Setting up ACS 5.2 TACACS Authentication with JUNOS fwl with 2 class user type.

Marlon Malinao
Level 1

Hi All,

I have ACS 5.2 and JUNOS 10.6.x. I set up 2 classes, eng-class and ops-class, with read/write and read-only permissions.

Here is my configuration on JUNOS:

set system login class eng-class idle-timeout 15
set system login class eng-class permissions all
set system login user engineer full-name "Regional-Engineering"
set system login user engineer uid 2001
set system login user engineer class eng-class
set system login user engineer authentication plain-text-password xxxxxxx
set system login class ops-class idle-timeout 15
set system login class ops-class permissions [ view view-configuration ]
set system login user operator full-name "Regional-Operations"
set system login user operator uid 2002
set system login user operator class ops-class
set system login user operator authentication plain-text-password xxxxxxx
set system authentication-order tacplus password
set system tacplus-options no-cmd-attribute-value
set system tacplus-server xxxx.xxx.xxx.xxx secret xxxxxxxx
set system tacplus-server xxx.xxx.xxx.xxx timeout 5
set system tacplus-server xxx.xxx.xxx.xxx source-address xxx.xxx.xxx.
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus server xxx.xxx.xxx.xxx secret xxxxxxx
set system accounting destination tacplus server xxxx.xxx.xxx.xxx timeout 5

ACS 5.2

shell profile

junos-eng
attribute=local-user-name
value=engineer

junos-ops
attribute=local-user-name
value=operator

I have 2 separate Authorization policies for engineer and operator group.

Result,

1. The engineering group is working fine.

2. The operator group is not working: I am unable to log in to the device under this group ("authentication failed"), but in the ACS logs it is successfully authenticated.

3. Web authentication is also not working for both groups.

Any advice?

rgds,

Marlon

thanks.


14 Replies

Marlon Malinao
Level 1

Hi,

I hope anyone can help me with this problem.

Thanks.

Anybody?


Marlon,

On your shell profile, can you delete all the attributes and try to re-enter them? I have seen in the past that if there is a leading it will still be sent in the TACACS response but will not be present if you revisit the shell profile. Give that a shot and let me know if that helps.

thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik Admani,

Thanks for the advice. I have tried this as well and it is still not working.

Thanks,

Marlon

Marlon,

I tried to find some information on configuring TACACS for JUNOS 10.6 but didn't find anything. Do you have a link to the documentation?

Did you create the roles engineer and operator locally?

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

Yes, it is a local account.


Marlon,

Did you try sending back the class attribute itself instead of sending back the role attribute? I tried to look around for any TACACS examples from the Juniper side and I do not see anything that appears with an attribute named "value"; I do see a few references for the class attribute.

Here is what looks to be a set of attributes you can use, in the JUNOS 10.0 guide for remote authentication:

http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-system-basics/authentication-user-remote-template-account-configuring.html

Can you make the changes and see if this works:

junos-eng
attribute=local-user-name
class=eng-class

junos-ops
attribute=local-user-name
class=ops-class

ALSO... can you see if you can map them straight into the permissions on the ACS side:

http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-system-basics/access-privileges-levels-overview.html#id-permbit

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks,

I would like to try the "remote template" and do the restriction in the ACS. Do you know how I will be able to do it for allow-commands and deny-commands?


Based on reading the article, it looks like you will have to set the permissions as the attribute and the list of commands as the value... Try the following, "permissions=access", and see if the following holds true:

access: Can view the access configuration in configuration mode using the show configuration operational mode command.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik Admani,

Here is what I did.

-----using one template for all----

set system login class super-user-local idle-timeout 15
set system login class super-user-local permissions all
set system login user remote full-name "Remote Users"
set system login user remote class super-user-local

in ACS

shell profile for engineering

junos-admin
attribute=local-user-name
mandatory
value=remote

shell profile for ops

junos-ops
attribute=local-user-name
mandatory
value=remote

attribute=deny-commands
mandatory
value=configure

Also list the other commands, such as set, in a separate attribute, i.e.:

attribute=deny-commands
mandatory
value=set

attribute=allow-commands
mandatory
value=ping, etc.

Then in my access policy I have a different authorization for each group of users, which matches on my AD groups.

Thanks Tarik!!
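As an added example (not code from this thread, Cisco ACS or Juniper), the Python below encodes and decodes the TACACS+ authorization REPLY body that carries shell-profile attributes like the ones above, with the ACS Mandatory/Optional setting mapped to the "=" / "*" separators of RFC 8907, and then resolves which local template account, class and permissions the `set system login` configuration would apply to that reply. The fallback to the `remote` account when local-user-name is absent follows the Juniper remote-template guide linked earlier in the thread; returning None for an unknown account name is an assumption made here.

```python
import re
import struct

# TACACS+ authorization REPLY status (RFC 8907, section 6.2)
AUTHOR_PASS_ADD = 0x01

def encode_author_reply(status, args, server_msg=b"", data=b""):
    """Encode an authorization REPLY body; args = [(attr, value, mandatory)].
    Mandatory args use the '=' separator, optional ones '*' (RFC 8907 8.2):
    this is what an ACS shell profile's Mandatory/Optional setting becomes."""
    enc = []
    for attr, value, mandatory in args:
        if "=" in attr or "*" in attr:
            raise ValueError("attribute name may not contain '=' or '*'")
        enc.append((attr + ("=" if mandatory else "*") + value).encode())
    hdr = struct.pack("!BBHH", status, len(enc), len(server_msg), len(data))
    return hdr + bytes(len(a) for a in enc) + server_msg + data + b"".join(enc)

def decode_author_reply(body):
    """Inverse of encode_author_reply: (status, [(attr, value, mandatory)])."""
    status, cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens, pos, args = body[6:6 + cnt], 6 + cnt + msg_len + data_len, []
    for n in lens:
        m = re.match(r"([^=*]+)([=*])(.*)", body[pos:pos + n].decode(), re.S)
        args.append((m.group(1), m.group(3), m.group(2) == "="))
        pos += n
    return status, args

def parse_junos_login(config):
    """Map 'set system login ...' lines to {user: class} and {class: [perms]}."""
    users, classes = {}, {}
    for line in config.splitlines():
        m = re.match(r"set system login user (\S+) class (\S+)", line)
        if m:
            users[m[1]] = m[2]
        m = re.match(r"set system login class (\S+) permissions (?:\[ (.*) \]|(\S+))", line)
        if m:
            classes[m[1]] = (m[2] or m[3]).split()
    return users, classes

def resolve_session(args, users, classes):
    """Template account, class, permissions and deny-commands the device applies.
    Without local-user-name Junos uses the 'remote' template account (Juniper
    remote-template guide); returning None for an unknown name is an assumption."""
    attrs = {a: v for a, v, _ in args}
    user = attrs.get("local-user-name", "remote")
    if user not in users:
        return None
    deny = [v for a, v, _ in args if a == "deny-commands"]
    return user, users[user], classes.get(users[user], []), deny
```

Decoding a captured reply this way shows exactly which attributes reached the device and whether they were flagged mandatory, which is the first thing to compare against the ACS log when the server reports success but the device says "authentication failed".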

Hi,

One thing, though: for my web GUI login the TACACS doesn't work. Only local accounts are able to log in on my web GUI.

Any advice?

thanks

marlon

Do you see the authentication being sent to ACS?


Actually, that is a good question. No, I don't see anything.

marlon
