cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9285
Views
45
Helpful
19
Replies

ACS 5.2 with SRX TACACS+ authorization

Joseph Chen
Level 1
Level 1

I am trying to get the TACACS+ work on SRX 11.4R7.5. However during my packet capture on SRX. I found the SRX sent authorzation request with service=junos-exec but ACS returns no value. that cause the SRX to use the "remote" as local-user-name and take the class setting for it.

On ACS, I found the "Group Mapping" policy matched to "Default Rule" and Authorization" policy matched the "Default Rule" as well.

Please help to provide me some document link about how to configure the Group Mapping and Authorization policy properly.

4 Accepted Solutions

Accepted Solutions

Jatin Katyal
Cisco Employee
Cisco Employee

You need to push the attributes in the policy elements > custom attributes same as done here:

https://supportforums.cisco.com/message/3417297#3417297

After that go to access-policies > default device admin > customize >  it will open a customize page in which you choose the types of condition use in the policy.

something like AD1:External group and Nas ip address and used it to match the authorization rule.

External group: in case you would like to check if user on AD should belong to this group.

NAS ip address: from where the tacacs request coming

Jatin Katyal
- Do rate helpful posts -

~Jatin

View solution in original post

Looking at your last reply it seems you're using internal database and you're trying to match the policy based on identity-group SRX-ADMIN:SRX-RO. Can you please edit the rule 1, you created for Juniper and attach the screen shot. Also what do you see in the tacacs authorization under monitoring and troubleshooting?

Jatin Katyal
- Do rate helpful posts -

~Jatin

View solution in original post

We dont need compund condition for this under rule based identity source unless you are doing something based on different databases.

Under default device admin > click on Identity > use simple identity policy > select internal > save.

Under default device admin > Go to authorization rule > create rule > select NDG only SRX  and select the shell policy you have created for Junos attribute under policy elements > save.

that's a simplest way to test.

try and let me know.

Jatin Katyal


- Do rate helpful posts -

~Jatin

View solution in original post

Hey thanks for sharing the config. I am working with someother community member who has correctly configured the authentication and it's till not working with tacacs credentials. SSH works fine with Tacacs. I will check again with him and may ping you if some other settings we need to check with you. Also, if this answered your question, please mark it resolved so that others can take benefit from this thread.

Jatin Katyal
- Do rate helpful posts -

~Jatin

View solution in original post

19 Replies 19

Joseph Chen
Level 1
Level 1

Following are the SRX pcap screenshot. Due to SRX did not received the local-user-name attribute, it uses the default "remote" account and applied with the class associated to user "remote". I need help on how to build the correct access policy for device admin authorization when ACS receive the "service=junos-exec" SRX sent, and reply with "local-user-name" according to the group.

Jatin Katyal
Cisco Employee
Cisco Employee

You need to push the attributes in the policy elements > custom attributes same as done here:

https://supportforums.cisco.com/message/3417297#3417297

After that go to access-policies > default device admin > customize >  it will open a customize page in which you choose the types of condition use in the policy.

something like AD1:External group and Nas ip address and used it to match the authorization rule.

External group: in case you would like to check if user on AD should belong to this group.

NAS ip address: from where the tacacs request coming

Jatin Katyal
- Do rate helpful posts -

~Jatin

Looking at your last reply it seems you're using internal database and you're trying to match the policy based on identity-group SRX-ADMIN:SRX-RO. Can you please edit the rule 1, you created for Juniper and attach the screen shot. Also what do you see in the tacacs authorization under monitoring and troubleshooting?

Jatin Katyal
- Do rate helpful posts -

~Jatin

Joseph Chen
Level 1
Level 1

Here is the Rule-1 screenshot.

Jatin,

Thank you for your help. Now I know how to configure it now.

Looks like you're able to access it via RO and RW user. Could you try one more test, can you also access J-WEB using the tacacs username and password? If in case you are able to access it, do let me know what settings you have for J-WEB on the juniper device.

Jatin Katyal
- Do rate helpful posts -

~Jatin

We dont need compund condition for this under rule based identity source unless you are doing something based on different databases.

Under default device admin > click on Identity > use simple identity policy > select internal > save.

Under default device admin > Go to authorization rule > create rule > select NDG only SRX  and select the shell policy you have created for Junos attribute under policy elements > save.

that's a simplest way to test.

try and let me know.

