[j-nsp] TACACS in Junos

Tom Storey tom at snnap.net
Thu Mar 20 18:34:49 EDT 2014


For everyone's reference, this is the config I have been using, and it
seems to work as you'd expect on a Cisco. Using this config I have run
Junipers against the same TACACS server used by Cisco devices without
any issues.

system {
    authentication-order [ tacplus password ];
    root-authentication {
        encrypted-password "xxxxxxxx"; ## SECRET-DATA
    }
    tacplus-server {
        172.25.150.26 {
            secret "xxxxxxxx"; ## SECRET-DATA
            timeout 5;
            /* source-address is the router's own address that TACACS+ requests
               are sent from; as posted it repeats the server address. */
            source-address 172.25.150.26;
        }
    }
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus;
        }
    }
    login {
        class rescue {
            idle-timeout 30;
            permissions all;
        }
        /* Template that TACACS+-authenticated users inherit their class from
           unless the server maps the login to another local user. */
        user remote {
            full-name "Remote user template";
            uid 2002;
            class rescue;
        }
        /* Local fallback account for when the TACACS+ server is unreachable. */
        user rescue {
            full-name "Rescue account";
            uid 2000;
            class rescue;
            authentication {
                encrypted-password "xxxxxxxx"; ## SECRET-DATA
            }
        }
    }
}

The key is in the "remote" user, which is basically a template from
which various properties get assigned to each user that logs in. It
needs to exist and needs to be called "remote", but commands executed
by users are recorded against their own username, as expected.

The "rescue" account is what you use to log in if TACACS becomes
unavailable for some reason (e.g. a network outage), but it can be called
anything you want; the same goes for the "rescue" class.

On 20 March 2014 22:16, Skeeve Stevens
<skeeve+junipernsp at eintellegonetworks.com> wrote:
> Hey all,
>
> We've been implementing Tacacs on our networks and have this issue where we
> can't seem to get Tacacs working unless we declare the username and Tacacs
> is used just for the authentication.
>
> Does anyone know how to get Tacacs working like Cisco where you just set it
> up and once you add users to the Tacacs back-end, they can login?
>
> ...Skeeve
>
> *Skeeve Stevens - *eintellego Networks Pty Ltd
> skeeve at eintellegonetworks.com ; www.eintellegonetworks.com
>
> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
>
> facebook.com/eintellegonetworks ;  <http://twitter.com/networkceoau>
> linkedin.com/in/skeeve
>
> twitter.com/theispguy ; blog: www.theispguy.com
>
>
> The Experts Who The Experts Call
> Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
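As an added example, not part of Tom's post or of the thread: a small Python script that parses the posted configuration (embedded as a constructed copy, secrets redacted exactly as posted) into a tree and flags the points a reviewer would check before relying on it. It checks that a `remote` template user exists and which class it inherits (with `permissions all` every TACACS+ login becomes a superuser unless the server narrows it), that `tacplus` is in `authentication-order` and whether `password` follows it (in which case Junos also tries the local password when the server rejects a login, not only when the server is unreachable), that `source-address` is not the server's own address (in the post the two are identical, which looks like a paste slip; Junos expects one of the router's addresses there), and that interactive commands are accounted to `tacplus`. The parser and the finding labels are my own, not any Juniper tool.

```python
"""Audit a Junos TACACS+ login configuration offline (added example, not from the post)."""
import re

# Constructed copy of the configuration posted in the thread, secrets redacted as posted.
POSTED_CONFIG = """
system {
    authentication-order [ tacplus password ];
    root-authentication {
        encrypted-password "xxxxxxxx"; ## SECRET-DATA
    }
    tacplus-server {
        172.25.150.26 {
            secret "xxxxxxxx"; ## SECRET-DATA
            timeout 5;
            source-address 172.25.150.26;
        }
    }
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus;
        }
    }
    login {
        class rescue {
            idle-timeout 30;
            permissions all;
        }
        user remote {
            full-name "Remote user template";
            uid 2002;
            class rescue;
        }
        user rescue {
            full-name "Rescue account";
            uid 2000;
            class rescue;
            authentication {
                encrypted-password "xxxxxxxx"; ## SECRET-DATA
            }
        }
    }
}
"""


def parse_junos(text):
    """Curly-brace Junos config -> nested dicts. '## ...' annotations are dropped,
    'a b {' nests as a -> b, '[ x y ]' becomes a list, 'k v;' maps k -> v, 'k;' -> True."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line or line.startswith("/*"):
            continue
        if line.endswith("{"):
            node = stack[-1]
            for token in line[:-1].split():
                node = node.setdefault(token, {})
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stmt = line[:-1].strip()
            m = re.match(r"(\S+)\s+\[\s*(.*?)\s*\]$", stmt)
            if m:
                stack[-1][m.group(1)] = m.group(2).split()
            else:
                key, _, val = stmt.partition(" ")
                stack[-1][key] = val.strip().strip('"') if val else True
    return root


def as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit(cfg):
    """Return finding labels (my own names) for the TACACS+-related parts of a parsed config."""
    findings = []
    system = cfg.get("system", {})
    login = system.get("login", {})
    users, classes = login.get("user", {}), login.get("class", {})

    order = as_list(system.get("authentication-order"))
    if "tacplus" not in order:
        findings.append("tacplus-not-in-authentication-order")
    if "password" in order:
        # With password listed, the local password is also tried on a TACACS+ reject.
        findings.append("local-password-tried-after-tacacs-reject")

    if "remote" not in users:
        # No template: TACACS+ users not mapped to another local user have no class.
        findings.append("missing-remote-template-user")
    else:
        perms = as_list(classes.get(users["remote"].get("class", ""), {}).get("permissions"))
        if "all" in perms:
            findings.append("remote-template-grants-all-permissions")

    for addr, srv in system.get("tacplus-server", {}).items():
        if "secret" not in srv:
            findings.append(f"tacplus-server-without-secret:{addr}")
        if srv.get("source-address") == addr:  # must be the router's address, not the server's
            findings.append(f"source-address-equals-server:{addr}")

    acct = system.get("accounting", {})
    if "tacplus" not in acct.get("destination", {}):
        findings.append("no-tacplus-accounting")
    elif "interactive-commands" not in as_list(acct.get("events")):
        findings.append("interactive-commands-not-accounted")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_junos(POSTED_CONFIG)):
        print(finding)
```

Run against the posted text it reports three findings: the local-password fallback on reject, the all-permissions template, and the source-address that equals the server. Tightening `authentication-order` to `[ tacplus ]` alone keeps the rescue account usable only when the server does not answer, which is the behaviour the post describes for it.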

