topic Re: ISE 2.3 - TACACS+ - Returning a different Username to Juniper Device in Network Access Control

ISE 2.3 - TACACS+ - Returning a different Username to Juniper Device

jake.pratt@rate.com — Tue, 05 Mar 2019 19:15:06 GMT

I am running ISE 2.3 as a tacacs+ server. I have it working well with my Cisco devices. It is integrated with AD as an external identity source. I am using a default authentication policy that checks against AD. I also have a couple different authorization policies: one that grants shell access with full access, and one that grants shell access with only access to "show" commands. Those work great on all my Cisco devices.

My problem is that I have a bunch of Juniper firewalls. They are configured so that user "remote" has operator level privilege, and the user "remote-su" has super-user privilege. When any users authentication with ISE, they are brought in as "remote" and are only given "operator" privilege. I am looking for a way to come back to the Juniper with the user name "remote" or "remote-su". Something like this:

Case 1:

User jsmith logs in

hits ISE > he is a network admin

return "remote-su" username to Juniper

he is given super-user privilege

Case 2:

User ajones logs in

hits ISE > he is a helpdesk tech

returns "remote" username to Juniper

he is given operator privilege

I've been doing lots of reading, and haven't come up with a way to accomplish this specific task. Does anyone know of a way to do this? If there is a better way to do it that doesn't involve passing the usernames remote/remote-su back to the Juniper, I'm all ears as well. It just seemed like one possible solution. I know I can go into each Juniper and specify permissions for jsmith and ajones, but that defeats the purpose of using ISE. I want everything to be configured in AD and ISE, as far as user accounts and permissions go.

Thanks in advance.

Re: ISE 2.3 - TACACS+ - Returning a different Username to Juniper Device

Damien Miller — Sat, 09 Mar 2019 12:56:32 GMT

The only way I have seen this was back in the ACS days with shadow accounts on Juniper. You configure local accounts mapped to the permissions you want, and then from ACS/ISE you send back the user. You leverage a custom attribute like local-user-name to accomplish this. Pretty sure that's what you are trying to avoid.

On juniper you would create a RO and super user accounts, set up for the roles you want. ISE authentication still takes place as it would, creating authorization rules based on the AD accounts. Then with the result you send back RO account with "local-user-name" if they match RO only access, and super if they match super. Worked good.

Juniper has their short list of attributes documented. Have you considered the allow-configuration and deny-configuration, would it accomplish what you need?
https://www.juniper.net/documentation/en_US/src4.7/topics/reference/general/tacas-radius-authentication-attributes.html

Re: ISE 2.3 - TACACS+ - Returning a different Username to Juniper Device

jake.pratt@rate.com — Mon, 11 Mar 2019 14:10:39 GMT

Thank you for your reply Damien! What you're describing is exactly what I'm trying to do. However, I'm not sure exactly how to pass the "local-user-name" back to Juniper. Any help on how to do that?