01-11-2011 02:58 AM - edited 03-10-2019 05:42 PM
Hi all,
I was hoping someone could help me with what might be a stupid question. I'm trying to implement a solution whereby an operator can centrally control all of their (non-Cisco) network nodes via TACACS+. The nodes involved are:
Juniper M120, M10i running Junos 9.2
Juniper M320 running Junos 8.5
Extreme BD8810 and BD8806 running XOS 12.4.1.17
Extreme Alpine 3804 running Extremeware 7.8.3.5
My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate using TACACS+ to these non-Cisco devices? Has anyone else done this, or will I have to use RADIUS? If anyone has done this, are there any interoperability problems with Cisco ACS and Junos or Extreme XOS? Thanks.
/John
01-14-2011 10:20 AM
John,
We have a very large Juniper deployment (T-series, MX-series, etc). We use Cisco ACS and TACACS to manage these devices. The configuration on the ACS is fairly simple. You'll want to create login users and map them to classes on your JUNOS routers. Here is an example:
set system login user Engineering uid 2000
set system login user Engineering class Engineering-Class
set system login user NOC uid 2001
set system login user NOC class NOC-Class
set system login class Engineering-Class idle-timeout 15
set system login class Engineering-Class permissions all
set system login class NOC-Class idle-timeout 15
set system login class NOC-Class permissions view
set system login class NOC-Class permissions view-configuration
We use two classes, Engineering and NOC. The former is set as read-write and the latter as read-only. This in turn is then mapped in ACS (in our case version 4.2) either via user or (preferably) group. First you modify the interface configuration and add a TACACS+ service as junos-exec and leave the protocol field blank. Next you modify the group with the proper user attributes. I've attached screenshots for both to this thread.
Hopefully this helps.
Derek
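As an added example (not Derek's configuration and not Cisco or Juniper code), the Python below parses the set commands above and works out which Junos class a TACACS+ authorization reply from ACS would land a session on. It assumes ACS returns service=junos-exec together with a local-user-name attribute naming the template user; the reply values are constructed for the example.

```python
# Added example: model the template users and classes from the Junos
# config above, then resolve a TACACS+ authorization reply against them.
# Assumption: ACS's junos-exec service returns "local-user-name=<user>".

JUNOS_SET_COMMANDS = """
set system login user Engineering uid 2000
set system login user Engineering class Engineering-Class
set system login user NOC uid 2001
set system login user NOC class NOC-Class
set system login class Engineering-Class idle-timeout 15
set system login class Engineering-Class permissions all
set system login class NOC-Class idle-timeout 15
set system login class NOC-Class permissions view
set system login class NOC-Class permissions view-configuration
"""


def parse_login_config(text):
    """Return ({template user: class}, {class: set(permissions)})."""
    users, classes = {}, {}
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:3] == ["set", "system", "login"] and len(parts) >= 6:
            kind, name, key = parts[3], parts[4], parts[5]
            value = " ".join(parts[6:])
            if kind == "user" and key == "class":
                users[name] = value
            elif kind == "class" and key == "permissions":
                classes.setdefault(name, set()).add(value)
    return users, classes


def _split_avpair(pair):
    # TACACS+ uses '=' for mandatory and '*' for optional attributes.
    seps = [i for i in (pair.find("="), pair.find("*")) if i >= 0]
    if not seps:
        return pair, ""
    i = min(seps)
    return pair[:i], pair[i + 1:]


def resolve_authorization(avpairs, users, classes):
    """Map a TACACS+ authorization reply (list of AV pairs) to the Junos
    class and permissions the session gets; None when the reply does not
    name a template user defined on the router (review ACS attributes)."""
    attrs = dict(_split_avpair(p) for p in avpairs)
    if attrs.get("service") != "junos-exec":
        return None
    template = attrs.get("local-user-name")
    if template not in users:
        return None
    cls = users[template]
    return cls, sorted(classes.get(cls, ()))
```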
01-11-2011 03:01 AM
Hi John,
As long as the non-Cisco devices can "speak" TACACS+, this should definitely be possible.
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-11-2011 09:37 AM
TACACS+ is a Cisco proprietary protocol, so I doubt any non-Cisco vendor can support it.
PK
01-11-2011 09:54 AM
You may actually need to verify with the non-Cisco vendor: TACACS+ being a Cisco proprietary protocol might not necessarily mean that other vendors are not complying with it.
Regards,
Fede
01-17-2011 09:20 AM
Hi all,
Thanks for your replies, in particular yours, Derek: very useful config information in there, and it's good to have it confirmed that it is deployed in the real world as well. Thanks again, everyone.
/John