Tacacs+ Authentication on Juniper Screen OS using ACS 5.3
06-30-2013 05:48 AM - last edited on 03-10-2019 08:36 PM by NikolaIvanov
Tacacs Authentication and Authorization were passed on ACS5.3, but entering the username and password on the security device (Juniper SSG5) gives Access denied; attached is the Tacacs cfg.
set auth-server TACACS+ id 1
set auth-server TACACS+ server-name 10.10.xx.yy
set auth-server TACACS+ account-type admin
set auth-server TACACS+ type tacacs
set auth-server TACACS+ tacacs secret xxxx
set auth-server TACACS+ tacacs port 49
set admin auth server TACACS+
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
Please advise.
Labels: AAA
06-30-2013 06:06 AM
Could you please post a screenshot of the attributes you've defined under:
Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Edit the profile > custom attributes
Also, you may go through this:
https://supportforums.cisco.com/message/3954494#3954494
~BR
Jatin Katyal
**Do rate helpful posts**
06-30-2013 07:39 AM
07-01-2013 01:01 AM
Below is a screenshot of Authentication and Authorization on ACS:
07-02-2013 01:01 AM
Any updates, ideas...?
07-02-2013 02:16 AM
Since ACS shows passed authentication and authorization, we should now look at the packet capture to see the TACACS+ query and response to further investigate this issue. I worked with a CSC member a few weeks ago where we found that the Juniper, in the authorization QUERY, was only sending the Arg[0] value service=shell and didn't send the "cmd=" arg. This is a known issue with Juniper devices, so we ended up upgrading the device to WX OS 5.7.7 (WXC-3400). You may want to look at the same discussion: https://supportforums.cisco.com/thread/2215574
~BR
Jatin Katyal
**Do rate helpful posts**
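The reply above describes the diagnostic step at the heart of this thread: decode the captured TACACS+ exchange with the shared secret and inspect which args the NAS actually sent in its authorization request. The following is an added example for this thread, not Cisco's, Juniper's or any poster's code. It implements the RFC 8907 body obfuscation (chained MD5 over session id, secret, version and sequence number) and the authorization REQUEST body layout, so a captured packet can be decoded with the NAS shared secret and checked for a request that carries service=shell but no cmd argument. The key, session id, usernames and packets it builds are constructed for the demo; a real run would feed it the body bytes from the pcap.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0 (RFC 8907)
TAC_PLUS_AUTHOR = 0x02             # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in the clear
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5 keystream chained from the shared secret."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; the same call encodes and decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_author_request(user, port, rem_addr, args, priv_lvl=15) -> bytes:
    """Authorization REQUEST body (RFC 8907 section 6.1): method TACACS+, type ASCII, service login."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    body = bytes([0x06, priv_lvl, 0x01, 0x01, len(u), len(p), len(r), len(a)])
    body += bytes(len(x) for x in a)
    return body + u + p + r + b"".join(a)


def build_packet(body: bytes, session_id: int, key: bytes, seq_no=1) -> bytes:
    """Header plus obfuscated body, as it would appear on the wire."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, struct.pack("!I", session_id), key, TAC_PLUS_VERSION, seq_no)


def parse_author_request(body: bytes) -> dict:
    """Parse a cleartext authorization REQUEST body; ValueError when the layout does not fit."""
    if len(body) < 8:
        raise ValueError("body too short")
    method, priv, atype, svc, ulen, plen, rlen, argc = body[:8]
    off = 8
    arg_lens = list(body[off:off + argc])
    off += argc
    if len(arg_lens) != argc or off + ulen + plen + rlen + sum(arg_lens) != len(body):
        raise ValueError("field lengths do not add up (wrong shared secret?)")
    fields = []
    try:
        for n in (ulen, plen, rlen, *arg_lens):
            fields.append(body[off:off + n].decode("ascii"))
            off += n
    except UnicodeDecodeError as e:
        raise ValueError("non-ASCII field (wrong shared secret?)") from e
    return {"priv_lvl": priv, "user": fields[0], "port": fields[1],
            "rem_addr": fields[2], "args": fields[3:]}


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Validate the header, de-obfuscate the body with the shared secret, parse it."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    if len(packet) != 12 + length:
        raise ValueError("header length does not match the capture")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, struct.pack("!I", session_id), key, version, seq_no)
    return parse_author_request(body)


def args_to_dict(args) -> dict:
    """Split 'name=value' (mandatory) and 'name*value' (optional) AV pairs."""
    out = {}
    for arg in args:
        pos = min((i for i in (arg.find("="), arg.find("*")) if i >= 0), default=-1)
        if pos >= 0:
            out[arg[:pos]] = arg[pos + 1:]
    return out


def missing_cmd_arg(args) -> bool:
    """True for a shell authorization request that carries no cmd argument at all."""
    av = args_to_dict(args)
    return av.get("service") == "shell" and "cmd" not in av


def decodes_with_key(packet: bytes, key: bytes) -> bool:
    """Quick check that the secret in hand is the one the NAS used."""
    try:
        parse_packet(packet, key)
        return True
    except ValueError:
        return False


# Constructed demo values, not taken from the thread's capture.
KEY = b"example-shared-secret"
SESSION_ID = 0x1A2B3C4D
REQ_NO_CMD = build_packet(build_author_request("admin", "tty0", "10.10.1.1", ["service=shell"]), SESSION_ID, KEY)
REQ_WITH_CMD = build_packet(build_author_request("admin", "tty0", "10.10.1.1", ["service=shell", "cmd="]), SESSION_ID, KEY)

if __name__ == "__main__":
    for name, pkt in (("no cmd", REQ_NO_CMD), ("with cmd", REQ_WITH_CMD)):
        req = parse_packet(pkt, KEY)
        print(name, req["args"], "-> missing cmd arg:", missing_cmd_arg(req["args"]))
```

The length and ASCII checks in `parse_author_request` are what make a wrong secret visible: de-obfuscating with the wrong key yields bytes whose embedded field lengths almost never add up, which is why the thread keeps asking for the pcap together with the key. `missing_cmd_arg` reproduces the condition the reply describes, a request that announces `service=shell` without a `cmd` AV pair.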
07-02-2013 07:33 AM
I went through https://supportforums.cisco.com/thread/2215574, which is for WXC-3400 WAN optimization; the Juniper device I am using is an SSG5 firewall, Firmware Version 6.2.0r5.0, which supports T+. As per the link, should I upgrade the existing IOS, or is there a solution?
07-02-2013 07:49 AM
Can you first provide the packet capture b/w the Juniper and ACS (along with the tacacs+ key)?
~BR
Jatin Katyal
**Do rate helpful posts**
07-03-2013 07:45 AM
Please find below:
07-04-2013 04:13 AM
Any updates!!!
07-04-2013 04:21 AM
Could you please attach the pcap file with the tacacs shared secret key?
~BR
Jatin Katyal
**Do rate helpful posts**
07-04-2013 04:54 AM
Please find below:
07-04-2013 08:25 AM
We too, have Juniper firewalls running ScreenOS.
In our ACS Shell Profile, the Privilege value is set to "root" instead of "read-write", which seems to work for us.
Perhaps you can give that a try?
07-04-2013 12:30 PM
I tried the same, but it does not work; however, I upgraded the firewall firmware today to the latest version, and nothing changed. I would appreciate it if you shared your firewall + ACS configurations with me.
07-04-2013 01:12 PM
You can send me the packet capture file, the tacacs key that you have defined on Juniper and ACS, and the IP address in private.
~BR
Jatin Katyal
**Do rate helpful posts**
