Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5072
Views
0
Helpful
29
Replies

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Not applicable

‎06-30-2013 05:48 AM - last edited on ‎03-10-2019 08:36 PM by

Tacacs  Authentication and Authorization were passed on ACS5.3, but Entering username and password in the security device (Juniper SSG5) gives Access denied, attached is Tacacs cfg.

set auth-server TACACS+ id 1

set auth-server TACACS+ server-name 10.10.xx.yy

set auth-server TACACS+ account-type admin

set auth-server TACACS+ type tacacs

set auth-server TACACS+ tacacs secret xxxx

set auth-server TACACS+ tacacs port 49

set admin auth server TACACS+

set admin auth remote primary

set admin auth remote root

set admin privilege get-external set auth-server TACACS+ id 1
set auth-server TACACS+ server-name 10.10.xx.yy
set auth-server TACACS+ account-type admin
set auth-server TACACS+ type tacacs
set auth-server TACACS+ tacacs secret xxxx
set auth-server TACACS+ tacacs port 49
set admin auth server TACACS+
set admin auth remote primary
set admin auth remote root
set admin privilege get-external

Please Advice

Labels:
0 Helpful
29 Replies 29

Not applicable
In response to Jatin Katyal

‎07-04-2013 01:24 PM

Paket capture is already attached, I am using the same key in ACS and the firewall, the firewall IP:10.10.218.17 ACS IP: 10.10.36.37

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to

‎07-04-2013 01:28 PM

I guess you have posted a screen shot. I am looking forward to have the file that can be downloaded for analysis.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful

Not applicable
In response to Jatin Katyal

‎07-04-2013 01:34 PM

There is no option to attched .pcap file, so I try to post the screen shot.

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to

‎07-04-2013 01:40 PM

When you hit reply next time, you'll see an option "advanced editor" click on that, at bottom you will then see an option to browse and attach file.          

~BR

Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful

Not applicable
In response to Jatin Katyal

‎07-06-2013 10:53 PM

Please find attached pcap file.

15363632-SSG5ACS53.pcap.zip
0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to

‎07-06-2013 11:54 PM

Tacacs shared secret key?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful

Not applicable
In response to Jatin Katyal

‎07-07-2013 12:19 AM

Tacacs shared secret key is bsfkey9

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to

‎07-07-2013 07:03 AM

where did you exactly take the captures? I don't see any packets destined to ACS. You may span the switch port where juniper firewall is connected.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful

Not applicable
In response to Jatin Katyal

‎07-07-2013 07:42 AM

I connected remotely to the Juniper firewall, get captured using Wireshark software from my office PC.

0 Helpful

Not applicable
In response to

‎07-07-2013 10:56 PM

Is this way to capture the packets is right or not please advice.

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to

‎07-07-2013 11:06 PM

No, you need to apply span on the switch port  where Juniper firewall interface is connected on switch to capture traffic unless there is an inbuilt feature in juniper to take tcpdump.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

We can also take captures from the ACS however that needs root access to linux bash shell. The one take from ACS CLI doesn't provide much info.

In case this issue is urgent and you need quick fix, I'd suggest a TAC case else we can troubleshoot here.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful

Not applicable
In response to Jatin Katyal

‎07-08-2013 05:30 AM

  I have root access for the ACS, i can captures from the ACS even this way doesn't provide much info.but it can lead to a solution, please send me the steps to use this capture.

0 Helpful

Not applicable
In response to

‎07-08-2013 07:45 AM

When I try to configure monitor session command on C6509 sitch I got error message: % local session limit has been exceeded. How to resolve this?

0 Helpful

huangedmc
Level 3
Level 3
In response to

‎07-08-2013 09:48 AM

You can have max. of 2 SPAN sessions per Cisco device.

You'll need to remove one of the existing sessions to set up a new one.

0 Helpful

huangedmc
Level 3
Level 3
In response to

‎07-08-2013 09:45 AM

Here's our ScreenOS config:

set auth-server "Local" id 0

set auth-server "Local" server-name "Local"

set auth-server "“tacacs1_2”" id 1

set auth-server "“tacacs1_2”" server-name "172.19.x.y"

set auth-server "“tacacs1_2”" account-type admin

set auth-server "“tacacs1_2”" timeout 0

set auth-server "“tacacs1_2”" fail-over revert-interval 1

set auth-server "“tacacs1_2”" type tacacs

set auth-server "“tacacs1_2”" tacacs secret "removed"

set auth-server "“tacacs1_2”" tacacs port 49

set auth default auth server "Local"

set auth radius accounting port 1646

set admin name "removed"

set admin password "removed"

set admin access lock-on-failure 30

set admin auth web timeout 10

set admin auth server "“tacacs1_2”"

set admin auth banner telnet login "*** ACCESS IS RESTRICTED TO AUTHORIZED EDMC PERSONNEL ONLY ***"

set admin auth banner console login "*** ACCESS IS RESTRICTED TO AUTHORIZED EDMC PERSONNEL ONLY ***"

set admin auth remote root

set admin privilege get-external

set admin format dos

=============================

Not  sure how to share our ACS config...but under Policy Elements >  Authorization and Permissions > Device Administration > Shell  Profiles >, we have all the "Common Tasks" set to "not in use", and  "Custom Attributes" are set to:

vsys, mandatory, root

privilege, mandatory, root

0 Helpful
Customers Also Viewed These Support Documents