-User-Name = "engineer"
Juniper-Local-User-Name = "noc"
Juniper-Local-User-Name = "viewer"
Nathan Sipes
Sr. Network Design Specialist
Tel: 303-914-4996
FAX: 303-763-3510
Kinder Morgan
370 Van Gordon St
Lakewood, CO
80228
Nathan_Sipes at kindermorgan.com
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 2:53 PM
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200
So, I have it working now, but it doesn't seem that is a very elegant solution.
I added an account to 'system login user' that corresponds to an account in AD.
Seems that when the switch receives a login for a locally configured user, it then (based on my authentication-order) first checks to see it it's in tacacs. With the absence of a locally configured password, the switch then asks tacacs for a password.
I was hoping I didn't have to define a bum load of local accounts on each device. I was hoping the switch could just pass the user to tacacs along with the password.
<my_configs>
authentication-order [ tacplus password ];
tacplus-server {
ip.ip.ip.ip {
port 49;
secret <my secret>"; ## SECRET-DATA
timeout 5;
single-connection;
source-address ip.ip.ip.ip;
user joeuser {
uid 2003;
class super-user;
}
user janeuser {
uid 2004;
class super-user;
</my_configs>
I could probably simplify the tacacs-server stanza, but this is a start.
Thank you to everyone who offered assistance on this issue.
-b
-----Original Message-----
From: Nalkhande Tarique Abbas [mailto:ntarique at juniper.net]
Sent: Sunday, August 09, 2009 10:01 AM
To: Bill Blackford; Walaa Abdel razzak
Cc: juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] tacplus on EX3200
Do you have a remote user configured? Pls try to add this ..
system {
login {
user remote {
full-name "All remote users";
uid 2001;
class super-user;
}
}
}
Thanks & Regards,
Tarique A. Nalkhande
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 8:29 PM
To: Walaa Abdel razzak
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200
authentication-order [ tacplus password ];
-b
-----Original Message-----
From: Walaa Abdel razzak [mailto:walaaez at bmc.com.sa]
Sent: Sunday, August 09, 2009 7:51 AM
To: Bill Blackford; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] tacplus on EX3200
Hi
Did you check the authentication order on the router? Tacacs log on the
server?
BR,
Walaa Abdel Razzak
This email and any attached files are confidential and intended solely
for the use of the individual to whom they are addressed. If you
received this email in error or you are not the named addressee, you
should not disseminate, distribute or copy this e-mail. Please notify
the sender immediately by e-mail and delete this e-mail from your
system.If you are not the intended recipient you are notified that
disclosing, copying,distributing or taking any action in reliance on the
contents of this information is strictly prohibited.
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 5:23 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] tacplus on EX3200
I'm struggling with getting tacplus working on my EX's and was hoping
someone on the list has successfully done this.
tacplus-server {
###.###.###.### {
port 49;
secret "<my secret>"; ## SECRET-DATA
timeout 5;
single-connection;
}
}
I currently have local accounts with two profiles.
super-user and:
class NOC {
permissions [ view view-configuration ];
I would want to integrate these two profiles into tacacs as well, but
for now I'd like to just get it to authenticate.
Tacacs is doing passthough to AD and works fine with Cisco or extreme
devices.
What am I missing?
Thanks
-b
--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD
my /home away from home
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
__________ Information from ESET Smart Security, version of virus
signature database 4223 (20090708) __________
The message was checked by ESET Smart Security.
http://www.eset.com
__________ Information from ESET Smart Security, version of virus
signature database 4223 (20090708) __________
The message was checked by ESET Smart Security.
http://www.eset.com
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list