08-10-2011 03:30 AM - edited 03-10-2019 06:17 PM
Hi,
I am trying to add custom attributes for Juniper Netscreen TACACS+ authentication to a v5.2 ACS. The advice is to add it to the group as follows:
service = netscreen { vsys = root privilege = read-write }
I know how to add this to a version v4.x ACS
However, I do not know how to apply these custom attributes to a v5.x ACS.
Do I add the vsys and privilege attributes separately or together? What should be the attribute name? netscreen? Should it be mandatory?
Any advice please
08-10-2011 05:27 PM
Good question, I'd like to know this as well for the netscreens. For junos, this is how I tried to do it (you would drop the "netscreen" from yours, but not sure if you would add both as mandatory)
Acs4.x setup
junos-exec
local-user-name=readonly
acs5.2 setup
attribute - local-user-name
value - readonly
mandatory
# junos config
login {
    class admin {
        idle-timeout 30;
        permissions all;
    }
    class read-only {
        idle-timeout 30;
        permissions [ view view-configuration ];
    }
    user admin {
        class admin;
    }
    user readonly {
        class read-only;
    }
}
The problem I have though, is this fixes my login to work to my JunOS devices, but it breaks the authentication to my Cisco IOS devices. The AAA logs show that the authentication succeeded, but the router says "authorization failed". Once I remove either the attribute from my shell profile, or make it optional then the Cisco router works for auth, but the JunOS device stops working (The username it tries to use is "remote" instead of the user I am trying to authenticate with).
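The behaviour described in the post above (a mandatory attribute that one platform does not know causes "authorization failed", while making it optional lets that platform proceed) follows from how TACACS+ authorization arguments are encoded. The example below is added here and is not code from the thread, from Cisco ACS, IOS or Junos: it models the client-side rule from RFC 8907 section 6.1 ('attr=value' is mandatory, 'attr*value' is optional, and a mandatory argument the device cannot honour fails the authorization), and it also expands the ACS 4.x `service = netscreen { vsys = root privilege = read-write }` text from the first post into the separate attribute-value pairs it stands for. The two device vocabularies in the block are representative subsets chosen for the demonstration and are an assumption, not a complete list of what either platform recognises.

```python
"""Model of TACACS+ authorization attribute-value pairs (RFC 8907, 6.1).

Added illustration, not ACS, IOS or Junos code. Shows why one shell
profile carrying a platform-specific mandatory attribute works on one
device family and fails on the other.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AVPair:
    name: str
    value: str
    mandatory: bool

    def wire(self) -> str:
        """Render as the argument string carried in the authorization reply."""
        return f"{self.name}{'=' if self.mandatory else '*'}{self.value}"


def parse_av_pair(arg: str) -> AVPair:
    """Split one argument at its first '=' (mandatory) or '*' (optional)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return AVPair(arg[:i], arg[i + 1:], ch == "=")
    raise ValueError(f"not an attribute-value pair: {arg!r}")


_ACS4_BLOCK = re.compile(r"^\s*service\s*=\s*(\S+)\s*\{(.*)\}\s*$", re.S)


def acs4_service_block_to_pairs(text: str, mandatory: bool = True) -> list:
    """Expand the ACS 4.x form 'service = <name> { a = b c = d }'.

    The service name and every inner 'a = b' become separate pairs; there
    is no single combined 'netscreen' attribute.
    """
    m = _ACS4_BLOCK.match(text)
    if not m:
        raise ValueError("expected: service = <name> { attr = value ... }")
    service, body = m.group(1), m.group(2)
    pairs = [AVPair("service", service, True)]
    for name, value in re.findall(r"(\S+)\s*=\s*(\S+)", body):
        pairs.append(AVPair(name, value, mandatory))
    return pairs


# Representative attribute vocabularies (assumption for the demo; both are
# subsets of what each platform actually recognises).
IOS_SHELL_ATTRS = {"priv-lvl", "autocmd", "acl", "idletime", "timeout"}
JUNOS_ATTRS = {"local-user-name", "allow-commands", "deny-commands",
               "allow-configuration", "deny-configuration"}


def client_authorize(pairs, understood):
    """Device-side handling of an authorization reply.

    Returns (granted, applied). A mandatory pair outside the device's
    vocabulary fails the whole authorization; an optional one is ignored.
    """
    applied = {}
    for p in pairs:
        if p.name == "service":
            continue  # the service selector itself is always understood
        if p.name in understood:
            applied[p.name] = p.value
        elif p.mandatory:
            return False, {}
    return True, applied


def evaluate_shell_profile(pairs):
    """Outcome of one shell profile on both device families."""
    return {
        "ios": client_authorize(pairs, IOS_SHELL_ATTRS),
        "junos": client_authorize(pairs, JUNOS_ATTRS),
    }


if __name__ == "__main__":
    # Constructed sample: one shared profile with priv-lvl and a mandatory
    # local-user-name, the combination the thread reports as failing.
    shared = [AVPair("service", "shell", True),
              AVPair("priv-lvl", "15", True),
              AVPair("local-user-name", "readonly", True)]
    print([p.wire() for p in shared], evaluate_shell_profile(shared))
    print(acs4_service_block_to_pairs(
        "service = netscreen { vsys = root privilege = read-write }"))
```

Running the model over a shared profile shows both families failing (each rejects the other's mandatory attribute), while a profile holding only the attributes a given family understands is granted; that is the same outcome as splitting device groups and shell profiles, as the thread ends up doing. For the NetScreen question, the expansion yields `service=netscreen`, `vsys=root` and `privilege=read-write` as three separate pairs.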
08-11-2011 01:10 PM
Making different device groups and shell profiles mapped to different authorization profiles fixed my problem BTW.
Here is the setup I did for Juniper. I will try the netscreen one (last picture) later today/tomorrow
08-15-2011 10:23 PM
Bingo! Thank you very much Justin - I still had the privilege levels set to 15 but when I removed them but kept in the new attributes it logged in fine.
02-09-2012 05:15 AM
Hi, I was looking for some help on configuring a Juniper FW on my Cisco ACS v4.0 and I found you guys. Can you tell me which would be the best way to do that, or where I can find good documentation about it?
Thanks.
09-04-2013 07:27 PM
Has anyone managed to find out why the cisco devices fail authorization when the mandatory custom attribute is enabled?
Justin said
"The problem I have though, is this fixes my login to work to my JunOS devices, but it breaks the authentication to my Cisco IOS devices. The AAA logs show that the authentication succeeded, but the router says "authorization failed". Once I remove either the attribute from my shell profile, or make it optional then the Cisco router works for auth, but the JunOS device stops working (The username it tries to use is "remote" instead of the user I am trying to authenticate with)."
I am currently having the same issue with ACS5.4.
Thanks,
Craig
09-05-2013 05:06 PM
I was able to make it work using different device groups and shell profiles instead of trying to combine multiple together.
Is your issue with IOS devices or NXOS devices (role-based auth)?
Justin
09-05-2013 09:07 PM
Thanks Justin,
I was hoping to use just one shell profile for both device groups. We have it working with separate profiles, but it would be less overhead with one!
I haven't tried NXOS yet, but I imagine it will be a similar story.
Craig