[j-nsp] Juniper authorization with tacacs+

Sukhjit Hayre sukhjit.hayre at googlemail.com
Tue Apr 14 15:55:03 EDT 2015


Hi Justin - thanks for the reply

I'm just a little stumped at why anyone would want to design this using ACS
in that case, as most of the configuration is local on the Juniper boxes and not
at all scalable.

I've replied to Eduardo from the thread, who seems to have this working;
unfortunately I could not replicate his results...

On Tue, Apr 14, 2015 at 5:44 PM, Justin Seabrook-Rocha <xenith at xenith.org>
wrote:

> On Apr 14, 2015, at 03:36, Sukhjit Hayre <sukhjit.hayre at googlemail.com>
> wrote:
>
>
> Hi Ivan
>
> Thanks for the additional information.
>
> But the fact remains we only use ACS for authentication and not
> authorisation, I want to be able to use ACS for authorisation control hence
> I need the additional attributes to work or at least understand why they
> don't when support is supposed to be in place.
>
>
>
> On 14 Apr 2015, at 11:26, Ivan Ivanov <ivanov.ivan at gmail.com> wrote:
>
> Hi Sukhjit,
>
> The idea with local templates is that you configure a couple of them or more
> with different privileges. Then using the ACS you control which user inherits
> which template. If you look at the link you will see that those local
> templates look like users but they do not have authentication attached. So
> the only way they can be used is if they are pushed from the authentication server.
>
> For example, you configure two templates with different privileges and
> assign a hundred users from ACS to one of them and the other hundred to the
> other. That is why they are called templates.
>
> This is usually how it is done on Junos to have users with different
> privileges authenticated via RADIUS or TACACS+ servers.
>
> I hope it is clearer to you now!
> Ivan,
>
>
>
> --
> Best Regards!
>
> Ivan Ivanov
>
>
> Hi Sukhjit,
>
> JunOS does not support command authorization from TACACS+ or RADIUS, as
> far as I am aware. The method Ivan describes is the correct way to do
> authorization with JunOS. This is how we control authn/authz at my company
> (we also use ACS), and it works very well if you have some method of
> ensuring the user template configuration is correct across all your
> devices. (Some form of config auditing or automation, perhaps.)
>
> I realize that half the point of TACACS+ is per-command authz similar to
> how it works on Cisco IOS, but JunOS just doesn’t support that part of
> TACACS+. The only way to control authz via TACACS+/ACS is mapping users to
> local user templates.
>
> Justin Seabrook-Rocha
> --
> Xenith || xenith at xenith.org || http://xenith.org/
> Jabber: xenith at xenith.org   || AIM:  JustinR98
>
>
>
>
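The template mapping Ivan and Justin describe, written out as a worked configuration. This is an added illustration, not configuration from the thread or from any poster's devices. The server address, shared secret, class and template names, UIDs and usernames are assumptions, and the server side is shown in Shrubbery tac_plus syntax rather than ACS. The attribute names themselves (`local-user-name`, `allow-commands`, `deny-commands`, returned under the `junos-exec` service) are Juniper's documented TACACS+ attributes; note that even `allow-commands`/`deny-commands` are evaluated once at login to refine the template's class, which is why they are not the per-command request/response authorization that IOS does.

```text
# ---------------- Junos side (set format; names and addresses are assumptions) ----------------
set system tacplus-server 192.0.2.10 secret "tacacs-shared-secret"
set system tacplus-server 192.0.2.10 timeout 5
set system tacplus-server 192.0.2.10 source-address 192.0.2.1
set system authentication-order [ tacplus password ]

# Login classes carry the real permissions; the template only points at a class.
set system login class noc-ro permissions [ view view-configuration ]
set system login class noc-ro deny-commands "(^request|^restart|^clear)"
set system login class noc-admin permissions all
set system login class noc-admin deny-commands "^request system zeroize"

# Templates: local accounts with NO authentication stanza, so nobody can log in
# to them directly. TACACS+ selects one by returning local-user-name.
set system login user tmpl-noc-ro uid 2001 class noc-ro
set system login user tmpl-noc-admin uid 2002 class noc-admin

# The special "remote" template catches authenticated users whose reply carries
# no local-user-name. Keep it least privilege, or leave it out so such users
# cannot log in at all (fail closed).
set system login user remote uid 2099 class noc-ro

# ---------------- tac_plus side (Shrubbery tac_plus syntax; assumed example) ----------------
key = "tacacs-shared-secret"

# One server-side group per Junos template; membership decides the template.
group = noc-ro {
    service = junos-exec {
        local-user-name = tmpl-noc-ro
    }
}

group = noc-admin {
    service = junos-exec {
        local-user-name = tmpl-noc-admin
        # Optional per-user narrowing of the template's class. Still applied at
        # login, not checked per command.
        deny-commands = "^request system zeroize"
    }
}

user = alice {
    member = noc-admin
    login = file /etc/passwd
}

user = bob {
    member = noc-ro
    login = file /etc/passwd
}
```

On Cisco ACS the equivalent is a shell profile whose custom attribute `local-user-name` is set to the template name and returned for the `junos-exec` service the Junos box asks for. Since the class definitions live on every device, Justin's point about auditing applies directly: a template that exists on one router with `permissions all` and on another with `view` gives the same ACS user two different privilege levels, so the `system login` stanza is worth comparing across the fleet as part of routine config auditing.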

