[j-nsp] Juniper authorization with tacacs+

Justin Seabrook-Rocha xenith at xenith.org
Tue Apr 14 12:44:17 EDT 2015


> On Apr 14, 2015, at 03:36, Sukhjit Hayre <sukhjit.hayre at googlemail.com> wrote:
> 
> 
> Hi Ivan
> 
> Thanks for the additional information.
> 
> But the fact remains that we only use ACS for authentication and not authorisation. I want to be able to use ACS for authorisation control, hence I need the additional attributes to work, or at least to understand why they don't when support is supposed to be in place.
> 
> 
> 
>> On 14 Apr 2015, at 11:26, Ivan Ivanov <ivanov.ivan at gmail.com> wrote:
>> 
>> Hi Sukhjit,
>> 
>> The idea with local templates is that you configure a couple of them or more with different privileges. Then, using the ACS, you control which template each user inherits. If you look in the link you will see that those local templates look like users, but they do not have authentication attached. So the only way they can be used is if they are pushed from the authentication server.
>> 
>> For example, you configure two templates with different privileges and assign a hundred users from ACS to one of them and the other hundred to the other. That is why they are called templates.
>> 
>> This is usually how it is done on Junos to have users with different privileges authenticated via RADIUS or TACACS+ servers.
>> 
>> I hope it is clearer to you now!
>> Ivan,
>> 
>> 
>> 
>> -- 
>> Best Regards!
>> 
>> Ivan Ivanov

Hi Sukhjit,

JunOS does not support command authorization from TACACS+ or RADIUS, as far as I am aware. The method Ivan describes is the correct way to do authorization with JunOS. This is how we control authn/authz at my company (we also use ACS), and it works very well if you have some method of ensuring the user template configuration is correct across all your devices. (Some form of config auditing or automation, perhaps.)

I realize that half the point of TACACS+ is per-command authz similar to how it works on Cisco IOS, but JunOS just doesn’t support that part of TACACS+. The only way to control authz via TACACS+/ACS is mapping users to local user templates.

Justin Seabrook-Rocha
-- 
Xenith || xenith at xenith.org || http://xenith.org/
Jabber: xenith at xenith.org   || AIM:  JustinR98
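The two-template scheme Ivan and Justin describe, written out as an added Junos set-style example (not configuration from either poster); the class names, the 192.0.2.10 server address, the secret and the password hash are placeholders:

```junos
# Added example: Junos authorization via local user templates selected by
# TACACS+. Names, address, secret and hash are placeholders, not thread values.

# TACACS+ is tried first; local passwords are the fallback for the
# break-glass account defined at the bottom.
set system authentication-order [ tacplus password ]
set system tacplus-server 192.0.2.10 secret "CHANGE-ME"
set system tacplus-server 192.0.2.10 timeout 5

# Two login classes with different privilege levels. Per-command control
# lives here, on the device, not in the TACACS+ server.
set system login class ops-ro permissions [ view view-configuration ]
set system login class ops-ro deny-commands "^(request|restart|clear)"
set system login class ops-ro idle-timeout 15

set system login class ops-rw permissions all
set system login class ops-rw deny-commands "^request system (zeroize|reboot)"
set system login class ops-rw idle-timeout 15

# Template users: a class but no 'authentication' stanza, so nobody can log
# in as them directly. The TACACS+ server picks one per user by returning
# local-user-name=<template> for the junos-exec service.
set system login user ops-ro-template class ops-ro
set system login user ops-rw-template class ops-rw

# Template applied when the server returns no local-user-name at all; keep
# it least-privilege so a mis-configured ACS entry fails safe.
set system login user remote class ops-ro

# One break-glass local account, the only user with credentials on-box.
set system login user admin class super-user
set system login user admin authentication encrypted-password "$6$PLACEHOLDER"
```

On the ACS side the authorization reply for service junos-exec carries local-user-name=ops-rw-template (or ops-ro-template); after logging in, `show cli authorization` confirms which class and permissions were actually applied, which is the check to run when auditing the templates across devices.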