Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8976
Views
45
Helpful
19
Replies

ACS 5.2 with SRX TACACS+ authorization

Go to solution
Joseph Chen
Level 1
Level 1

‎05-31-2013 12:47 PM - edited ‎03-10-2019 08:29 PM

I am trying to get the TACACS+ work on SRX 11.4R7.5. However during my packet capture on SRX. I found the SRX sent authorzation request with service=junos-exec but ACS returns no value. that cause the SRX to use the "remote" as local-user-name and take the class setting for it.

On ACS, I found the "Group Mapping" policy matched to "Default Rule" and Authorization" policy matched the "Default Rule" as well.

Please help to provide me some document link about how to configure the Group Mapping and Authorization policy properly.

4 people had this problem
Labels:
0 Helpful
19 Replies 19

Go to solution
Simon Young
Level 1
Level 1
In response to Joseph Chen

‎06-01-2013 01:48 PM

Hi Joseph

Great guide, I am the other person that Jatin is helping. Unfortunately I still can not get jweb to work unless its via my root

My shell is local-user-name mandatory JWEBADMIN

I log in as my Tacas jweb user, via ssh and I get the correct class

jweb@Juniper-Firewall

> show cli authorization

Current user: 'JWEBADMIN' login: 'jweb' class 'RW-CLASS'

I try and connect via https (jweb) and it fails.

Jun  2 08:02:49  Juniper-Firewall checklogin[7419]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username jweb)

I can only assume this is some kind of junos OS issue (I have been working with junos for a couple of weeks only)

Here is my SRX configuration.

version 9.6R1.13;

system {

    host-name Juniper-Firewall;

    authentication-order [ tacplus password ];

    root-authentication {

        encrypted-password "$1$1tRuy9o2$LwSPxNwe4XGNMOMIMo1pd1"; ## SECRET-DATA

    }

    tacplus-server {

        10.251.200.25 {

            secret "$9$zaUL6/AtuOIRS5QF/CuEhws2"; ## SECRET-DATA

            timeout 10;

            single-connection;

        }

    }

    accounting {

        events [ login change-log interactive-commands ];

        destination {

            tacplus;

        }

    }

    login {

        class RO-CLASS {

            permissions [ view view-configuration ];

        }

        class RW-CLASS {

            permissions all;

        }

        user JWEBADMIN {

            uid 2028;

            class RW-CLASS;

        }

        user remote {

            full-name "Remote User";

            uid 2025;

            class operator;

        }

        user remoteadmin {

            full-name "Remote Admin";

            uid 2026;

            class super-user;

        }

    }

0 Helpful

Go to solution
Joseph Chen
Level 1
Level 1
In response to Simon Young

‎06-02-2013 07:57 PM

Simon,

Your configuration looks fine and your show cli authorization showing the correct "local-user-name" replied from ACS. So the only thing I can think of could be a software bug, since you are running old 9.6R1.13. I will suggest you try to upgrade to 11.4 if possible (My lab was running on current 11.4R7.5)

0 Helpful

Go to solution
sukhjit.hayre
Level 1
Level 1
In response to Joseph Chen

‎04-12-2015 05:13 PM

having been through multiple threads i.e
 
 
I cannot find a way for Cisco ACS and SRX cluster to allow an account to have certain privileges
 
Cisco advise they support the following Juniper attributes for TACACS+:
 
allow-commands
Optional 
"(request system) | (show rip neighbor)"
allow-configuration
Optional 
local-user-name
Optional 
sales
deny-commands
Optional 
"<^clear"
deny-configuration
Optional 
 
 
Now I can get the local-user-name attribute assigned and agreed between ACS 5.6 and Junos as I can log-in ok
 
But I'm trying to restrict an account to only certain commands and would rather do this on ACS 5.6 vs the local device login profile
 
here is the config on the device:
 
login {
    user junosadmin {
        uid 100;
        class super-user;
    }                                   
    user junosro {
        uid 101;
        class unauthorized;
 
so I want junosro to be permitted to be able to run "show" commands
 
I've tried creating a custom class locally with increased rights but need to be able to control this on ACS
 
I've tried on ACS adding these into policy elements>authorizations & permissions>device administration>shell profiles>account>custom attributes but only the "local-user-name" attribute seems to work for authentication purposes
 
Cisco advise "The values of the allow-commands, allow-configuration, deny-commands, and deny-configuration attributes can be entered in regex format. The values that these attributes are set to are in addition to the operational/configuration mode commands authorized by the user's login class permissions bits."
 
have you attempted customer authorization attributes?
 
thanks in advance
0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎06-02-2013 09:36 PM

That could only be a problem. I think the response sent by acs is not getting applied correctly. Last time Simon captured the traffic btw acs and juniper shows no tacacs response. Since then we have made some changes and I think its worth looking at the packet capture again if you still wish to troubleshoot.

Upgrade would be a solution for sure.

Jatin
Do rate helpful posts


Sent from Cisco Technical Support Android App

~Jatin
0 Helpful

Go to solution
Simon Young
Level 1
Level 1
In response to Jatin Katyal

‎06-03-2013 05:20 AM

I upgraded the junos and it works

Your guide is very useful and I will be retaining a copy

Thanks

Simon

0 Helpful
Customers Also Viewed These Support Documents