Cisco ACS 5.1 Tacacs with Juniper Srx 210

03-14-2012 11:14 AM - edited 03-10-2019 06:54 PM
Hi all,
I am trying to do authentication for a Juniper SRX 210 FW with Cisco ACS 5.1 TACACS, but I am unable to achieve it.
Can anyone help me with how to add the Junos service in ACS 5.1? How do I integrate the Juniper SRX 210 with Cisco ACS 5.1?
Labels: AAA
03-15-2012 12:54 AM
You don't need to add a Junos service in ACS 5.x; this was only required in the days of ACS 4.x.
For the rest, it should be documented by Juniper. If you have the list of attributes that they require, then we can help.
Nico
03-19-2012 07:38 AM
Hi Nicolas,
Thanks for your reply. I have gone through all the KBs at Juniper but am unable to find the attributes required for the Juniper SRX 210 which need to be configured in ACS 5.1. Can you help me find those attributes?
Thanks,
Pranav
03-19-2012 10:11 AM
No, since I don't have any experience with that Juniper product.
Maybe someone else in this forum has...
But it's still normally up to Juniper to mention this in their docs :-)
03-19-2012 02:20 PM
Hello Pranav,
As Nicolas said, you really need to know what attributes the Juniper SRX is using. It also depends on what you're looking for; for example, "password authentication" is very different from "command authorization". I answered a similar question here: https://supportforums.cisco.com/thread/2111466
You don't need to enable any new service. ACS is capable of serving any TACACS (or RADIUS) device as long as you tell ACS which TACACS (or RADIUS) attributes are needed for that device.
This is an example in which I have configured ACS 5.x with an attribute called "local-user-name", which the JunOS router uses for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
If you don't know the attributes, you can capture the packets and troubleshoot from the Juniper CLI and from the "ACS View" side. That's how I found out the "local-user-name" attribute.
Please rate if it helps. Kind regards
03-19-2012 09:27 PM
Hello eduardoaliaga,
Thanks for your reply. We have to use ACS 5.1 users only for authentication on the Juniper SRX 210.
So will the attribute you mentioned above fulfil the requirement, or do we need to add any more attributes for the Juniper SRX 210 in Cisco ACS 5.1?
Pranav
09-20-2012 07:00 AM
Hi,
This one works when accessing the Juniper via SSH, but how about if you want to manage it via HTTPS or the web GUI? For my setup it's not working: logging in to the web GUI with a TACACS account doesn't work, only the local account can log in.
Can you advise any additional configuration needed?
marlon
09-21-2012 12:48 AM
Hi Pranav,
I am posting some commands which may be of some interest for you.
Have a look at them and then decide your course of action.
#####TACACS config at Juniper SRX 210####
set system authentication-order tacplus
set system authentication-order password
set system tacplus-server tac-serv-ip secret "key" /* secret key configured on the server*/
set system tacplus-server tac-serv-ip source-address "source-interface-ip-on-srx"
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus
set system login user remote full-name "Tacacs+ template for remote access"
set system login user remote class super-user
### Do create fallback user(s) locally on the SRX for events when the TACACS server isn't accessible ###
Thanx and Regards
Anim Saxena
*Rate helpful posts*
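Eduardo's suggestion above was to capture packets to see which attributes ACS actually sends; the following is an added Python example (not code from the thread or from Cisco/Juniper) that decodes a TACACS+ authorization REPLY, de-obfuscates the body with the shared secret, and lists the attribute-value pairs such as local-user-name. It assumes the shared secret is "key" as in the SRX config above; the sample packet is constructed inline, not a real capture.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) constants: authorization packet type, header flag, reply status codes.
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}

def tacacs_pad(session_id, key, version, seq_no, length):
    """Body pseudo-pad: chained MD5 over session id, shared secret, version and seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def parse_author_reply(packet, key):
    """Decode an authorization REPLY: header, de-obfuscation, then the attribute-value pairs."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if ptype != TAC_PLUS_AUTHOR or len(body) != length:
        raise ValueError("not a complete authorization packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        pad = tacacs_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ p for b, p in zip(body, pad))
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len  # skip server_msg and data
    attrs = {}
    for n in arg_lens:
        arg, pos = body[pos:pos + n].decode(), pos + n
        # '=' marks a mandatory attribute, '*' an optional one
        sep = min((i for i, c in enumerate(arg) if c in "=*"), default=len(arg))
        attrs[arg[:sep]] = (arg[sep + 1:], arg[sep:sep + 1] == "=")
    return {"status": AUTHOR_STATUS.get(status, hex(status)), "attrs": attrs}

def build_author_reply(session_id, seq_no, key, status, args):
    """Build an obfuscated REPLY; used here only to construct the sample capture below."""
    encoded = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(encoded), 0, 0) + bytes(map(len, encoded)) + b"".join(encoded)
    version = 0xC0  # major version 0xC, minor version 0
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))

# Constructed sample: an ACS shell profile returning local-user-name=remote, obfuscated with
# the shared secret "key" from the post above; the optional attribute only exercises '*'.
SAMPLE_KEY = b"key"
SAMPLE_REPLY = build_author_reply(0x1A2B3C4D, 2, SAMPLE_KEY, 0x01, ["local-user-name=remote", "priv-lvl*15"])
```

On a real capture, feed the TCP payload of the server's reply (port 49) to parse_author_reply with the SRX's configured secret; a wrong secret yields garbage rather than an error, which is itself a useful check that the key on both sides matches.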
03-01-2015 01:33 AM
I know this is an old post, but I've been struggling with this recently and now I've got it cracked. Here's how to set it up.
JunOS - Using TACACS+ With Cisco ACS
Pete
