Juniper SSG and Cisco ACS v5.x Configuration

I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma.  I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.

Configure the Juniper (CLI)

  1. Add the Cisco ACS and TACACS+ configuration

     set auth-server CiscoACSv5 id 1
     set auth-server CiscoACSv5 server-name
     set auth-server CiscoACSv5 account-type admin
     set auth-server CiscoACSv5 type tacacs
     set auth-server CiscoACSv5 tacacs secret CiscoACSv5
     set auth-server CiscoACSv5 tacacs port 49
     set admin auth server CiscoACSv5
     set admin auth remote primary
     set admin auth remote root
     set admin privilege get-external

Configure the Cisco ACS v5.x (GUI)
  1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
        Create the Juniper Shell Profile.
        Click the [Create] button at the bottom of the page
                Select the General tab
                        Name:    Juniper
                        Description:  Custom Attributes for Juniper SSG320M
                Select the Custom Attributes tab

                    Add the vsys attribute:
                        Attribute:                vsys
                        Requirement:       Mandatory
                        Value:                    root
                        Click the [Add^] button above the Attribute field

                    Add the privilege attribute:

                        Attribute:                privilege
                        Requirement:       Mandatory
                        Value:                    root

                                Note: you can also use 'read-write', but then local admin doesn't work correctly
                        Click the [Add^] button above the Attribute field
                Click the [Submit] button at the bottom of the page

2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
        Create the Juniper Authorization Policy and filter by Device IP Address.
        Click the [Customize] button at the bottom Right of the page
                Under Customize Conditions, select Device IP Address from the left window
                        Click the [>] button to add it
                Click the [OK] button to close the window

                Click the [Create] button at the bottom of the page to create a new rule
                        Under General, name the new rule Juniper, and ensure it is Enabled
                        Under Conditions, check the box next to Device IP Address
                                Enter the IP address of the Juniper (
                        Under Results, click the [Select] button next to the Shell Profile field
                                Select 'Juniper' and click the [OK] button
                        Under Results, click the [Select] button below the Command Sets (if used) field
                                Select 'Permit All' and ensure all other boxes are UNCHECKED
                        Click the [OK] button to close the window
                Click the [OK] button at the bottom of the page to close the window
                Check the box next to the Juniper policy, then move the policy to the top of the list
                Click the [Save Changes] button at the bottom of the page

3. Log in to the Juniper CLI and GUI, and attempt to change something to verify the privilege level.
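The vsys and privilege attributes configured in step 1 are what the ACS hands back to the SSG in its TACACS+ authorization REPLY. The Python below is an added example, not code from the original post or from Cisco/Juniper: it builds such a reply (RFC 8907 header and MD5 body obfuscation), parses it, and checks that both mandatory attributes the SSG expects are present. The session id and reply contents are constructed; the shared secret reuses the value from the CLI above.

```python
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC0          # version byte: major 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
AUTHOR_STATUS_PASS_ADD = 0x01      # server accepted and returned attributes
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained-MD5 pad from RFC 8907 section 4.5; XOR with it obfuscates a body, XOR again restores it."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))

def build_author_reply(session_id, key, seq_no, status, args, server_msg=b""):
    """Encode an authorization REPLY the way the ACS would send it (header + obfuscated body)."""
    avs = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(avs), len(server_msg), 0)
    body += bytes(len(a) for a in avs) + server_msg + b"".join(avs)
    hdr = HEADER.pack(TAC_PLUS_MAJOR_VER, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, TAC_PLUS_MAJOR_VER, seq_no)

def parse_author_reply(packet, key):
    """Decode a REPLY and return (status, server_msg, {attribute: (value, mandatory)})."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & 0x01:                      # TAC_PLUS_UNENCRYPTED_FLAG clear: body is obfuscated
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6 + arg_cnt
    server_msg = body[pos:pos + msg_len]
    pos += msg_len + data_len
    attrs = {}
    for n in body[6:6 + arg_cnt]:
        av = body[pos:pos + n].decode(); pos += n
        sep = next(i for i, ch in enumerate(av) if ch in "=*")   # '=' mandatory, '*' optional
        attrs[av[:sep]] = (av[sep + 1:], av[sep] == "=")
    return status, server_msg, attrs

def ssg_root_admin_granted(packet, key):
    """True only if the ACS passed authorization with the two mandatory attributes the SSG expects."""
    status, _, attrs = parse_author_reply(packet, key)
    want = {"vsys": ("root", True), "privilege": ("root", True)}   # step 1 shell profile, constructed here
    return status == AUTHOR_STATUS_PASS_ADD and all(attrs.get(k) == v for k, v in want.items())
```

A reply that carries privilege as an optional attribute (privilege*root) or as read-write fails the check, which mirrors the note in step 1.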
