08-06-2012 11:05 PM - edited 03-10-2019 07:23 PM
Hi All,
I have ACS 5.2 and JUNOS 10.6.x. I set up 2 classes, eng-class and ops-class, with read/write and read-only permissions.
Here is my configuration on JUNOS:
set system login class eng-class idle-timeout 15
set system login class eng-class permissions all
set system login user engineer full-name "Regional-Engineering"
set system login user engineer uid 2001
set system login user engineer class eng-class
set system login user engineer authentication plain-text-password xxxxxxx
set system login class ops-class idle-timeout 15
set system login class ops-class permissions [ view view-configuration ]
set system login user operator full-name "Regional-Operations"
set system login user operator uid 2002
set system login user operator class ops-class
set system login user operator authentication plain-text-password xxxxxxx
set system authentication-order tacplus password
set system tacplus-options no-cmd-attribute-value
set system tacplus-server xxxx.xxx.xxx.xxx secret xxxxxxxx
set system tacplus-server xxx.xxx.xxx.xxx timeout 5
set system tacplus-server xxx.xxx.xxx.xxx source-address xxx.xxx.xxx.
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus server xxx.xxx.xxx.xxx secret xxxxxxx
set system accounting destination tacplus server xxxx.xxx.xxx.xxx timeout 5
ACS 5.2
shell profile
junos-eng
attribute=local-user-name
value=engineer
junos-ops
attribute=local-user-name
value=operator
I have 2 separate Authorization policies for engineer and operator group.
Result,
1. The engineering group is working fine.
2. The operator group is not working; I'm unable to log in to the device under this group ("authentication failed"), but on the ACS logs it is successfully authenticated.
3. Web authentication is also not working for both groups.
Any advice?
rgds,
Marlon
thanks.
Solved! Go to Solution.
08-31-2012 11:18 PM
Marlon,
Did you try sending back the class attribute itself instead of sending back the role attribute? I tried to look around for any TACACS examples from the Juniper side and I do not see anything that appears with an attribute named "value"; I do see a few references for the class attribute.
Here looks to be a set of attributes you can use in the junos 10.0 guide for remote authentication:
Can you make the changes and see if this works:
junos-eng
attribute=local-user-name
class=eng-class
junos-ops
attribute=local-user-name
class=ops-class
ALSO...can you see if you can map them straight into the permissions on the ACS side:
Thanks,
Tarik Admani
*Please rate helpful posts*
09-03-2012 12:26 AM
Based on reading the article it looks like you will have to set the permissions as the attribute and the list of commands as the value...Try the following "permissions=access" and see if the following holds true...
access
Can view the access configuration in configuration mode using the show configuration operational mode command.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-12-2012 08:05 PM
Hi,
Hope anyone can help me about this problem.
Thanks.
08-29-2012 08:46 AM
Anybody?
Sent from Cisco Technical Support iPad App
08-29-2012 11:17 PM
Marlon,
On your shell profile can you delete all the attributes and try to re-enter them in, I have seen in the past that if there is a leading
thanks,
Tarik Admani
*Please rate helpful posts*
08-30-2012 06:47 PM
Hi Tarik Admani,
Thanks for the advice, I have tried this as well and it is still not working.
Thanks,
Marlon
08-30-2012 07:53 PM
Marlon,
I tried to find some information on configuring TACACS for JUNOS 10.6 but didn't find anything. Do you have a link to the documentation?
Did you create a local role engineer, and operator locally?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-31-2012 10:58 PM
Hi,
Yes it is local account.
Sent from Cisco Technical Support iPad App
09-02-2012 07:50 PM
Thanks,
I would like to try the "remote template" and do the restriction in the ACS. Do you know how I will be able to do it for allow commands and deny commands?
Sent from Cisco Technical Support iPad App
09-04-2012 08:13 AM
Thanks Tarik Admani,
Here is what I did.
-----using one template for all----
set system login class super-user-local idle-timeout 15
set system login class super-user-local permissions all
set system login user remote full-name "Remote Users"
set system login user remote class super-user-local
in ACS
shell profile for engineering
junos-admin
attribute=local-user-name
mandatory
value=remote
shell profile for ops
junos-ops
attribute=local-user-name
mandatory
value=remote
attribute=deny-commands
mandatory
value=configure
(list down also the other commands, such as set, each as a separate attribute, i.e.)
attribute=deny-commands
mandatory
value=set
attribute=allow-commands
mandatory
value=ping, etc.
Then on my access policy I have a different authorization for each group of users, which matches on my AD groups.
Thanks Tarik!!
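A consistency check for the two-sided setup discussed in this thread (the per-user classes of the first post and the single template-user configuration above): an added Python example, not code from the thread, from Juniper or from Cisco. It parses Junos `set system login` lines and ACS shell-profile attribute pairs and reports mismatches of the kind that can leave the TACACS+ server accepting a login while the device rejects it: a local-user-name that names no local user, a login class whose name is misspelled on one line so the class the user is actually assigned to ends up with no permissions statement, or a class that is defined but never assigned. All configuration text, profile names and the misspelled class name in it are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample (not the poster's exact config): a Junos template-user
# setup in the style of the thread. The class name on the "permissions all"
# line is deliberately misspelled so the checker has something to report.
JUNOS_CONFIG = """
set system login class super-user-local idle-timeout 15
set system login class lsuper-user-local permissions all
set system login user remote full-name "Remote Users"
set system login user remote class super-user-local
set system authentication-order tacplus password
"""

# The same sample with the class name corrected on every line.
FIXED_CONFIG = JUNOS_CONFIG.replace("lsuper-user-local", "super-user-local")

# Constructed sample: ACS shell profiles as ordered (attribute, value) pairs.
# Repeated attributes (several deny-commands) are kept as separate pairs.
ACS_PROFILES = {
    "junos-admin": [("local-user-name", "remote")],
    "junos-ops": [
        ("local-user-name", "remote"),
        ("deny-commands", "configure"),
        ("deny-commands", "set"),
        ("allow-commands", "ping"),
    ],
    # Hypothetical profile whose template name exists on no device.
    "junos-typo": [("local-user-name", "operatr")],
}

# "set system login class <name> <statement> [value]"
CLASS_RE = re.compile(r"^set system login class (\S+) (\S+)(?: (.*))?$")
# "set system login user <name> <statement> [value]"
USER_RE = re.compile(r"^set system login user (\S+) (\S+)(?: (.*))?$")


def parse_login_config(text):
    """Return (classes, users) from Junos 'set system login ...' lines.

    classes: {class_name: {statement: value}}
    users:   {user_name: class_name or None}
    Lines outside 'system login' are ignored.
    """
    classes = defaultdict(dict)
    users = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            name, stmt, value = m.groups()
            classes[name][stmt] = value
            continue
        m = USER_RE.match(line)
        if m:
            name, stmt, value = m.groups()
            users.setdefault(name, None)
            if stmt == "class":
                users[name] = value
    return dict(classes), users


def check_profiles(config_text, profiles):
    """Cross-check ACS shell-profile attributes against the device's local users.

    Returns a list of human-readable findings; an empty list means consistent.
    """
    classes, users = parse_login_config(config_text)
    findings = []
    # Every local user must point at a class that really exists.
    for user, cls in users.items():
        if cls is None:
            findings.append(f"user {user}: no login class assigned")
        elif cls not in classes:
            findings.append(f"user {user}: login class {cls} is not defined")
    # A class nobody uses is usually a misspelling of one somebody does use,
    # and the class actually in use may then be missing its permissions.
    assigned = {cls for cls in users.values() if cls}
    for cls, stmts in classes.items():
        if cls not in assigned:
            findings.append(f"class {cls}: defined but assigned to no user (typo?)")
        elif "permissions" not in stmts:
            findings.append(f"class {cls}: assigned to a user but has no permissions statement")
    # Every profile must hand back a local-user-name that exists on the device.
    for profile, attrs in profiles.items():
        names = [v for a, v in attrs if a == "local-user-name"]
        if not names:
            findings.append(f"profile {profile}: no local-user-name attribute")
        for n in names:
            if n not in users:
                findings.append(f"profile {profile}: local-user-name {n} matches no local user")
    return findings


if __name__ == "__main__":
    for f in check_profiles(JUNOS_CONFIG, ACS_PROFILES):
        print("FINDING:", f)
    print("fixed config:", check_profiles(FIXED_CONFIG, ACS_PROFILES))
```

Run against the constructed sample it reports three findings (the assigned class without permissions, the misspelled class that nobody uses, and the profile whose template user does not exist); against `FIXED_CONFIG` only the hypothetical `junos-typo` profile is left. The check is deliberately offline: it reads the `show configuration | display set` output you already have and the attribute pairs you typed into ACS, so it can be run before committing on the device or before the first test login.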
09-04-2012 06:25 PM
Hi,
One thing though is that for my web GUI login the TACACS doesn't work; only local accounts are able to log in on my web GUI.
Any advice?
thanks
marlon
09-04-2012 09:07 PM
Do you see the authentication being sent to acs?
Sent from Cisco Technical Support iPad App
09-05-2012 05:38 AM
Actually that is a good question; no, I don't see anything.
marlon
09-05-2012 08:25 AM
Hi,
Will this document provide any assistance:
Thanks,
Tarik Admani
*Please rate helpful posts*