Beginner

Juniper JWEB Authentication via TACACS to ACS 5.1

Hi,

Having an issue with authenticating Juniper J Series and SRX devices with ACS 5.1

The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page.

Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authenticate phase passing, but it does not progress onto the Authorisation phase. There is nothing of interest in the ACS logs (even with the debugging levels turned right up). The same Access service is in use for both the CLI and GUI (JWEB).

Using ACS 4.1, both CLI and JWEB authentication works.

There is a relevant post on the Juniper forum.

http://forums.juniper.net/t5/Ethernet-Switching/EX4200-and-tacacs-authentication-JWEB-interface-do-not-work-with/m-p/29753

I'm thinking the issue is with ACS 5.0 / 5.1 and it may be not liking the response from the Juniper (even though it should be the same mechanism).

Any thoughts?

Thanks,

Bruce

Cisco Employee

Hi Bruce:

Could you please ensure that we have the below listed attributes defined on ACS 5.x:

vsys        mandatory   root
Privilege   mandatory   root

Where:

vsys and Privilege are the attributes,
mandatory is the requirement,
root is the value.

You can check this under:

Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Edit the profile > Custom Attributes.


HTH

JK


Plz rate helpful posts-


~Jatin
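The reply above hinges on whether ACS actually returns these attributes as mandatory in its TACACS+ authorization REPLY, which is what a packet capture would show. The following is an added example, not code from the thread or from Cisco or Juniper: it decodes the REPLY body as laid out in RFC 8907 (section 6.2), splits each argument into attribute, value and the mandatory ('=') versus optional ('*') flag, and reports which of the thread's three attributes are missing or only optional. It assumes the body has already been de-obfuscated with the shared secret (for instance by a dissector given the key); the sample reply is constructed here.

```python
import struct

# Authorization REPLY status codes (RFC 8907, section 6.2).
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}

def parse_avpair(arg):
    """Split one argument at its first '=' (mandatory) or '*' (optional)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError(f"malformed attribute-value pair: {arg!r}")

def parse_author_reply(body):
    """Decode a de-obfuscated authorization REPLY body: status(1) arg_cnt(1)
    server_msg_len(2) data_len(2), arg length bytes, server_msg, data, args."""
    if len(body) < 6:
        raise ValueError("body shorter than the fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = body[off:off + arg_cnt]
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument length table")
    off += arg_cnt
    server_msg = body[off:off + msg_len].decode("utf-8", "replace")
    off += msg_len + data_len  # skip server_msg and the (unused) data field
    attrs = {}
    for n in arg_lens:
        name, value, mandatory = parse_avpair(body[off:off + n].decode("ascii"))
        attrs[name] = (value, mandatory)
        off += n
    if off != len(body):
        raise ValueError("length fields do not match body size")
    return {"status": AUTHOR_STATUS.get(status, f"UNKNOWN({status:#04x})"),
            "server_msg": server_msg, "attrs": attrs}

def build_author_reply(status, args, server_msg=b""):
    """Encode a REPLY body; used here only to construct the sample below."""
    raw = [a.encode("ascii") for a in args]
    head = struct.pack("!BBHH", status, len(raw), len(server_msg), 0)
    return head + bytes(len(a) for a in raw) + server_msg + b"".join(raw)

def missing_mandatory(reply, required):
    """Names in `required` that are absent or only sent as optional ('*')."""
    return [n for n in required
            if n not in reply["attrs"] or not reply["attrs"][n][1]]

# Constructed sample: the thread's attributes, with privilege sent optional ('*').
SAMPLE = build_author_reply(0x01, ["local-user-name=readwrite", "vsys=root", "privilege*root"])
REQUIRED = ("local-user-name", "vsys", "privilege")
```

Running `missing_mandatory(parse_author_reply(SAMPLE), REQUIRED)` on the sample returns `['privilege']`, showing an attribute the device would be free to ignore; a reply whose body length fields disagree with the captured size raises `ValueError` rather than silently yielding partial attributes.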

Hi jkatyal,

Thanks for the suggestion.

I added the attributes to the shell profile but was still unable to login via the JWEB interface.

The attribute originally entered, local-user-name, is what enables the CLI login to work; this maps the authenticated (via ACS) user to the Juniper-defined local user, readwrite.

Any further ideas much appreciated.

Bruce

shell profile attributes.jpg


Hi

Did this ever get resolved? I have practically the same question up on another post.

Thanks

Simon


I know, Simon.

Bruce: Any thoughts?

Jatin Katyal
- Do rate helpful posts -

~Jatin

Bruce,

I know it's really too late. However, I'm posting a link for you in case you wish to go through it.

https://supportforums.cisco.com/message/3954494#3954494

Jatin Katyal
- Do rate helpful posts -

~Jatin