cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
5104
Views
0
Helpful
29
Replies

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Not applicable

Tacacs  Authentication and Authorization were passed on ACS5.3, but Entering username and password in the security device (Juniper SSG5) gives Access denied, attached is Tacacs cfg.

set auth-server TACACS+ id 1

set auth-server TACACS+ server-name 10.10.xx.yy

set auth-server TACACS+ account-type admin

set auth-server TACACS+ type tacacs

set auth-server TACACS+ tacacs secret xxxx

set auth-server TACACS+ tacacs port 49

set admin auth server TACACS+

set admin auth remote primary

set admin auth remote root

set admin privilege get-external set auth-server TACACS+ id 1
set auth-server TACACS+ server-name 10.10.xx.yy
set auth-server TACACS+ account-type admin
set auth-server TACACS+ type tacacs
set auth-server TACACS+ tacacs secret xxxx
set auth-server TACACS+ tacacs port 49
set admin auth server TACACS+
set admin auth remote primary
set admin auth remote root
set admin privilege get-external

Please Advice

29 Replies 29

Paket capture is already attached, I am using the same key in ACS and the firewall, the firewall IP:10.10.218.17 ACS IP: 10.10.36.37

I guess you have posted a screen shot. I am looking forward to have the file that can be downloaded for analysis.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

There is no option to attched .pcap file, so I try to post the screen shot.

When you hit reply next time, you'll see an option "advanced editor" click on that, at bottom you will then see an option to browse and attach file.          

~BR

Jatin Katyal

**Do rate helpful posts**

~Jatin

Please find attached pcap file.

Tacacs shared secret key?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Tacacs shared secret key is bsfkey9

where did you exactly take the captures? I don't see any packets destined to ACS. You may span the switch port where juniper firewall is connected.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

I connected remotely to the Juniper firewall, get captured using Wireshark software from my office PC.

Not applicable

Is this way to capture the packets is right or not please advice.

No, you need to apply span on the switch port  where Juniper firewall interface is connected on switch to capture traffic unless there is an inbuilt feature in juniper to take tcpdump.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

We can also take captures from the ACS however that needs root access to linux bash shell. The one take from ACS CLI doesn't provide much info.

In case this issue is urgent and you need quick fix, I'd suggest a TAC case else we can troubleshoot here.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

  I have root access for the ACS, i can captures from the ACS even this way doesn't provide much info.but it can lead to a solution, please send me the steps to use this capture.

Not applicable

When I try to configure monitor session command on C6509 sitch I got error message: % local session limit has been exceeded. How to resolve this?

You can have max. of 2 SPAN sessions per Cisco device.

You'll need to remove one of the existing sessions to set up a new one.

Here's our ScreenOS config:

set auth-server "Local" id 0

set auth-server "Local" server-name "Local"

set auth-server "ā€œtacacs1_2ā€" id 1

set auth-server "ā€œtacacs1_2ā€" server-name "172.19.x.y"

set auth-server "ā€œtacacs1_2ā€" account-type admin

set auth-server "ā€œtacacs1_2ā€" timeout 0

set auth-server "ā€œtacacs1_2ā€" fail-over revert-interval 1

set auth-server "ā€œtacacs1_2ā€" type tacacs

set auth-server "ā€œtacacs1_2ā€" tacacs secret "removed"

set auth-server "ā€œtacacs1_2ā€" tacacs port 49

set auth default auth server "Local"

set auth radius accounting port 1646

set admin name "removed"

set admin password "removed"

set admin access lock-on-failure 30

set admin auth web timeout 10

set admin auth server "ā€œtacacs1_2ā€"

set admin auth banner telnet login "*** ACCESS IS RESTRICTED TO AUTHORIZED EDMC PERSONNEL ONLY ***"

set admin auth banner console login "*** ACCESS IS RESTRICTED TO AUTHORIZED EDMC PERSONNEL ONLY ***"

set admin auth remote root

set admin privilege get-external

set admin format dos

=============================

Not  sure how to share our ACS config...but under Policy Elements >  Authorization and Permissions > Device Administration > Shell  Profiles >, we have all the "Common Tasks" set to "not in use", and  "Custom Attributes" are set to:

vsys, mandatory, root

privilege, mandatory, root