Jatin Katyal


- Do rate helpful posts -

~Jatin

Yes, I can login J-Web with my TACACS+ account chenj (JUNOS-RW) and chenjro (JUNOS-RO). Per- Juniper support, in order for J-Web to work with TACACS, the authentication-order must be [ tacplus passwd ]. However, I was able to login J-Web today with either "authentication-order tacplus" (TAC+ ONLY with local fallback) or "authentication-order [ tacplus password ]" (Check TAC+ first then if fail, check local password.). I will try it again next day.

Again, thank you for your help today.

==========

authentication-order [ tacplus password ];

root-authentication {

    encrypted-password /* SECRET-DATA */; ## SECRET-DATA

}

name-server {

    4.2.2.2;

    8.8.8.8;

}

tacplus-server {

    {

        port 49;

        secret /* SECRET-DATA */; ## SECRET-DATA

        single-connection;

    }

}

login {

    class RO-CLASS {

        permissions [ view view-configuration ];

    }

    class RW-CLASS {

        permissions all;

    }

    user JUNOS-RO {

        uid 2000;

        class RO-CLASS;

    }

    user JUNOS-RW {

        uid 2001;

        class RW-CLASS;

    }

    user locadmin {

        uid 2011;

        class super-user;

        authentication {

            encrypted-password /* SECRET-DATA */; ## SECRET-DATA

        }

    }

Hey thanks for sharing the config. I am working with someother community member who has correctly configured the authentication and it's till not working with tacacs credentials. SSH works fine with Tacacs. I will check again with him and may ping you if some other settings we need to check with you. Also, if this answered your question, please mark it resolved so that others can take benefit from this thread.

Jatin Katyal
- Do rate helpful posts -

~Jatin

After I did my lab test again from scratch. I believed I understand the whole process now and I can point out all problems that other people having when enabling TACACS+ account with Cisco ACS 5.2 servers.

Case 1: If Your ACS was not configured to response the TACACS+ authorization request with configured "local-user-name", depend on your SRX configuration, you may or may not ssh to the SRX and you defineatly cannot access J-Web. Why?

Scenario 1a: you have a local user "remote" defined on your SRX AND you configured "authentication-order tacplus". In this case, when you login as TACACS+ account "tac-user1", it will first authenticate with ACS as "tac-user1" and ACS will response authentication pass if correct password is provided,if SRX did not recvieve the "local-user-name" value from the TACACS+ authorization request, it uses the default "remote" user  as "local-user-name" for authorization. In this case, you are able to access SSH and J-Web with TACACS+ account.

Scenario 1b: you  don't have a local user "remote" defined on your SRX AND you configured "authentication-order tacplus". In this case, when you login as TACACS+ account "tac-user1", it will first authenticate with ACS as "tac-user1" and ACS will response authentication pass if correct password is provided, if SRX did not recvieve the "local-user-name" value from the TACACS+ authorization request, it uses the default "remote" user  as "local-user-name" for authorization. (p.s.  you can know this by SRX command "show cli authorization". refer to screenshot.) Due to there was NO "remote" user defined on SRX, the authorization was not granted. In this case, you are NOT able to access neither SSH nor J-Web with either TACACS+ or local account.

Scenario 1c: you don't have a local user "remote" defined on your SRX AND you configured "authentication-order [ tacplus password ]". in thise case, you are NOT able to access neither SSH nor J-Web with TACACS+ account. However, you are able to access SSH and J-Web with local account since the password is on the 2nd authentication-order.


Scenario 1d:  you have a local user "remote" defined on your SRX AND you configured "authentication-order [ tacplus password ]". in thise case, both TACACS+ and local account are able to access SSH and J-Web.

Case 2: If Your ACS was configured to response the TACACS+ authorization request properly (returned with "local-remote-user" value). It doesn't match, however, with  the SRX configured local user(s). In this case, the TACACS+ account with unknown "local-user-name" will NOT be able to access neither SSH nor J-Web even with authentication pass shown on ACS log.

After the explanation of what I found in my lab test. Following is how I configured the ACS 5.2 to get "TACACS+ authorization" work. I had experence on ACS 4.x but never configured ACS 5.2 in the past. Thanks to Cisco Jatin Katyal. He told me how to configure the Device Admin authorization on ACS 5.2.


