[j-nsp] TACACS in Junos
Skeeve Stevens
skeeve+junipernsp at eintellegonetworks.com
Thu Mar 20 20:13:20 EDT 2014
All, especially Tom... you ROCK!
Thanks all.
...Skeeve
Skeeve Stevens - eintellego Networks Pty Ltd
skeeve at eintellegonetworks.com ; www.eintellegonetworks.com
Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
facebook.com/eintellegonetworks ; <http://twitter.com/networkceoau>
linkedin.com/in/skeeve
twitter.com/theispguy ; blog: www.theispguy.com
The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
On Fri, Mar 21, 2014 at 9:34 AM, Tom Storey <tom at snnap.net> wrote:
> For everyone's reference, this is the config I have been using, and it
> seems to work as you'd expect on a Cisco. Using this config I have run
> Junipers against the same TACACS server used by Cisco devices without
> any issues.
>
> system {
>     authentication-order [ tacplus password ];
>     root-authentication {
>         encrypted-password "xxxxxxxx"; ## SECRET-DATA
>     }
>     tacplus-server {
>         172.25.150.26 {
>             secret "xxxxxxxx"; ## SECRET-DATA
>             timeout 5;
>             source-address 172.25.150.26;
>         }
>     }
>     accounting {
>         events [ login change-log interactive-commands ];
>         destination {
>             tacplus;
>         }
>     }
>     login {
>         class rescue {
>             idle-timeout 30;
>             permissions all;
>         }
>         user remote {
>             full-name "Remote user template";
>             uid 2002;
>             class rescue;
>         }
>         user rescue {
>             full-name "Rescue account";
>             uid 2000;
>             class rescue;
>             authentication {
>                 encrypted-password "xxxxxxxx"; ## SECRET-DATA
>             }
>         }
>     }
> }
>
> The key is in the "remote" user, which is basically a template from
> which various properties get assigned to each user that logs in. It
> needs to exist and needs to be called "remote", but commands executed
> by users are recorded against their own username, as expected.
>
> The "rescue" account is what you use to log in if TACACS becomes
> unavailable for some reason (e.g. network outage) but can be called
> anything you want, same goes for the "rescue" class.
>
> On 20 March 2014 22:16, Skeeve Stevens
> <skeeve+junipernsp at eintellegonetworks.com> wrote:
> > Hey all,
> >
> > We've been implementing TACACS on our networks and have this issue where we
> > can't seem to get TACACS working unless we declare the username and TACACS
> > is used just for the authentication.
> >
> > Does anyone know how to get TACACS working like Cisco where you just set it
> > up and once you add users to the TACACS back-end, they can log in?
> >
> > ...Skeeve
> >
> > Skeeve Stevens - eintellego Networks Pty Ltd
> > skeeve at eintellegonetworks.com ; www.eintellegonetworks.com
> > Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
> > facebook.com/eintellegonetworks ; <http://twitter.com/networkceoau>
> > linkedin.com/in/skeeve
> > twitter.com/theispguy ; blog: www.theispguy.com
> > The Experts Who The Experts Call
> > Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
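Tom's post makes three points that are easy to lose when this config is copied between boxes: `authentication-order` must list `tacplus` (with `password` behind it), a `user remote` template must exist under `login` so TACACS-authenticated users have something to map onto, and a local account with its own password must remain for when the TACACS server is unreachable. The following Python script is an added example written for this thread, not code from the list, from Tom, or from Juniper. It parses a Junos-style brace configuration (as produced by `show configuration`) into nested dicts and audits it for exactly those items plus the accounting settings Tom's config shows. The sample configuration embedded in it is constructed for the example (RFC 5737 test address, placeholder secret and hash, class definition omitted) and is not a copy of anyone's production config.

```python
"""Audit a Junos config snippet for the TACACS+ items discussed in this thread.
Added example (not from the thread or Juniper); sample configs are constructed."""
import re


def parse_junos(text):
    """Parse Junos brace config into nested dicts: a container ("user remote {")
    becomes a dict keyed by its header, a leaf becomes key -> value, with
    "[ a b ]" turned into a list and a bare keyword ("tacplus;") into True."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop "## SECRET-DATA" annotations
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line.endswith(";"):
            stmt = line[:-1].strip()
            m = re.fullmatch(r"(\S+)\s*\[(.*)\]", stmt)
            if m:
                stack[-1][m.group(1)] = m.group(2).split()
            else:
                key, _, value = stmt.partition(" ")
                stack[-1][key] = value.strip().strip('"') if value else True
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return stack[0]


def as_list(value):
    return value if isinstance(value, list) else [value]  # Junos omits [] for one item


def audit_tacacs(text):
    """Return findings (strings); empty means the snippet follows the posted pattern."""
    system = parse_junos(text).get("system", {})
    findings = []
    order = as_list(system.get("authentication-order", []))
    if "tacplus" not in order:
        findings.append("authentication-order does not include tacplus")
    if "password" not in order:
        findings.append("authentication-order lacks 'password' (posted config uses [ tacplus password ])")
    servers = system.get("tacplus-server", {})
    if not servers:
        findings.append("no tacplus-server configured")
    for addr, params in servers.items():
        if "secret" not in params:
            findings.append(f"tacplus-server {addr} has no shared secret")
    login = system.get("login", {})
    users = {h.split(" ", 1)[1]: u for h, u in login.items() if h.startswith("user ")}
    if "remote" not in users:  # the template Tom says must exist and be named "remote"
        findings.append("no 'user remote' template for TACACS-authenticated logins")
    if not any("encrypted-password" in u.get("authentication", {}) for u in users.values()):
        findings.append("no local account with a password for when TACACS is unreachable")
    acct = system.get("accounting", {})
    if "tacplus" not in acct.get("destination", {}):
        findings.append("accounting destination is not tacplus")
    if "interactive-commands" not in as_list(acct.get("events", [])):
        findings.append("accounting does not record interactive-commands")
    return findings


# Constructed sample in the shape of the posted config (RFC 5737 address, placeholder secrets).
GOOD_CONFIG = """
system {
    authentication-order [ tacplus password ];
    tacplus-server {
        192.0.2.10 {
            secret "EXAMPLE-SECRET"; ## SECRET-DATA
        }
    }
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus;
        }
    }
    login {
        user remote {
            class rescue;
        }
        user rescue {
            class rescue;
            authentication {
                encrypted-password "EXAMPLE-HASH"; ## SECRET-DATA
            }
        }
    }
}
"""

if __name__ == "__main__":
    print(audit_tacacs(GOOD_CONFIG) or ["ok: matches the posted TACACS+ pattern"])
```

Run it against `show configuration | no-more` output saved to a file (`audit_tacacs(open(path).read())`) before rolling the TACACS change to a fleet; a box whose `user remote` was renamed or whose rescue account lost its local password will show up as a finding rather than as a lockout later.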