I am trying to do authentication for a Juniper SRX 210 FW with Cisco ACS 5.1 TACACS+ but I am unable to achieve it.
Can anyone help me with how to add the Junos service in ACS 5.1, and how to integrate the Juniper SRX 210 in Cisco ACS 5.1?
You don't need to add a Junos service in ACS 5.x; this was only required in the days of ACS 4.x.
For the rest, it should be documented by Juniper. If you have the list of attributes that they require, then we can help.
Thanks for your reply. I have gone through all the KBs at Juniper but am unable to find the attributes required for the Juniper SRX 210 which need to be configured in ACS 5.1. Can you help me find those attributes?
No, since I don't have any experience with that Juniper product.
Maybe someone else in this forum has ...
But it's still normally up to Juniper to mention this in their doc :-)
As Nicolas said, you really need to know what attributes the Juniper SRX is using. It also depends on what you're looking for; for example, "password authentication" is very different from "command authorization". I answered a similar question here: https://supportforums.cisco.com/thread/2111466
You don't need to enable any new service. ACS is capable of serving any TACACS (or RADIUS) device as long as you tell ACS which TACACS (or RADIUS) attributes are needed for that device.
This is an example in which I have configured ACS 5.x with an attribute called "local-user-name", which JunOS routers use for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
If you don't know the attributes, you can capture the packets and troubleshoot from the Juniper CLI and from the "ACS View" side. That's how I found out the "local-user-name" attribute.
Please rate if it helps. Kind regards
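The answer above suggests capturing packets to discover which attributes ACS is actually handing back. A TACACS+ body on the wire is obfuscated with an MD5 pseudo-pad keyed on the shared secret, so a plain packet capture does not show the AV-pairs in clear text. The following is an added example, not code from the thread or from Cisco/Juniper: it builds a constructed ACS-to-SRX authorization REPLY carrying `local-user-name=remote` (plus `allow-commands=.*` as a second, hypothetical attribute), obfuscates it the way RFC 8907 section 4.5 describes, and then decodes it the way a practitioner would decode a captured reply. The shared secret, session id and attribute values are all made up for the example.

```python
"""Decode a TACACS+ authorization REPLY and list the AV-pairs it carries.

Added example (not from the original thread). It constructs an ACS->NAS
authorization reply, applies the RFC 8907 4.5 MD5 pseudo-pad obfuscation
with a shared secret, then parses it back. Key, session id and attribute
values below are constructed for the example.
"""
import hashlib
import struct

# version, type, seq_no, flags, session_id, length  (12-byte TACACS+ header)
HDR = struct.Struct(">BBBBII")
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5(session_id + key + version + seq_no [+ prev hash]), chained."""
    seed = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; calling it again decodes (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Authorization REPLY body: status, arg_cnt, server_msg_len, data_len, arg_lens, msg, data, args."""
    body = struct.pack(">BBHH", status, len(args), len(server_msg), len(data))
    return body + bytes(len(a) for a in args) + server_msg + data + b"".join(args)


def build_packet(body, session_id, key, seq_no, version=0xC0, ptype=TAC_PLUS_AUTHOR):
    """Prepend the header and obfuscate the body (flags=0 means 'encrypted')."""
    hdr = HDR.pack(version, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, seq_no)


def parse_author_reply(raw, key):
    """Return (status_name, server_msg, {attr: value}) for a raw authorization REPLY."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack_from(raw)
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = raw[HDR.size:HDR.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack_from(">BBHH", body)
    if status not in AUTHOR_STATUS:
        # A wrong shared secret yields a random status byte: the usual symptom of a key mismatch.
        raise ValueError("unknown status 0x%02x: wrong shared secret?" % status)
    off = 6
    arg_lens = body[off:off + arg_cnt]
    off += arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len + data_len
    attrs = {}
    for n in arg_lens:
        arg = body[off:off + n].decode()
        off += n
        # TACACS+ AV-pairs use '=' for mandatory and '*' for optional attributes.
        sep = "=" if "=" in arg else ("*" if "*" in arg else None)
        name, value = arg.split(sep, 1) if sep else (arg, "")
        attrs[name] = value
    if off != len(body):
        raise ValueError("body length mismatch: truncated capture or wrong shared secret?")
    return AUTHOR_STATUS[status], server_msg.decode(), attrs


# Constructed sample: what ACS would return once the shell profile carries local-user-name.
KEY = b"acs-shared-secret"      # constructed; must equal the 'secret' on the SRX tacplus-server line
SESSION = 0x1A2B3C4D            # constructed session id
REPLY_ARGS = [b"local-user-name=remote", b"allow-commands=.*"]   # second attr is hypothetical
SAMPLE_PACKET = build_packet(build_author_reply(0x01, REPLY_ARGS), SESSION, KEY, seq_no=2)

if __name__ == "__main__":
    status, msg, attrs = parse_author_reply(SAMPLE_PACKET, KEY)
    print(status, attrs)
```

To apply this to a real capture, feed `parse_author_reply` the TCP payload of the server's reply (the even-numbered `seq_no` packet on port 49) together with the device's shared secret; the returned dictionary is exactly the attribute list the SRX will act on, so if `local-user-name` is missing there, the problem is in the ACS shell profile rather than on the SRX.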
Thanks for your reply. We have to use ACS 5.1 users only for authentication on the Juniper SRX 210.
So will the attribute which you have mentioned above fulfill the requirement, or do we need to add any more attributes for the Juniper SRX 210 in Cisco ACS 5.1?
This one works for accessing Juniper via SSH, but how about if you want to manage it via HTTPS or the web GUI? For my setup it's not working: logging in to the Web GUI with a TACACS account doesn't work, only the local account can log in.
Can you advise on any additional configuration needed?
I am posting some commands which may be of some interest for you.
Have a look at them and then decide your course of action.
##### TACACS+ config on the Juniper SRX 210 #####
# Try TACACS+ first, then fall back to the local password database if no server answers
set system authentication-order tacplus
set system authentication-order password
# Shared secret must match the one configured for this device on the ACS server
set system tacplus-server tac-serv-ip secret "key" /* secret key configured on the server */
# Source all TACACS+ traffic from a fixed address (the one the device is registered under in ACS)
set system tacplus-server tac-serv-ip source-address "source-interface-ip-on-srx"
# Accounting: send login, configuration-change and command events to the TACACS+ server
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus
# Template user: remote users for whom the server returns no local-user-name are mapped to "remote"
set system login user remote full-name "Tacacs+ template for remote access"
set system login user remote class super-user
##### Do create fallback user(s) locally on the SRX for events when the TACACS+ server isn't accessible #####
Thanks and Regards
*Rate helpful posts*
I know this is an old post, but I've been struggling with this recently and now I've got it cracked. Here's how to set it up.