topic Re: Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with in Network Access Control

Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with 2 class user type.

Marlon Malinao — Mon, 11 Mar 2019 02:23:37 GMT

Hi All,

I have ACS 5.2 and JUNOS 10.6.x I setup 2 classes eng-class and ops-class with read/write and read-only permission

here is my configuration on JUNOS

set system login class eng-class idle-timeout 15

set system login class eng-class permissions all

set system login user engineer full-name “Regional-Engineering”

set system login user engineer uid 2001

set system login user engineer class eng-class

set system login user engineer authentication plain-text-password xxxxxxx

set system login class ops-class idle-timeout 15

set system login class ops-class permissions [ view view-configuration ]

set system login user operator full-name “Regional-Operations”

set system login user operator uid 2002

set system login user operator class ops-class

set system login user operator authentication plain-text-password xxxxxxx

set system authentication-order tacplus password

set system tacplus-options no-cmd-attribute-value

set system tacplus-server xxxx.xxx.xxx.xxx secret xxxxxxxx

set system tacplus-server xxx.xxx.xxx.xxx timeout 5

set system tacplus-server xxx.xxx.xxx.xxx source-address xxx.xxx.xxx.

set system accounting events login

set system accounting events change-log

set system accounting events interactive-commands

set system accounting destination tacplus server xxx.xxx.xxx.xxx secret xxxxxxx

set system accounting destination tacplus server xxxx.xxx.xxx.xxx timeout 5

ACS 5.2

shell profile

junos-eng

attribute=local-user-name

value=engineer

junos-ops

attribute=local-user-name

value=operator

I have 2 separate Authorization policies for engineer and operator group.

Result,

1. engineering group is working fine.

2. the operator group its not working im unable to login to device under this group "authentication failed" but on the ACS logs its successfully authenticated.

3. Web authentication is not also working for bot group.

Any advice?

rgds,

Marlon

thanks.

Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with 2 c

Marlon Malinao — Mon, 13 Aug 2012 03:05:44 GMT

Hi,

Hope anyone can help me about this problem.

Thanks.

Re: Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with

Marlon Malinao — Wed, 29 Aug 2012 15:46:55 GMT

Anybody?

Sent from Cisco Technical Support iPad App

Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with 2 c

Tarik Admani — Thu, 30 Aug 2012 06:17:30 GMT

Marlon,

On your shell profile can you delete all the attributes and try to re-enter them in, I have seen in the past that if there is a leading it will still be sent in the tacacs resposne but will not be present if you revisit the shell profile. Give that a shot and let me know if that helps.

thanks,

Tarik Admani
*Please rate helpful posts*

Re: Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with

Marlon Malinao — Fri, 31 Aug 2012 01:47:25 GMT

Hi Tarik Admani,

Thanks for the advice, i have tried this as well and it still not working.

Thanks,

Marlon

Re: Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with

Tarik Admani — Fri, 31 Aug 2012 02:53:45 GMT

Marlon,

I tried to find some information on configuring tacacs for junos 10.6 but didnt find anything. Do you have a link to the documentation.

Did you create a local role engineer, and operator locally?

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with

Marlon Malinao — Sat, 01 Sep 2012 05:58:10 GMT

Hi,

Yes it is local account.

Sent from Cisco Technical Support iPad App

Re: Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with

Tarik Admani — Sat, 01 Sep 2012 06:18:36 GMT

Marlon,

Did you try sending back the class attribute itself instead of sending back the role attribute. I tried to look around for any tacacs examples from Juniper side and I do not see anything that appears with an attribute named "value" I do see a few references for the class attribute.

Here looks to be a set of attributes you can use in the junos 10.0 guide for remote authentication:

http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-system-basics/authentication-user-remote-template-account-configuring.html

Can you make the changes and see if this works:

junos-eng

attribute=local-user-name

class=eng-class

junos-ops

attribute=local-user-name

class=ops-class

ALSO...can you see if you can map them straight into the permissions on the ACS side:

http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-system-basics/access-privileges-levels-overview.html#id-permbit

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with

Marlon Malinao — Mon, 03 Sep 2012 02:50:02 GMT

Thanks,

I would like to try the " remote template" and do the restriction in the acs. Do you know how will i able to do it for allow commands and deny commands?

Sent from Cisco Technical Support iPad App

Re: Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with

Tarik Admani — Mon, 03 Sep 2012 07:26:16 GMT

Based on reading the article it looks like you will have to set the permissions as the attribute and the list of commands as the value...Try the following "permissions=access" and see if the following holds true...

access

Can view the access configuration in configuration mode using the show configuration operational mode command.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with

Marlon Malinao — Tue, 04 Sep 2012 15:13:04 GMT

Thanks Tarik Admani,

Here is what i did.

-----using one template for all----

set system login class super-user-local idle-timeout 15

set system login class lsuper-user-local permissions all

set system login user remote full-name “Remote Users”

set system login user remote class super-user-local

in ACS

shell profile for enginineering

junos-admin

attribute=local-user-name

mandatory

value=remote

shell profile for ops

junos-ops

attribute=local-user-name

mandatory

value=remote

attribute=deny-commands

mandatory

value=configure , list down alos other commands such as set. on a separate attribute. i.e.

attribute=deny-commands

mandatory

value=set

attribute=allow-commands

mandatory

valute=ping, etc.....

then on my Access policy i have different auhtorization for each group of users which matches on my AD groups.

Thanks Tarik!!

Re: Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with

Marlon Malinao — Wed, 05 Sep 2012 01:25:27 GMT

Hi,

One thing though is that my web gui login the tacacs doesnt work. only local accounts able to login on my web gui.

any advice.

thanks

marlon

Re: Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with

Tarik Admani — Wed, 05 Sep 2012 04:07:23 GMT

Do you see the authentication being sent to acs?

Sent from Cisco Technical Support iPad App

Re: Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with

Marlon Malinao — Wed, 05 Sep 2012 12:38:19 GMT

Actually that is a good question, no i dont see anything.

marlon

Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with 2 c

Tarik Admani — Wed, 05 Sep 2012 15:25:30 GMT

HI,

Will this document provide any assistance:

https://www.juniper.net/techpubs/en_US/junos11.2/information-products/topic-collections/security/software-all/initial-config/index.html?topic-55468.html

Thanks,

Tarik Admani
*Please rate helpful posts*