Using Cisco ACS 5.2 (TACACS+) with non-Cisco equipment

Hi all,

I was hoping someone could help me with what might be a stupid question. I'm trying to implement a solution whereby an operator can centrally control all of their (non-Cisco) network nodes via TACACS+. The nodes involved are:

Juniper M120, M10i running Junos 9.2

Juniper M320 running Junos 8.5

Extreme BD8810 and BD8806 running XOS 12.4.1.17

Extreme Alpine 3804 running Extremeware 7.8.3.5

My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate using TACACS+ to these non-Cisco devices? Has anyone else done this, or will I have to use RADIUS? If anyone has done this, are there any interoperability problems with Cisco ACS and Junos or Extreme XOS? Thanks.

/John

Accepted Solution

dchamorro
Level 1

John,

We have a very large Juniper deployment (T-series, MX-series, etc). We use Cisco ACS and TACACS to manage these devices. The configuration on the ACS is fairly simple. You'll want to create login users and map them to classes on your JUNOS routers. Here is an example:

set system login user Engineering uid 2000
set system login user Engineering class Engineering-Class
set system login user NOC uid 2001
set system login user NOC class NOC-Class

set system login class Engineering-Class idle-timeout 15
set system login class Engineering-Class permissions all
set system login class NOC-Class idle-timeout 15
set system login class NOC-Class permissions view
set system login class NOC-Class permissions view-configuration

We use two classes, Engineering and NOC. The former is set as read-write and the latter read-only. This in turn is then mapped in ACS (in our case version 4.2) either via user or group (preferably). First you modify the interface configuration and add a TACACS+ service as junos-exec and leave the protocol field blank. Next you modify the group with the proper user attributes. I've attached screen shots for both to this thread.

Hopefully this helps.

Derek
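The router side that pairs with the ACS setup above, as an added example that is not from Derek's post or Juniper documentation: the TACACS+ server address and secret are placeholders, and the classes match the ones in the post. Junos logs in the TACACS+ user under the local template user named by the local-user-name attribute ACS returns in the junos-exec service, so Engineering and NOC here act as templates rather than accounts with their own passwords. The "remote" user is the fallback template Junos uses when the server returns no local-user-name.

```junos
set system tacplus-server 192.0.2.10 secret "REPLACE-WITH-SHARED-SECRET"
set system tacplus-server 192.0.2.10 timeout 5
set system tacplus-options service-name junos-exec
set system authentication-order [ tacplus password ]
set system login class Engineering-Class idle-timeout 15
set system login class Engineering-Class permissions all
set system login class NOC-Class idle-timeout 15
set system login class NOC-Class permissions [ view view-configuration ]
set system login user Engineering uid 2000 class Engineering-Class
set system login user NOC uid 2001 class NOC-Class
set system login user remote uid 2002 class NOC-Class
```

Keeping "password" after "tacplus" in authentication-order means a local account still works if the ACS server is unreachable; mapping the catch-all "remote" template to the read-only class limits what an authenticated user gets when ACS sends no class attribute.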


5 Replies

Federico Ziliotto
Cisco Employee

Hi John,

As long as the non-Cisco devices can "speak" TACACS+, this should definitely be possible.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

TACACS+ is a Cisco proprietary protocol, so I doubt any non-Cisco vendor can support it.

PK

You may actually need to verify with the non-Cisco vendor: TACACS+ being a Cisco proprietary protocol does not necessarily mean that other vendors are not complying with it.

Regards,

Fede


Hi all,

Thanks for your replies, in particular yours, Derek; very useful config information in there, and it's good to have it confirmed that it is deployed in the real world as well. Thanks again, everyone.

/John