ACS 5.8: How to create shared shell profile for JUNOS and IOS

Nadav
Level 7

Hi everyone,

I've migrated ACS from 4.2 to 5.8.

For Cisco IOS devices I've had to add the default privilege attribute in order to authenticate via TACACS. For JUNOS I've had to use the custom local-user-name attribute to do so (the local-user-name had a list of allowed commands within the JUNOS configuration). These two worked fine together in ACS 4.2, where each user group had service shell (exec) and service junos-exec.

However, under ACS 5.8 I can't mix these two attributes, and service junos-exec is nowhere to be seen. I'm unsure if I need service junos-exec, but I didn't have to give command sets different treatments for Cisco and Juniper devices in ACS 4.2. I get the feeling that something is missing from ACS 5.8 in this regard.

The solution I've tried out so far is migrating from 4.2 to 5.8, adding device types for Cisco and Juniper in 5.8, exporting the network devices from 5.8, and importing them back with the correct device types after manually updating the devices file. After this I can create an authorization policy which picks the shell profile according to device type. This works fine, but it doubles the number of authorization policies.

Could this have been done differently so that I can send the attributes for both junos and cisco without causing authentication failures, or any other solution which involves less dirty work?

Thanks!

Accepted Solution

Jagdeep Gambhir
Level 10

Hod,

ACS 5 does not work at all like the old ACS. It needs a different profile for each vendor because the IOS Privilege Level attribute's requirement is marked as Mandatory.

see image:

Attribute type Mandatory means that the NAS has to process it, and in case the NAS does not understand that value it is bound to fail the attempt.

Attribute type Optional means the NAS is not forced to process the request.

So if we have a shell profile containing both JUNOS and IOS attributes (with the IOS requirement set to Mandatory and the JUNOS requirement set to Optional), the impact will be the following:

1) The IOS device will work fine since it understands priv=15 and will ignore the JUNOS attributes (since they are set to Optional).

2) The JUNOS device will fail the attempts since the IOS attribute is set to Mandatory.

So that is why we need to set up different profiles for different vendors. Setting up profiles is a one-time job since this is something we don't alter every day.

Regards,

~JG

Do rate helpful post.
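The Mandatory/Optional behaviour described in the accepted answer can be walked through in code. The Python model below is an added example; it is not code from this thread, from Cisco ACS, or from Juniper. It encodes reply attributes the way RFC 8907 does (a mandatory pair uses `=` as separator, an optional pair uses `*`) and then plays a NAS that accepts only the attribute names it knows. The two NAS capability sets, the attribute values (`priv-lvl=15`, `local-user-name*netops-ro`), the profile contents and the `select_profile` helper are constructed assumptions for the model: real devices recognise more attributes than listed, and the model checks only whether the attribute name is understood, not its value.

```python
"""Model of how a TACACS+ NAS handles Mandatory vs Optional reply attributes.

Added example, not from the Cisco Community thread. Attribute encoding
follows RFC 8907 ("attr=value" mandatory, "attr*value" optional). The NAS
capability sets, attribute values and profiles are constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Avp:
    """One attribute-value pair in an authorization reply."""
    name: str
    value: str
    mandatory: bool

    def encode(self) -> str:
        # RFC 8907: the separator character carries the mandatory flag.
        sep = "=" if self.mandatory else "*"
        return f"{self.name}{sep}{self.value}"


def parse_avp(text: str) -> Avp:
    """Split a wire-format pair; the first '=' or '*' is the separator."""
    for i, ch in enumerate(text):
        if ch in "=*":
            return Avp(text[:i], text[i + 1:], ch == "=")
    raise ValueError(f"not an attribute-value pair: {text!r}")


# Constructed capability sets: which reply attributes each platform acts on.
# (Assumption for the model; real devices accept more than this.)
NAS_UNDERSTANDS = {
    "ios": {"priv-lvl", "autocmd", "idletime"},
    "junos": {"local-user-name", "allow-commands", "deny-commands"},
}


def nas_process(nas_type: str, reply_avps: list[str]) -> tuple[bool, dict, list[str]]:
    """Apply a reply to a NAS. Returns (authorized, applied attrs, reasons).

    Implements the rule from the answer: an unknown Mandatory attribute
    fails the whole authorization; an unknown Optional one is ignored.
    """
    known = NAS_UNDERSTANDS[nas_type]
    applied: dict[str, str] = {}
    reasons: list[str] = []
    authorized = True
    for raw in reply_avps:
        avp = parse_avp(raw)
        if avp.name in known:
            applied[avp.name] = avp.value
        elif avp.mandatory:
            authorized = False
            reasons.append(f"mandatory attribute {avp.name!r} not understood")
        else:
            reasons.append(f"ignored optional attribute {avp.name!r}")
    return authorized, applied, reasons


# Constructed profiles. COMBINED_PROFILE is the "one shared profile" idea
# from the question; the other two are the per-vendor profiles the answer
# recommends.
COMBINED_PROFILE = [
    Avp("priv-lvl", "15", mandatory=True).encode(),              # priv-lvl=15
    Avp("local-user-name", "netops-ro", mandatory=False).encode(),  # local-user-name*netops-ro
]
IOS_PROFILE = ["priv-lvl=15"]
JUNOS_PROFILE = ["local-user-name=netops-ro"]


def select_profile(device_type: str) -> list[str]:
    """The per-device-type authorization rule (hypothetical helper)."""
    return {"ios": IOS_PROFILE, "junos": JUNOS_PROFILE}[device_type]


if __name__ == "__main__":
    for nas in ("ios", "junos"):
        ok, applied, reasons = nas_process(nas, COMBINED_PROFILE)
        print(f"shared profile on {nas}: authorized={ok} applied={applied} {reasons}")
        ok, applied, reasons = nas_process(nas, select_profile(nas))
        print(f"per-vendor profile on {nas}: authorized={ok} applied={applied}")
```

Running it shows the asymmetry the answer describes: the shared profile authorizes on the IOS model (the optional `local-user-name` is simply ignored) but fails on the JUNOS model because `priv-lvl` is mandatory and unknown there, while the per-vendor profiles authorize on both. The point worth noticing is that the mandatory flag is part of the wire format, so no NAS-side setting can relax it; the server has to send a profile each device type can fully accept.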
