[j-nsp] console switch to access juniper devices

Alexey Lanetskiy lanetskey at gmail.com
Fri Apr 13 02:53:12 EDT 2012


Experts,

Now I can share with you the solution for the OpenGear CM4148 that could
help someone (at least it helped me).

First of all, the OpenGear console needs to be upgraded to the latest stable
firmware, currently 3.5.2u11.
Then just apply the following to both your console and TACACS server
configurations.
All admin users will get full access to all management options and to all
ports.

tac_plus.conf:

group = some-group {
# default reverse-telnet-based access devices like consoles
        service = raccess {
                groupname = admin
# you may want to use groupname = users in the case you need to restrict
# access to mgmt functions
        }
}
# you need to assign specific user(s) to the group described above

CMxxxx console CLI:

config -s config.auth.tacacs.acct_server=10.10.10.10,10.10.20.20
config -s config.auth.tacacs.auth_method=login
config -s config.auth.tacacs.auth_server=10.10.10.10,10.10.20.20
config -s config.auth.tacacs.password=YourTacacsServerKeyHere
config -s config.auth.type=TACACSDownLocal
config -s config.auth.useremotegroups=on

You may want to limit session time:

config -s config.auth.cli.sessionlifetime=20
config -s config.auth.pmshell.sessionlifetime=20
config -s config.auth.sessionlifetime=20

Issue this command at the end:

config -a

Thanks to OpenGear tech support!


On 2 April 2012 11:35, Alexey Lanetskiy <lanetskey at gmail.com> wrote:

> Experts,
>
> I'm sorry for the off-topic question, but could you please tell me how you
> use TACACS+ auth on these shiny bright OpenGear consoles?
> I found the tac+ setup pretty unusable there and have to use local auth.
>
> A working part of the tac_plus system config will be highly appreciated.
>
> p.s. here is what I've tried; it works, but only up to the point of having
> 1-2 consoles:
>
> group = some-group {
> <...>
> # default reverse-telnet-based access devices like consoles
>         service = raccess {
>                 priv-lvl = 15
> # OpenGear CM4148
>                 port0101 = opengear-console01/port01
> <...and so on; OpenGear does lose the tacacs connection when the number of
> lines like this goes over 100 or 200...>
>         }
> }
>
> Seems like there is a command to allow access to any port on any device,
> but I missed it.
>
>
> On 31 March 2012 21:31, Misha Gzirishvili <misha.gzirishvili at gmail.com> wrote:
>
>> Opengear is our console server of choice :-)
>> It has all the features we want and is stable.
>> On Mar 31, 2012 7:52 PM, "Sachin Rai" <sachinrai1983 at hotmail.com> wrote:
>>
>> >
>> > Thank you everyone for sharing your thoughts. They will really help me.
>> >
>> >
>> >
>> > > Date: Fri, 30 Mar 2012 21:33:25 -0400
>> > > From: james at freedomnet.co.nz
>> > > To: avf at eldamar.org.uk
>> > > CC: juniper-nsp at puck.nether.net
>> > > Subject: Re: [j-nsp] console switch to access juniper devices
>> > >
>> > > Digi work pretty well. No need for the dongle.
>> > >
>> > > On Fri, Mar 30, 2012 at 7:38 PM, Alexander Frolkin <avf at eldamar.org.uk> wrote:
>> > >
>> > > > > We went with OpenGear, it is inexpensive and has all the features we
>> > > > > need.
>> > > >
>> > > > We also went with OpenGear.  Another advantage is that the company is
>> > > > very responsive to queries and feature requests.  They implemented
>> > > > several features for us (in a matter of weeks --- with any other company
>> > > > this would probably have taken years) and they're now in the production
>> > > > release.
>> > > >
>> > > > As far as I understand, they also allow you to put custom firmware on
>> > > > their boxes without voiding the warranty (although we were pretty happy
>> > > > with the OpenGear firmware).
>> > > >
>> > > >
>> > > > Alex
>>
>


-- 
wbr, Alexey Lanetskiy.
cell: +7 931 256 56 31
skype: lanetskey
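The `config -s` commands in the post above are easy to paste with a line missed or a placeholder left in. The following is an added example (not from the list post or from OpenGear) that parses a pasted block of those commands into a dictionary and reports the settings a reviewer would want checked before the box goes into production: a non-TACACS `config.auth.type`, a single authentication or accounting server, an empty or placeholder shared key, `useremotegroups` left off (so the `groupname` returned by the `raccess` service is never applied), and missing or oversized session lifetimes. The key names are exactly those from the post; the thresholds, the placeholder list and both sample configurations are this example's own constructions.

```python
"""Audit a pasted block of OpenGear 'config -s key=value' commands.

Added example, not code from the mailing-list post or from OpenGear. Only the
configuration keys shown in the thread are used; the limits below are assumptions.
"""
import re
from typing import Dict, List

# Matches the CLI form used in the thread: "config -s <key>=<value>".
CONFIG_LINE = re.compile(r"^config\s+-s\s+([A-Za-z0-9_.]+)=(.*)$")

SESSION_KEYS = (
    "config.auth.cli.sessionlifetime",
    "config.auth.pmshell.sessionlifetime",
    "config.auth.sessionlifetime",
)

# Values that look like an unreplaced template key (this example's own list).
PLACEHOLDER_KEYS = {"yourtacacsserverkeyhere", "changeme", "secret", "password"}


def parse_config_commands(text: str) -> Dict[str, str]:
    """Collect 'config -s key=value' lines into a dict; later assignments win.

    Blank lines, comments and other commands (e.g. 'config -a') are skipped.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = CONFIG_LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def audit_tacacs_settings(settings: Dict[str, str], max_lifetime: int = 30,
                          min_key_len: int = 16) -> List[str]:
    """Return one finding string per questionable setting (empty list = clean)."""
    findings: List[str] = []

    def flag(key: str, message: str) -> None:
        findings.append(f"{key}: {message}")

    # The post uses TACACSDownLocal; anything not TACACS-based means local auth only.
    auth_type = settings.get("config.auth.type", "")
    if not auth_type.startswith("TACACS"):
        flag("config.auth.type", f"expected a TACACS mode such as TACACSDownLocal, got {auth_type!r}")

    # Both server lists are comma separated; one server is a single point of failure.
    for key in ("config.auth.tacacs.auth_server", "config.auth.tacacs.acct_server"):
        servers = [s for s in settings.get(key, "").split(",") if s.strip()]
        if not servers:
            flag(key, "no server configured")
        elif len(servers) < 2:
            flag(key, "single server; add a second for redundancy")

    shared_key = settings.get("config.auth.tacacs.password", "")
    if not shared_key:
        flag("config.auth.tacacs.password", "shared key is empty")
    elif shared_key.lower() in PLACEHOLDER_KEYS:
        flag("config.auth.tacacs.password", "shared key looks like an unreplaced placeholder")
    elif len(shared_key) < min_key_len:
        flag("config.auth.tacacs.password", f"shared key shorter than {min_key_len} characters (assumed minimum)")

    # Without remote groups the groupname from the raccess service is ignored.
    if settings.get("config.auth.useremotegroups", "").lower() != "on":
        flag("config.auth.useremotegroups", "not 'on'; the groupname returned by TACACS will not be applied")

    for key in SESSION_KEYS:
        value = settings.get(key)
        if value is None:
            flag(key, "no session lifetime set")
        elif not value.isdigit() or int(value) <= 0:
            flag(key, f"expected a positive integer, got {value!r}")
        elif int(value) > max_lifetime:
            flag(key, f"{value} exceeds the limit of {max_lifetime} assumed here")
    return findings


def audit_text(text: str) -> List[str]:
    return audit_tacacs_settings(parse_config_commands(text))


# Constructed sample 1: the working configuration from the thread, with the
# placeholder shared key replaced by a constructed value of realistic length.
WORKING_CONFIG = """
config -s config.auth.tacacs.acct_server=10.10.10.10,10.10.20.20
config -s config.auth.tacacs.auth_method=login
config -s config.auth.tacacs.auth_server=10.10.10.10,10.10.20.20
config -s config.auth.tacacs.password=ExampleKey-0f3a9c2e7b1d4a6f
config -s config.auth.type=TACACSDownLocal
config -s config.auth.useremotegroups=on
config -s config.auth.cli.sessionlifetime=20
config -s config.auth.pmshell.sessionlifetime=20
config -s config.auth.sessionlifetime=20
config -a
"""

# Constructed sample 2: a half-finished paste with the placeholder key kept,
# a single server, remote groups off and no session lifetimes.
WEAK_CONFIG = """
config -s config.auth.tacacs.acct_server=10.10.10.10
config -s config.auth.tacacs.auth_method=login
config -s config.auth.tacacs.auth_server=10.10.10.10
config -s config.auth.tacacs.password=YourTacacsServerKeyHere
config -s config.auth.type=TACACSDownLocal
config -s config.auth.useremotegroups=off
config -a
"""

if __name__ == "__main__":
    for name, text in (("working", WORKING_CONFIG), ("weak", WEAK_CONFIG)):
        findings = audit_text(text)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the working configuration it reports nothing; against the weak paste it reports seven findings (both single servers, the placeholder key, remote groups off and the three missing lifetimes). The session-lifetime limit and minimum key length are arguments, so they can be tuned to local policy.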

