[j-nsp] Juniper authorization with tacacs+

Justin Seabrook-Rocha xenith at xenith.org
Tue Apr 14 16:17:39 EDT 2015


> On Apr 14, 2015, at 12:55, Sukhjit Hayre <sukhjit.hayre at googlemail.com> wrote:
> 
> 
> Hi Justin - thanks for the reply
> 
> I'm just a little stumped at why anyone would want to design this using ACS in which case, as most of the configuration is local on Juniper boxes and not at all scalable.
> 
> I've replied to Eduardo from the thread, who seems to have this working; unfortunately I could not replicate his results…

It’s most useful if you only need to map people into specific groups. I map every user into tier1, tier2, or tier3, each with a different set of permissions. I also have a service account group for things like RANCID. ACS manages authentication against Active Directory/LDAP and tells JunOS which group the user belongs to (local-username), then the user template manages permissions. And JunOS still uses TACACS+ for command accounting back to the ACS box. (Which we then dump into Splunk for log archiving.)

It works very well for us, and is completely scalable. You only have to configure a small number of user templates (4 in our case), and have some way to keep them in sync across devices.

The only additional feature I would wish for (aside from per-command authorization which is handled by the user templates) is the ability for TACACS+/ACS to be able to provide JunOS with the public ssh key of the user instead of needing to authenticate with a password.

Justin Seabrook-Rocha
-- 
Xenith || xenith at xenith.org || http://xenith.org/
Jabber: xenith at xenith.org   || AIM:  JustinR98
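The Junos side of the design Justin describes, written out as an added example for this archive page rather than taken from his post or from any vendor document: TACACS+ authentication first, a login class per tier carrying the permissions, one password-less template user per class that the TACACS+ server selects by returning local-user-name, and interactive-command accounting sent back to the same server. The server address 192.0.2.10, the source address, the secret placeholder, the uids, the idle timeout and the deny-commands regexes are assumptions; the class names tier1, tier2, tier3 and the RANCID service account are the ones named in the post.

```junos
system {
    /* Consult TACACS+ first. Listing 'password' keeps local break-glass
       accounts usable; template users below carry no password, so they
       cannot be reached through this fallback. */
    authentication-order [ tacplus password ];
    tacplus-server {
        192.0.2.10 {
            secret "CHANGE-ME";    /* hypothetical shared secret */
            timeout 5;
            single-connection;
            source-address 192.0.2.1;
        }
    }
    /* Command accounting: every interactive command and config change is
       reported to the TACACS+ server, which is where the Splunk feed comes from. */
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server {
                    192.0.2.10 {
                        secret "CHANGE-ME";
                    }
                }
            }
        }
    }
    login {
        /* Permissions live in the login classes, one per tier. */
        class tier1 {
            idle-timeout 15;
            permissions [ view view-configuration ];
            deny-commands "^(clear|request|restart|start) ";
        }
        class tier2 {
            idle-timeout 15;
            permissions [ view view-configuration clear network reset trace ];
            deny-commands "^request system (halt|reboot|zeroize)";
        }
        class tier3 {
            idle-timeout 15;
            permissions all;
        }
        class rancid-ro {
            permissions [ view view-configuration ];
        }
        /* Template users: no 'authentication' stanza, so they are not directly
           loginable. The TACACS+ server selects one by returning
           local-user-name = <template> in the junos-exec service. */
        user tier1 {
            uid 2001;
            class tier1;
        }
        user tier2 {
            uid 2002;
            class tier2;
        }
        user tier3 {
            uid 2003;
            class tier3;
        }
        user rancid {
            uid 2004;
            class rancid-ro;
        }
    }
}
```

On the server side the only per-group data is the template name: in ACS that is a shell profile with a custom attribute for the `junos-exec` service, and in a text-based daemon such as tac_plus the equivalent stanza is `service = junos-exec { local-user-name = tier2 }`. Junos accepts `allow-commands` and `deny-commands` in that same service as well, so per-command authorization could be pushed from the server instead of the classes; the post keeps it in the templates, which is what the example does. Check the mapping with `show system users` after a login (the template name, not the AD account, appears as the user) and watch the accounting records on the server for the `interactive-commands` events before trusting the audit trail.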