[j-nsp] Tacacs on Junos

Mohammad Khalil eng.mssk at gmail.com
Mon Sep 17 10:04:19 EDT 2012


Hi Tom
Thanks for the reply
I was expecting that adding a user and password on the TACACS server and
adding server-related parameters on the device would be enough, as on
Cisco. Why should I configure a user on the router itself?!

BR,
Mohammad

On Sun, Sep 16, 2012 at 6:02 PM, Tom Storey <tom at snnap.net> wrote:

> FWIW here is my TACACS and related config. You need a little more
> than just the tacplus-server stanza itself, e.g. the "remote" user.
>
>
> system {
>     authentication-order [ tacplus password ];
>     tacplus-server {
>         172.25.150.26 {
>             secret "..."; ## SECRET-DATA
>             timeout 5;
>             source-address 172.25.150.1;
>         }
>     }
>     accounting {
>         events [ login change-log interactive-commands ];
>         destination {
>             tacplus;
>         }
>     }
>     login {
>         class rescue {
>             idle-timeout 30;
>             permissions all;
>         }
>         user remote {
>             full-name "Remote user template";
>             uid 2002;
>             class rescue;
>         }
>         user rescue {
>             full-name "Rescue account";
>             uid 2000;
>             class rescue;
>             authentication {
>                 encrypted-password "...."; ## SECRET-DATA
>             }
>         }
>     }
> }
>
> Something like the "rescue" user is probably also a good idea: if your
> TACACS server is ever unreachable, you will want a "back door" to log
> in with.
>
> Tom
>
>
> On 16 September 2012 15:38, Tom Storey <tom at snnap.net> wrote:
> > When you set the password on the Juniper, did you by any chance
> > enclose the password text in "", e.g. "password"?
> >
> > If you did, the "" is encoded as part of the password, rather than
> > suggesting "everything inside quotes is the password" like it does
> > with other things (like interface descriptions.)
> >
> > I hit that little doozy when I was configuring TACACS for the first
> > time, so thought I'd throw it out there.
> >
> > Tom
> >
> >
> > On 16 September 2012 14:49, Mohammad Khalil <eng.mssk at gmail.com> wrote:
> >> Hi all
> >> I have mx240 , i want to configure tacacs authentication
> >> set system authentication-order tacplus
> >> set system tacplus-server x.x.x.x port 49 single-connection secret juniper source-address y.y.y.y
> >>
> >> Of course the server is reachable from the device
> >> I see in the log messages
> >> Failed password for mkhalil from 109.107.128.104 port 43262 ssh2
> >>
> >> Is there anything missing ?
> >>
> >> BR,
> >> Mohammad
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
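Added example (not from the thread, and not Junos code): a Python model of the TACACS+ ASCII-login exchange that the device performs against the server, with a toy in-process server standing in for the real daemon. It shows the START / GETPASS / CONTINUE / PASS-or-FAIL round trip, and what a shared-secret mismatch looks like from the client side: a reply body that no longer parses. The username mkhalil and the client address come from the log line quoted above; the secret, the password, the port name and the session ids are constructed test data, and the stand-in server does not model Junos' mapping of TACACS+ users onto the local "remote" template.

```python
"""Minimal TACACS+ (RFC 8907) ASCII-login exchange: the client side a router
performs plus a toy in-process server in place of the TACACS+ daemon.
Added example; not Junos code and not from the original thread."""
import hashlib
import os
import struct

VERSION = 0xC0                      # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01                  # authentication packet
ACTION_LOGIN, PRIV_LVL_USER = 0x01, 0x01
AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01
PASS, FAIL, GETPASS, ERROR = 1, 2, 5, 7
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
          5: "GETPASS", 6: "RESTART", 7: "ERROR"}


def _pad(session_id, key, seq_no, length):
    """RFC 8907 4.5 pseudo-pad: chained MD5(session_id, key, version, seq_no[, prev])."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(session_id, key, seq_no, body):
    """XOR the body with the pad; the same call also deobfuscates."""
    return bytes(a ^ b for a, b in zip(body, _pad(session_id, key, seq_no, len(body))))


def build(session_id, key, seq_no, body):
    """12-byte header (flags=0 means the body is obfuscated) followed by the body."""
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(session_id, key, seq_no, body)


def reply(status, server_msg=b"", data=b""):
    """Authentication REPLY body: status, flags, server_msg_len, data_len, payloads."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def parse_reply(packet, key):
    """Decode a REPLY.  Length fields that do not add up mean the body was
    obfuscated with a different secret; that is how a secret mismatch shows."""
    _, _, seq_no, _, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(session_id, key, seq_no, packet[12:12 + length])
    status, _, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != len(body) or status not in STATUS:
        return "UNDECODABLE", b""
    return STATUS[status], body[6:6 + msg_len]


class ToyServer:
    """Stand-in for the TACACS+ daemon: one shared key, one user table (constructed data)."""

    def __init__(self, key, users):
        self.key, self.users, self.pending = key, users, {}

    def handle(self, packet):
        _, _, seq_no, _, session_id, length = struct.unpack("!BBBBII", packet[:12])
        body = obfuscate(session_id, self.key, seq_no, packet[12:12 + length])
        if seq_no == 1:                     # START: action, priv, type, service, 4 length bytes
            if len(body) < 8 or 8 + sum(body[4:8]) != len(body):
                return build(session_id, self.key, 2, reply(ERROR))
            self.pending[session_id] = body[8:8 + body[4]].decode("ascii", "replace")
            return build(session_id, self.key, 2, reply(GETPASS, b"Password: "))
        if len(body) < 5:                   # CONTINUE: user_msg_len, data_len, flags
            return build(session_id, self.key, seq_no + 1, reply(ERROR))
        msg_len = struct.unpack("!H", body[:2])[0]
        password = body[5:5 + msg_len].decode("ascii", "replace")
        user = self.pending.pop(session_id, None)
        status = PASS if user is not None and self.users.get(user) == password else FAIL
        return build(session_id, self.key, seq_no + 1, reply(status))


def authenticate(server, key, user, password, port=b"ssh",
                 rem_addr=b"109.107.128.104", session_id=None):
    """Two-step ASCII login as the device does it: START carries the username,
    CONTINUE carries the password.  Returns the final status name."""
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    start = struct.pack("!8B", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    packet = build(session_id, key, 1, start + user + port + rem_addr)
    status, _ = parse_reply(server.handle(packet), key)
    if status != "GETPASS":
        return status
    cont = struct.pack("!HHB", len(password), 0, 0) + password
    status, _ = parse_reply(server.handle(build(session_id, key, 3, cont)), key)
    return status


if __name__ == "__main__":
    srv = ToyServer(b"juniper", {"mkhalil": "s3cret"})            # constructed credentials
    print(authenticate(srv, b"juniper", b"mkhalil", b"s3cret"))    # PASS
    print(authenticate(srv, b"juniper", b"mkhalil", b"wrong"))     # FAIL
    print(authenticate(srv, b'"juniper"', b"mkhalil", b"s3cret"))  # UNDECODABLE
```

The third case is the quoting pitfall Tom describes: the server keyed with juniper while the device stored "juniper" with the quotes as part of the secret. The device-side message in the thread ("Failed password for mkhalil ...") does not tell a bad secret apart from a bad password, so running the exchange from a host with the secret you think the device has is a quick way to separate the two.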