05-24-2012 09:00 PM - edited 03-10-2019 07:07 PM
Hi All,
I have a newly installed ACS 5.2 appliance integrated with our AD, and it's working with Cisco products (switches, routers, etc.). Now I would like to include Juniper firewalls as well, to be authenticated via ACS 5.2 for either SSH or web access. Can someone share with me how to initiate this (policy creation)?
FYI: I have 2 AD groups, regionaladm and regionalops, with read/write and read access respectively.
regards,
Marlon
05-25-2012 06:35 AM
Marlon,
I have pasted in a config below that I did for our ScreenOS firewalls to work with Cisco ACS v5.2. This config may not work since yours is Junos, but it might get you closer to figuring it out. Also, if you haven't been on the Juniper J-Net to ask around there, give it a shot. (forums.juniper.net)
Good luck!
--Chris
Title: Configuration Example - Juniper SSG and Cisco ACS v5.x
Product: Juniper SSG320M (Cisco ACS v5.x)
Version: ScreenOS 6.3.0r10.0 (Cisco ACS v5.2.0.26.8)
Network Topology:
[Juniper SSG320M]-----[Cisco 3560 Switch]-----[Cisco ACS VM]
Description:
Purpose - Authenticate SSG administrators using TACACS+ instead of local logins
Description - This configuration is for Cisco ACS v5.x, JTAC only had the v3.3 configuration.
ACS v5.x is a Linux-based VM with a completely new user interface and structure.
Configuration:
Configure the Juniper (CLI)
1. Add the Cisco ACS and TACACS+ configuration
set auth-server CiscoACSv5 id 1
set auth-server CiscoACSv5 server-name 192.168.1.100
set auth-server CiscoACSv5 account-type admin
set auth-server CiscoACSv5 type tacacs
set auth-server CiscoACSv5 tacacs secret CiscoACSv5
set auth-server CiscoACSv5 tacacs port 49
set admin auth server CiscoACSv5
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
Configure the Cisco ACS v5.x (GUI)
1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
Create the Juniper Shell Profile.
Click the [Create] button at the bottom of the page
Select the General tab
Name: Juniper
Description: Custom Attributes for Juniper SSG320M
Select the Custom Attributes tab
Add the vsys attribute:
Attribute: vsys
Requirement: Mandatory
Value: root
Click the [Add^] button above the Attribute field
Add the privilege attribute:
Attribute: privilege
Requirement: Mandatory
Value: root
Note: you can also use 'read-write', but then local admin doesn't work correctly
Click the [Add^] button above the Attribute field
Click the [Submit] button at the bottom of the page
2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
Create the Juniper Authorization Policy and filter by Device IP Address.
Click the [Customize] button at the bottom right of the page
Under Customize Conditions, select Device IP Address from the left window
Click the [>] button to add it
Click the [OK] button to close the window
Click the [Create] button at the bottom of the page to create a new rule
Under General, name the new rule Juniper, and ensure it is Enabled
Under Conditions, check the box next to Device IP Address
Enter the IP address of the Juniper (192.168.1.100)
Under Results, click the [Select] button next to the Shell Profile field
Select 'Juniper' and click the [OK] button
Under Results, click the [Select] button below the Command Sets (if used) field
Select 'Permit All' and ensure all other boxes are UNCHECKED
Click the [OK] button to close the window
Click the [OK] button at the bottom of the page to close the window
Check the box next to the Juniper policy, then move the policy to the top of the list
Click the [Save Changes] button at the bottom of the page
Verification:
Log in to the Juniper CLI and GUI using an ACS Internal User account, and attempt to change something to verify the privilege level.
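What the ACS shell profile in Chris's post actually puts on the wire, as an added example that is not part of the original post and not Cisco or Juniper code: a small Python model of the TACACS+ (RFC 8907) authorization REPLY that carries the two custom attributes, vsys=root and privilege=root, from ACS to the firewall. It shows the per-packet MD5 pad that the shared secret feeds, the REPLY body layout, and what the "Mandatory" requirement means on the wire: a mandatory pair is sent as attr=value, an optional one as attr*value. The shared secret is the one from the post's set auth-server line (the post uses the server name as the secret and 192.168.1.100 for both the ACS server and the firewall, which only matter here as placeholders); the session id is constructed; the "read-only" privilege value and the way screenos_decision handles odd replies are assumptions of this example, not documented ScreenOS behaviour.

```python
# Added example: a minimal model of the TACACS+ (RFC 8907) authorization REPLY that
# carries the post's ACS shell-profile attributes (vsys=root, privilege=root) to a
# ScreenOS firewall. Not ScreenOS or ACS code; secret and session id are example values.
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0               # major version 0xc, minor 0
TAC_PLUS_AUTHOR = 0x02                # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, length
STATUS_PASS_ADD, STATUS_PASS_REPL, STATUS_FAIL = 0x01, 0x02, 0x10
# "root" and "read-write" are the values named in the post; "read-only" is an assumption
# for the read-only AD group in the question (check the ScreenOS reference before use).
KNOWN_PRIVILEGES = ("root", "read-write", "read-only")

def pseudo_pad(session_id, secret, version, seq_no, length):
    """RFC 8907 s.4.5: chained MD5(session_id, key, version, seq_no[, previous digest])."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + secret
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, secret, version, seq_no):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_author_reply(status, avpairs, server_msg=b"", data=b""):
    """REPLY body (s.6.2): status, arg_cnt, server_msg_len, data_len, one length
    byte per arg, then server_msg, data and the args themselves."""
    args = [a.encode("ascii") for a in avpairs]
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("at most 255 args of at most 255 bytes each")
    body = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return body + bytes(len(a) for a in args) + server_msg + data + b"".join(args)

def build_packet(body, session_id, secret, seq_no=2):
    """Prepend the header and obfuscate; the reply to the client's seq 1 carries seq 2."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, secret, TAC_PLUS_VERSION, seq_no)

def parse_author_reply(packet, secret):
    """Return (status, [arg, ...]); a wrong secret yields a body whose length fields
    no longer add up, reported as ValueError."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHOR or len(packet) != HEADER.size + length:
        raise ValueError("not a complete authorization packet")
    body = packet[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, secret, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    offset = 6 + arg_cnt + msg_len + data_len
    if len(arg_lens) != arg_cnt or offset + sum(arg_lens) != len(body):
        raise ValueError("length fields disagree with body size")
    args = []
    for n in arg_lens:
        args.append(body[offset:offset + n].decode("ascii"))
        offset += n
    return status, args

def parse_avpairs(args):
    """'attr=value' is mandatory, 'attr*value' optional (s.8.1); the first separator
    ends the name, so a value may itself contain '=' or '*'."""
    out = {}
    for a in args:
        seps = [i for i in (a.find("="), a.find("*")) if i >= 0]
        if not seps:
            raise ValueError(f"malformed AV pair: {a!r}")
        i = min(seps)
        out[a[:i]] = (a[i + 1:], a[i] == "=")
    return out

def screenos_decision(packet, secret, expected_vsys="root"):
    """Privilege the admin session gets under 'set admin privilege get-external', or None
    for a denial. Mapping every oddity (FAIL, undecodable body, missing or unknown
    attribute) to a denial is this example's policy, not documented ScreenOS behaviour."""
    try:
        status, args = parse_author_reply(packet, secret)
        av = parse_avpairs(args)
    except (ValueError, struct.error):
        return None
    if status not in (STATUS_PASS_ADD, STATUS_PASS_REPL):
        return None
    vsys, priv = av.get("vsys"), av.get("privilege")
    if not vsys or not priv or vsys[0] != expected_vsys or priv[0] not in KNOWN_PRIVILEGES:
        return None
    return priv[0]

# Example values: the secret is the one in the post's 'set auth-server' line; the session id is made up.
SECRET, SESSION_ID = b"CiscoACSv5", 0x5A17C0DE
GRANT = build_packet(build_author_reply(STATUS_PASS_ADD, ["vsys=root", "privilege=root"]),
                     SESSION_ID, SECRET)
DENY = build_packet(build_author_reply(STATUS_FAIL, [], server_msg=b"no matching rule"),
                    SESSION_ID, SECRET)

if __name__ == "__main__":
    print("grant:", screenos_decision(GRANT, SECRET))          # root
    print("deny:", screenos_decision(DENY, SECRET))            # None
    print("wrong secret:", screenos_decision(GRANT, b"typo"))  # None
```

Two things worth noticing when running it. First, an explicit FAIL from ACS and a reply that cannot be decoded (wrong shared secret on either side) both end up as a denial, and the firewall cannot tell them apart without the secret; this is why a mis-typed secret looks like "every login rejected" rather than an error. Second, any fallback to the local admin database, which the follow-up question in this thread asks about, should only fire when the server does not answer at all, never on a FAIL; otherwise a deny rule in ACS or a wrong secret quietly turns into a local-password login.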
05-25-2012 06:40 AM
Thanks!!! This is very helpful. How do I ensure that the Juniper will fall back to the local account once ACS is not available?
05-25-2012 07:43 AM
On my SSG, I have the following:
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
On the SSG webGUI, I go to Configuration > Admin > Administrators and there is a drop-down for "Admin Auth Server." I have "Local/CiscoACS" selected. I don't know if your firewall has the same sort of setting, but that's the best I can come up with.
I hope it helps!
--Chris