1. Depends on you ACS authentication user database, you can configure the rule to authenticate the user with proper user database source such as local user, external Active Directory user, and so on. If you got the "authentication passed", that means your authentication policy was configured properly. In my case, I just use ACS local user database.

2. Since you may have users defined with certain groups for providing the "Role-Base Access Control (RBAC)" already. we will use those "Identity Group" for future policy condition. In my case, I created two groups, RW-Admin and RO-Admin under "All Groups".


Associate each user with the Identity Group. In my case, I created chenjro for RO-Admin group, chenjrw for RW-Admin group and chenj for default All Groups. So I can provide different authorization response for each user.

3. You may want to apply this authorization to only your SRX device. You can create a "Device Type" call "SRX" under "All Device Type".  then associate your SRX devices (under "Network Device Groups" - "Network Devices and AAA Clients" with this SRX device type. After this is done, You are able to use this SRX device type as a condition when you configuring the authorization policy later to associate with selected Shell Profile.


4. This is the KEY. You need to defind the "Device Administration" - "Shell Profiles" under the "Policy Element" - "Authorizarion and Permission". Create your own Shell profile for each "local-user-name" group.  "Remember to delete the default "space" in the value when you enter your own "local-user-name", select "Mandatory" on Requirement, the click "Add" to add the attribute. If you did not click "Add ^" before you click "Submit", the attribute will NOT be there. I learned that from my own mistake. If you need to change the attribute, click "Edit V" then modify your value. You MUST click the "Replace ^" to update the attribute before you click "Submit". Once you have done this "Shell Profile" for each of you "local-user-name" group. then we will configure the "Authorization policy" next.

5. Depends on your Access Services policy, configure the "Authorization" under your designated Service Policy, in our case, it is the "Default Device Admin" Access Services policy. Create your own policy condition according to your "Identity Group" setting and "Device Type" setting.  Create one rule for each "Identity Group" and associate it with the selected "Shell Profile" that will return the proper "local-user-name" value via TACACS+ authorization request.

6. On you SRX configuration, it is very simple. You just need to define each "local-user-name" value as a user on SRX with the associate class. Following are the configuration. The "remote" user was added as a catch all for any user account that did not associate with any defined "local-user-name" with a RO-CLASS access permission. You may delete it if you want only TACACS+ users with designated groups have access to SRX.
====================
version 11.4R7.5;
system {
    authentication-order [ tacplus password ];
    tacplus-server {
        192.168.14.49 {
            port 49;
            secret "xxxxxxxx"; ## SECRET-DATA
            single-connection;
        }
    }
    login {
        class RO-CLASS {
            permissions [ view view-configuration ];
        }
        class RW-CLASS {
            permissions all;
        }
        user JUNOS-RO {
            uid 2000;
            class RO-CLASS;
        }
        user JUNOS-RW {
            uid 2001;
            class RW-CLASS;
        }
        user localadmin {
            uid 2011;
            class super-user;
            authentication {
                encrypted-password "XXXXXX"; ## SECRET-DATA
            }
        }
  user remote {
            uid 6001;
            class RO-CLASS;
        }
    }
============================
Summary
I recommend you configure SRX with "authentication-order tacplus". This forces all authentication via TACACS+. The local shared account won't work unless the TACACS+ server is not reachable. Per Juniper KB24437, http://kb.juniper.net/InfoCenter/index?page=content&id=KB24437, it suggested you to add "password" in the authentication-order which is a work around from Juniper since most of SRX admins don't manage the ACS. You should provide this document to your ACS admin and ask them to configure ACS properly.

This link provide you extra help on other hardware, http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bf5512.shtml,  

Joseph,

I really apreciate that you took time, consolidated everything in a single post. I would request you if you put the same information in a form of document that can be easy to find and use. If you look at the top right side, there is a drop down called New. Click on that and select docment.

Once again thanks a lot for your efforts. I bet, this is going to help many in future.

Jatin Katyal

- Do rate helpful posts -

~Jatin

I uploaded the text file I created and shared with anyone. This is my first time on this forum, Hopefully I did it right. Please check if you can see the document "How to configure ACS 5.2 for SRX TACACS+ Authentication and RBAC.rtf" file.

I don't see in AAA section. Did you click on "publish" the document?

Can you share the link?

Jatin Katyal
- Do rate helpful posts -

~Jatin