topic ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+ in Network Access Control

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+ Authentication

rodmunch999 — Mon, 11 Mar 2019 01:17:49 GMT

Hi,

I am trying add custom attributes for Juniper Netscreen TACACS+ authentication to a v5.2 ACS. The advice is to add it to the group as follows:

ervice = netscreen {
vsys = root
privilege = read-write
}

I know how to add this to a version v4.x ACS

However, I do not know how to apply this to the custom attribiutes to a v5.x ACS

Do I add the vsys and privilege attribute seperately or together? What should be the attribute name? netscreen? Should it be mandatory?

Any advice please

Re: ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TAC

justins — Thu, 11 Aug 2011 00:27:12 GMT

Good question, I'd like to know this as well for the netscreens. For junos, this is how I tried to do it (you would drop the "netscreen" from yours, but not sure if you would add both as mandatory)

Acs4.x setup

junos-exec

local-user-name=readonly

acs5.2 setup

attribute - local-user-name

value - readonly

mandatory

# junos config

}

class admin {

idle-timeout 30;

permissions all;

}

class read-only {

idle-timeout 30;

permissions [ view view-configuration ];

}

user admin {

class admin;

}

user readonly {

class read-only;

The problem I have though, is this fixes my login to work to my JunOS devices, but it breaks the authentication to my Cisco IOS devices. The AAA logs show that the authentication succeeded, but the router says "authorization failed". Once I remove either the attribute from my shell profile, or make it optional then the Cisco router works for auth, but the JunOS device stops working (The username it tries to use is "remote" instead of the user I am trying to authenticate with).

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

justins — Thu, 11 Aug 2011 20:10:05 GMT

Making different device groups and shell profiles mapped to different authorization profiles fixed my problem BTW.

Here is the setup I did for Juniper. I will try the netscreen one (last picture) later today/tomorrow

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

rodmunch999 — Tue, 16 Aug 2011 05:23:40 GMT

Bingo! Thank you very much Justin - I still had the privilege levels set to 15 but when I removed them but kept in the new attributes it logged in fine.

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

rommel-peraza — Thu, 09 Feb 2012 13:15:18 GMT

Hi, I was looking for some help on configuring a Juniper FW on my Cisco ACS v4.0 and I found you guys. Can you tell me which would be the best way to do that or where can I find good documentaction about it?

Thanks.

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

cburgers — Thu, 05 Sep 2013 02:27:22 GMT

Has anyone managed to find out why the cisco devices fail authorization when the mandatory custom attribute is enabled?

Justin said

"The problem I have though, is this fixes my login to work to my JunOS devices, but it breaks the authentication to my Cisco IOS devices. The AAA logs show that the authentication succeeded, but the router says "authorization failed". Once I remove either the attribute from my shell profile, or make it optional then the Cisco router works for auth, but the JunOS device stops working (The username it tries to use is "remote" instead of the user I am trying to authenticate with)."

I am currently having the same issue with ACS5.4.

Thanks,

Craig

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

justins — Fri, 06 Sep 2013 00:06:26 GMT

I was able to make it work using different device groups and shell profiles instead of trying to combine mulitiple together.

Is your issue with IOS devices or NXOS devices (role-based auth)

Justin

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

cburgers — Fri, 06 Sep 2013 04:07:19 GMT

Thanks Justin,

I was hoping to use just one shell profile for both device groups. We have it working with seperate profiles, but would be less overhead with one!

I havn't tried NXOS yet, but I imagine it will be a similar story.

Craig

Re: ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

umaerkhan — Thu, 07 Dec 2017 08:43:48 GMT

this worked for me on authorization profile- SHELL.