[j-nsp] JUNOS - TACACS - Cisco ACS Allowed Commands
Ralph R. Rye
rrye at norgetek.com
Tue Mar 30 09:07:38 EDT 2010
Hello,
I have been trying to get a few Juniper EX4200 switches working with Cisco ACS through TACACS+ utilizing "allowed commands". I have followed the example doc on Cisco site here:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080af7d1d.shtml
This didn't work at all until I added the "remote" user on the EX4200, but then it would only allow access, and the user would be mapped to the "remote" username, which had "read-only" access.
I have tried different combinations of syntax on the Cisco ACS in terms of the "local-username" and "allowed-commands" with no success (I also added the "set" keyword in front of the commands as some examples demonstrated). I believe I almost have it configured but I'm missing some simple thing. I searched the forum, but all the past posts mention things I have already tried.
Anyone have any suggestions?
Config on the EX4200 (JUNOS version 10.0S1.1):

system {
    authentication-order [ tacplus password ];
    tacplus-server {
        1.2.3.4 {
            secret "stuff"; ## SECRET-DATA
            timeout 5;
            source-address 5.5.5.5;
        }
    }
}

class LIMITED {
    permissions all;
}
user LIMITED-USER {
    uid 2002;
    class LIMITED;
}
user remote {
    uid 2001;
    class read-only;
}
ACS Config (version 4.2):
Setup per the link above with the following attributes in the "custom attributes" box:

local-user-name = LIMITED-USER
allow-commands = "monitor | help | show | ping | traceroute"
Thanks,
Ralph
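Added illustration (not part of the original post, and not Juniper or Cisco code): the allow-commands value is a regular expression, and in a regex the spaces around each "|" are literal characters that become part of each alternative. The small model below splits the posted pattern into its alternatives and evaluates a few constructed sample commands against it and against a tightened, anchored version. The match mode (search anywhere in the command) is an assumption of this model, not a statement about how the device implements it; for the posted pattern the outcome is the same whether or not the match is anchored.

```python
import re

# Constructed sample: the allow-commands string as posted in the thread,
# and a rewritten form with the alternation tightened up and anchored.
POSTED_ALLOW = "monitor | help | show | ping | traceroute"
FIXED_ALLOW = "^(monitor|help|show|ping|traceroute)( .*)?$"

# Constructed sample commands a LIMITED-USER session might issue.
SAMPLE_COMMANDS = [
    "show interfaces terse",
    "ping 10.0.0.1",
    "traceroute 10.0.0.1",
    "monitor interface ge-0/0/0",
    "help reference",
    "configure",
    "request system reboot",
]


def alternatives(pattern):
    """Split a regex alternation on '|' so embedded literal spaces are visible."""
    return [repr(p) for p in pattern.split("|")]


def is_allowed(command, allow_regex):
    """Model (assumption): a command is permitted when allow_regex matches
    somewhere in it. The anchored FIXED_ALLOW pattern does not depend on
    this choice; the posted pattern fails for 'show ...' either way."""
    return re.search(allow_regex, command) is not None


def evaluate(commands, allow_regex):
    """Return {command: allowed?} for every sample command."""
    return {cmd: is_allowed(cmd, allow_regex) for cmd in commands}


if __name__ == "__main__":
    print("posted pattern splits into:", alternatives(POSTED_ALLOW))
    for label, pat in (("posted", POSTED_ALLOW), ("fixed", FIXED_ALLOW)):
        print(f"--- {label}: {pat!r}")
        for cmd, ok in evaluate(SAMPLE_COMMANDS, pat).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} {cmd}")
```

With the posted pattern only "monitor ..." passes, because it is the one alternative that does not require a leading space; "show interfaces terse" needs the literal " show " and is refused. The anchored version permits exactly the five verbs and anything after them, and refuses "configure" or "request system reboot". One further caveat, from my reading of Junos login-class semantics rather than from the post: allow-commands widens what a class may run, so a class configured with "permissions all" already permits everything; narrowing such a class has to be done with deny-commands or with a class that starts from fewer permissions.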