Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2190
Views
0
Helpful
0
Replies

Juniper SSG and Cisco ACS v5.x Configuration

spindoctor64
Level 1
Level 1

‎01-26-2012 09:46 AM - edited ‎03-12-2019 05:40 PM

I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma.  I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.

Configure the Juniper (CLI)

  1. Add the Cisco ACS and TACACS+ configuration

     set auth-server CiscoACSv5 id 1
     set auth-server CiscoACSv5 server-name 192.168.1.100
     set auth-server CiscoACSv5 account-type admin
     set auth-server CiscoACSv5 type tacacs
     set auth-server CiscoACSv5 tacacs secret CiscoACSv5
     set auth-server CiscoACSv5 tacacs port 49
     set admin auth server CiscoACSv5
     set admin auth remote primary
     set admin auth remote root
     set admin privilege get-external

Configure the Cisco ACS v5.x (GUI)
  1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
        Create the Juniper Shell Profile.
        Click the [Create] button at the bottom of the page
                Select the General tab
                        Name:    Juniper
                        Description:  Custom Attributes for Juniper SSG320M
                Select the Custom Attributes tab

                    Add the vsys attribute:
                        Attribute:                vsys
                        Requirement:       Manadatory
                        Value:                    root
                        Click the [Add^] button above the Attribute field

                    Add the privilege attribute:

                        Attribute:                privilege
                        Requirement:       Manadatory
                        Value:                    root

                                Note: you can also use 'read-write' but then local admin doesn't work correctly
                        Click the [Add^] button above the Attribute field
                Click the [Submit] button at the bottom of the page

2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
        Create the Juniper Authorization Policy and filter by Device IP Address.
        Click the [Customize] button at the bottom Right of the page
                Under Customize Conditions, select Device IP Address from the left window
                        Click the [>] button to add it
                Click the [OK] button to close the window

                Click the [Create] button at the bottom of the page to create a new rule
                        Under General, name the new rule Juniper, and ensure it is Enabled
                        Under Conditions, check the box next to Device IP Address
                                Enter the ip address of the Juniper (192.168.1.100)
                        Under Results, click the [Select] button next to the Shell Profile field
                                Select 'Juniper' and click the [OK] button
                        Under Results, click the [Select] button below the Command Sets (if used) field
                                Select 'Permit All' and ensure all other boxes are UNCHECKED
                        Click the [OK] button to close the window
                Click the [OK] button at the bottom of the page to close the window
                Check the box next to the Juniper policy, then move the policy to the top of the list
                Click the [Save Changes] button at the bottom of the page

3.  Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.

Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents