
Configure Juniper Networks permissions in Tacacs?

kkeen
Level 1

Hi Guys

I have my SecureACS working well with Cisco devices, and have just completed a basic tacacs setup that works on my Juniper routers.

I want to use the groups already defined in ACS to deploy permit/deny commands for the Juniper routers - how is this done within Secure ACS for Windows?

I can see how it's done in unix:

To specify these attributes, include a service statement in the TACACS+ server configuration file of the following form:

service = junos-exec {
    local-user-name = <username-local-to-router>
    allow-commands = "<allow-commands-regexp>"
    deny-commands = "<deny-commands-regexp>"
}

Any ideas? Thank you guys

3 Replies

b.hsu
Level 5

In addition to supporting a set of predefined RADIUS vendors and vendor-specific attributes (VSAs), CiscoSecure ACS supports RADIUS vendors and VSAs that you define. Cisco Secure ACS also supports up to 10 RADIUS VSAs that you define. You can use the -addUDV option to add up to ten custom RADIUS vendors and VSA sets to CiscoSecure ACS. Each RADIUS vendor and VSA set is added to one of ten possible user-defined RADIUS vendor slots.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/ad.htm#984536

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080102179.html#625676

I am not using RADIUS, I am using TACACS - the links only provide information on RADIUS

knowosad
Level 1

We have done some tests of ACS with Juniper.

In "Interface configuration", add a new service junos-exec without any protocol, set user and groups (whichever you prefer), and you can see the new service in the user/group configuration.

Mark junos-exec as active, mark Custom attributes and enter e.g.:

local-user-name=users1
allow-commands=(show version)|(show configuration)

It should work. :)
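
A pre-deployment check for the junos-exec attributes discussed in this thread, added here as an example and not part of any poster's reply: it parses both the tac_plus stanza form and the ACS custom-attribute form, flags missing or unknown attributes and regexes that do not compile, and reports which regex matches a sample command. The function names and sample values are constructed, and Python's `re` stands in for the router's regex engine, which is an assumption.

```python
import re

# Attribute names taken from the thread; anything else is reported as unknown.
KNOWN = {"local-user-name", "allow-commands", "deny-commands"}
REGEX_ATTRS = {"allow-commands", "deny-commands"}

def parse_junos_exec(text):
    """Parse junos-exec attributes from a tac_plus 'service = junos-exec { ... }'
    stanza or from bare key=value lines as typed into the ACS attribute box."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "}" or line.endswith("{"):
            continue  # blank line, stanza close, or 'service = junos-exec {'
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop the quotes used around regexes
        attrs[key.strip()] = value
    return attrs

def lint(attrs):
    """Return a list of findings to review before the profile is deployed."""
    findings = []
    if not attrs.get("local-user-name"):
        findings.append("local-user-name missing")
    for key in sorted(set(attrs) - KNOWN):
        findings.append(f"unknown attribute: {key}")
    for key in sorted(REGEX_ATTRS & set(attrs)):
        try:
            re.compile(attrs[key])
        except re.error as exc:
            findings.append(f"{key}: invalid regex ({exc})")
    return findings

def matches(attrs, command):
    """Report which regex matches a command. re.search is a stand-in for the
    router's matcher (assumption); precedence is left to the device."""
    keys = sorted(REGEX_ATTRS & set(attrs))
    return {k: bool(re.search(attrs[k], command)) for k in keys}

# Constructed samples in both formats (values are illustrative).
ACS_BOX = "local-user-name=users1\nallow-commands=(show version)|(show configuration)"
TAC_PLUS = 'service = junos-exec {\n  local-user-name = ops\n  deny-commands = "(request system"\n}'
```

Running `matches` over the commands each group is expected to use, and a few it must not, shows how broadly an unanchored pattern reaches before the profile is assigned to a group.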