[j-nsp] Juniper authorization with tacacs+

Sukhjit Hayre sukhjit.hayre at googlemail.com
Tue Apr 14 17:23:59 EDT 2015


Appreciate the advice, and you seem to have a nice setup.

I would still refer back to original post, specifically:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html

Cisco advise "The values of the allow-commands, allow-configuration,
deny-commands, and deny-configuration attributes can be entered in regex
format. The values that these attributes are set to are in addition to the
operational/configuration mode commands authorized by the user's login
class permissions bits."


So what they're saying here is that, as well as the local class-permission bits in JUNOS, these attributes will complement that policy, in my view giving the user the control in ACS to control user permissions.


Only a packet capture will show what's really going on, and whether or not Junos is bothered with the option, if at all they're being sent via TACACS+ from ACS.

> On 14 Apr 2015, at 21:17, Justin Seabrook-Rocha <xenith at xenith.org> wrote:
> 
> 
>> On Apr 14, 2015, at 12:55, Sukhjit Hayre <sukhjit.hayre at googlemail.com> wrote:
>> 
>> 
>> Hi Justin - thanks for the reply
>> 
>> I'm just a little stumped at why anyone would want to design this using ACS in which case, as most of the configuration is local on Juniper boxes and not at all scalable.
>> 
>> I've replied to Eduardo from the thread who seems to have this working, unfortunately I could not replicate his results…
> 
> It’s most useful if you only need to map people into specific groups. I map every user into tier1, tier2, or tier3, each with a different set of permissions. I also have a service account group for things like RANCID. ACS manages authentication against Active Directory/LDAP and tells JunOS which group the user belongs to (local-username), then the user template manages permissions. And JunOS still uses TACACS+ for command accounting back to the ACS box. (Which we then dump into Splunk for log archiving.)
> 
> It works very well for us, and is completely scalable. You only have to configure a small number of user templates (4 in our case), and have some way to keep them in sync across devices.
> 
> The only additional feature I would wish for (aside from per-command authorization which is handled by the user templates) is the ability for TACACS+/ACS to be able to provide JunOS with the public ssh key of the user instead of needing to authenticate with a password.
> 
> Justin Seabrook-Rocha
> -- 
> Xenith || xenith at xenith.org || http://xenith.org/
> Jabber: xenith at xenith.org   || AIM:  JustinR98
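A Junos configuration sketch of the template-based design discussed in this thread (tiered login classes selected by the TACACS+ local-user-name attribute, with command accounting sent back to the server). This is an added example, not configuration from either poster; the server address, secret, class names, uids and command regexes are placeholders.

```junos
system {
    /* Try TACACS+ first; fall back to local passwords only if the server is unreachable */
    authentication-order [ tacplus password ];
    tacplus-server {
        192.0.2.10 {                      /* placeholder ACS address */
            secret "PLACEHOLDER-SHARED-SECRET";
            timeout 5;
            single-connection;
        }
    }
    /* Command accounting back to ACS, as described in the thread */
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server {
                    192.0.2.10 secret "PLACEHOLDER-SHARED-SECRET";
                }
            }
        }
    }
    login {
        /* Class permission bits set the baseline; allow-/deny-commands refine it.
           In Junos a deny-commands match takes precedence over allow-commands. */
        class tier1 {
            permissions [ view view-configuration ];
            allow-commands "^(show|ping|traceroute) .*";
            deny-commands "^show (configuration|system license)";
        }
        class tier2 {
            permissions [ view view-configuration interface interface-control ];
            deny-commands "^request system (reboot|halt|zeroize)";
        }
        class tier3 {
            permissions all;
        }
        /* User templates: ACS returns local-user-name = tier1|tier2|tier3
           and the session inherits that template's class. "remote" is the
           fallback template used when no local-user-name is returned. */
        user tier1 { uid 2001; class tier1; }
        user tier2 { uid 2002; class tier2; }
        user tier3 { uid 2003; class tier3; }
        user remote { uid 2000; class read-only; }
    }
}
```

Any allow-commands or deny-commands attributes ACS sends per user are merged on top of the template class, which is why a packet capture of the TACACS+ authorization reply is the quickest way to confirm what the server is actually returning.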