06-30-2013 05:48 AM - last edited on 03-10-2019 08:36 PM by NikolaIvanov
TACACS+ authentication and authorization were passed on ACS 5.3, but entering the username and password on the security device (Juniper SSG5) gives Access denied. Attached is the TACACS+ cfg:
set auth-server TACACS+ id 1
set auth-server TACACS+ server-name 10.10.xx.yy
set auth-server TACACS+ account-type admin
set auth-server TACACS+ type tacacs
set auth-server TACACS+ tacacs secret xxxx
set auth-server TACACS+ tacacs port 49
set admin auth server TACACS+
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
Please advise.
07-04-2013 01:24 PM
The packet capture is already attached. I am using the same key on the ACS and the firewall. Firewall IP: 10.10.218.17, ACS IP: 10.10.36.37.
07-04-2013 01:28 PM
I guess you have posted a screenshot. I am looking forward to having a file that can be downloaded for analysis.
~BR
Jatin Katyal
**Do rate helpful posts**
07-04-2013 01:34 PM
There is no option to attach a .pcap file, so I tried to post a screenshot.
07-04-2013 01:40 PM
When you hit reply next time, you'll see an option "advanced editor"; click on that, and at the bottom you will see an option to browse and attach a file.
~BR
Jatin Katyal
**Do rate helpful posts**
07-06-2013 10:53 PM
07-06-2013 11:54 PM
TACACS+ shared secret key?
~BR
Jatin Katyal
**Do rate helpful posts**
07-07-2013 12:19 AM
The TACACS+ shared secret key is bsfkey9
07-07-2013 07:03 AM
Where exactly did you take the captures? I don't see any packets destined to the ACS. You may SPAN the switch port where the Juniper firewall is connected.
~BR
Jatin Katyal
**Do rate helpful posts**
07-07-2013 07:42 AM
I connected remotely to the Juniper firewall and took the capture with Wireshark from my office PC.
07-07-2013 10:56 PM
Is this the right way to capture the packets? Please advise.
07-07-2013 11:06 PM
No, you need to apply a SPAN on the switch port where the Juniper firewall interface is connected in order to capture the traffic, unless there is a built-in feature in Juniper to take a tcpdump.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
We can also take captures from the ACS; however, that needs root access to the Linux bash shell. The one taken from the ACS CLI doesn't provide much info.
In case this issue is urgent and you need a quick fix, I'd suggest a TAC case; else we can troubleshoot here.
~BR
Jatin Katyal
**Do rate helpful posts**
07-08-2013 05:30 AM
I have root access on the ACS, so I can capture from the ACS even if this way doesn't provide much info, but it can lead to a solution. Please send me the steps to take this capture.
07-08-2013 07:45 AM
When I try to configure the monitor session command on a C6509 switch I get the error message: % local session limit has been exceeded. How do I resolve this?
07-08-2013 09:48 AM
You can have a maximum of 2 SPAN sessions per Cisco device.
You'll need to remove one of the existing sessions to set up a new one.
07-08-2013 09:45 AM
Here's our ScreenOS config:
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "tacacs1_2" id 1
set auth-server "tacacs1_2" server-name "172.19.x.y"
set auth-server "tacacs1_2" account-type admin
set auth-server "tacacs1_2" timeout 0
set auth-server "tacacs1_2" fail-over revert-interval 1
set auth-server "tacacs1_2" type tacacs
set auth-server "tacacs1_2" tacacs secret "removed"
set auth-server "tacacs1_2" tacacs port 49
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "removed"
set admin password "removed"
set admin access lock-on-failure 30
set admin auth web timeout 10
set admin auth server "tacacs1_2"
set admin auth banner telnet login "*** ACCESS IS RESTRICTED TO AUTHORIZED EDMC PERSONNEL ONLY ***"
set admin auth banner console login "*** ACCESS IS RESTRICTED TO AUTHORIZED EDMC PERSONNEL ONLY ***"
set admin auth remote root
set admin privilege get-external
set admin format dos
=============================
Not sure how to share our ACS config, but under Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles we have all the "Common Tasks" set to "Not in Use", and the "Custom Attributes" are set to:
vsys, mandatory, root
privilege, mandatory, root
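Once a capture of TCP/49 between the firewall and the ACS exists (SPAN on the switch port, or tcpdump on the ACS as discussed earlier in the thread), the next question is what the ACS actually answered. The script below is an added example written for this thread, not code from the original posts, from ScreenOS or from ACS. It implements the TACACS+ body obfuscation from RFC 8907 (an MD5 pseudo-pad over session_id, shared secret, version and seq_no, XORed with the body) to decode an authorization REPLY, lists the AV pairs it carries so you can confirm that vsys=root and privilege=root from the shell profile above really go out as mandatory "=" pairs rather than optional "*" pairs, and checks that the decoded length fields are consistent, because a mismatched shared secret produces a body that decodes to noise whose lengths do not add up. The secret, session id and reply bytes are constructed placeholders; on a real capture you would feed it the TCP payload of the reply packet.

```python
"""Decode a TACACS+ authorization REPLY with the shared secret (RFC 8907 obfuscation).

Added example for this thread; not code from the original posts, ScreenOS or ACS.
The secret, session id and sample reply below are constructed for illustration.
"""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02              # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in the clear
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length

AUTHOR_STATUS = {
    0x01: "PASS_ADD",   # device keeps its own args and adds the server's
    0x02: "PASS_REPL",  # server's args replace the device's
    0x10: "FAIL",       # what the firewall shows as "Access denied"
    0x11: "ERROR",
    0x21: "FOLLOW",
}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id, key, version, seq_no); pad_n = MD5(..., pad_{n-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(header: bytes, body: bytes, key: bytes) -> bytes:
    """XOR the body with the pseudo-pad; the same call undoes it."""
    version, _ptype, seq_no, flags, session_id, _length = HEADER.unpack(header)
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(session_id: int, seq_no: int, key: bytes, status: int,
                       args: list, server_msg: bytes = b"") -> bytes:
    """Build the reply a server would send; used here only to construct sample input."""
    arg_bytes = [a.encode("ascii") for a in args]
    body = (struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), 0)
            + bytes(len(a) for a in arg_bytes) + server_msg + b"".join(arg_bytes))
    header = HEADER.pack(0xC0, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(header, body, key)


def parse_author_reply(packet: bytes, key: bytes) -> dict:
    """Decode an authorization REPLY. Raises ValueError when the decoded length
    fields are inconsistent, which is what a wrong shared secret looks like."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    header, body = packet[:HEADER.size], packet[HEADER.size:]
    _version, ptype, _seq, _flags, _sid, length = HEADER.unpack(header)
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    if length != len(body):
        raise ValueError("header length does not match body")
    plain = obfuscate(header, body, key)
    if len(plain) < 6:
        raise ValueError("body too short")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", plain[:6])
    off = 6 + arg_cnt
    if off > len(plain):
        raise ValueError("garbled body: arg_cnt too large (wrong shared secret?)")
    arg_lens = list(plain[6:off])
    if off + msg_len + data_len + sum(arg_lens) != len(plain):
        raise ValueError("garbled body: lengths do not add up (wrong shared secret?)")
    server_msg = plain[off:off + msg_len]
    off += msg_len + data_len       # skip server_msg and administrative data
    args = []
    for n in arg_lens:
        args.append(plain[off:off + n].decode("ascii", "replace"))
        off += n
    return {"status": AUTHOR_STATUS.get(status, hex(status)),
            "server_msg": server_msg.decode("ascii", "replace"),
            "args": args}


def attribute_map(args: list) -> dict:
    """Split AV pairs on the first separator: '=' is mandatory, '*' is optional."""
    out = {}
    for a in args:
        for i, c in enumerate(a):
            if c in "=*":
                out[a[:i]] = (a[i + 1:], "mandatory" if c == "=" else "optional")
                break
    return out


# Constructed sample: secret and session id are placeholders, the attributes are
# the two custom attributes from the shell profile discussed in the thread.
SECRET = b"example-shared-secret"
SAMPLE_REPLY = build_author_reply(0x1A2B3C4D, 2, SECRET, 0x01, ["vsys=root", "privilege=root"])

if __name__ == "__main__":
    decoded = parse_author_reply(SAMPLE_REPLY, SECRET)
    print(decoded["status"], attribute_map(decoded["args"]))
    try:
        parse_author_reply(SAMPLE_REPLY, b"wrong-secret")
    except ValueError as exc:
        print("with the wrong secret:", exc)
```

A FAIL status in the decoded reply means the ACS itself rejected the authorization, while a PASS with the two mandatory pairs present shifts the question to how ScreenOS interprets them; a "lengths do not add up" error on every packet points at the shared secret. Wireshark can perform the same decode once the shared secret is entered in its TACACS+ protocol preferences, so the script is mainly useful for checking pairs from a scripted pcap walk or from a tcpdump taken on the ACS.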