[j-nsp] TACACS and Logical systems

joel jaeggli joelja at bogus.com
Thu Mar 20 17:38:47 EDT 2014


On 3/20/14, 1:40 PM, Amos Rosenboim wrote:
> Hello Everybody,
> 
> One of our customers is going to implement logical systems in his network (core and access on the same box, different logical systems).
> All user accounts are based on TACACS with AD integration.

this may be heresy, but the Junipers can be configured to authenticate
against the AD server directly via RADIUS.

there are RADIUS VSAs that can be employed for various levels of access
control

http://www.juniper.net/techpubs/software/junos/junos94/swconfig-system-basics/configuring-juniper-networks-vendor-specific-radius-attributes.html

http://dice.neko-san.net/2012/08/linking-junos-authentication-to-active-directory-using-radius/

> Our challenge is with the network operations folks, we would like to provide them limited access to the core (base) and full access on the access router.
> So far the only option we could think of was to have different source IP when accessing the core and access, and assign privileges in the TACACS based on the combination of user and source IP.
> I'm wondering if anyone has deployed something more elegant than this?
> 
> Regards
> 
> Amos
> 
> 
> 


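As an added illustration of the RADIUS route described in the reply above (this is not configuration from the thread, from Juniper, or from the linked pages; the addresses, the secret placeholder, the class and user names and the logical-system name are all assumptions), here is the Junos side of that design. The RADIUS server returns the Juniper-Local-User-Name VSA (vendor 2636, attribute 1) naming one of two template users, and the login class attached to each template decides what the operator may do and where:

```junos
/* Added example, not from the original thread. Addresses, names and
   class scopes are assumptions made for illustration. */
system {
    /* RADIUS first, local password as fallback for when the server is down. */
    authentication-order [ radius password ];
    radius-server {
        192.0.2.10 {
            secret "replace-me"; ## SECRET-DATA
            source-address 192.0.2.1;
            timeout 5;
            retry 3;
        }
    }
    login {
        /* Base system (the core): operations staff may look but not touch.
           No configuration permission, and the disruptive verbs are denied
           explicitly in case a later permission change widens the class. */
        class ops-core-ro {
            permissions [ view view-configuration ];
            allow-commands "(show .*)|(ping .*)|(traceroute .*)";
            deny-commands "(clear .*)|(request .*)|(restart .*)";
        }
        /* The access router is its own logical system; this class is
           confined to it and carries full permissions only inside it. */
        class ops-access-full {
            logical-system ls-access;
            permissions all;
        }
        /* Template users. RADIUS returns Juniper-Local-User-Name set to one
           of these names, so individual AD users map onto a template's class
           instead of each needing a local account on the router. */
        user ops-core-ro {
            uid 2001;
            class ops-core-ro;
        }
        user ops-access-full {
            uid 2002;
            class ops-access-full;
        }
    }
}
```

Two practical notes on this layout. First, the decision about which template a given operator gets moves from the router into the RADIUS policy, where it can be keyed on an AD group rather than on the source address the original question proposed. Second, a login class is either confined to one logical system or it is not, so a single session cannot be read-only in the base system and full-privilege in ls-access at the same time; an operator who needs both ends up with two identities (or two RADIUS profiles), which is the same trade-off as the source-IP scheme, just expressed in group membership instead of addressing.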