cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11207
Views
0
Helpful
8
Replies

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+ Authentication

rodmunch999
Level 1
Level 1

Hi,

I am trying add custom attributes for Juniper Netscreen TACACS+ authentication to a v5.2 ACS. The advice is to add it to the group as follows:

ervice = netscreen {
vsys = root
privilege = read-write
}

I know how to add this to a version v4.x ACS

v4.x ACS.JPG

However, I do not know how to apply this to the custom attribiutes to a v5.x ACS

v5.x ACS.JPG

Do I add the vsys and privilege attribute seperately or together? What should be the attribute name? netscreen? Should it be mandatory?

Any advice please

1 Accepted Solution

Accepted Solutions

Making different device groups and shell profiles mapped to different authorization profiles fixed my problem BTW.

Here is the setup I did for Juniper. I will try the netscreen one (last picture) later today/tomorrow

View solution in original post

8 Replies 8

justins
Level 1
Level 1

Good question, I'd like to know this as well for the netscreens. For junos, this is how I tried to do it (you would drop the "netscreen" from yours, but not sure if you would add both as mandatory)

Acs4.x setup

junos-exec

  local-user-name=readonly

acs5.2 setup

attribute -  local-user-name

value - readonly

mandatory

# junos config

       }

    login {

        class admin {

            idle-timeout 30;

            permissions all;

        }

        class read-only {

            idle-timeout 30;

            permissions [ view view-configuration ];

        }                              

        user admin {                                 

            class admin;                 

        }                              

        user readonly {                                 

            class read-only;  

The problem I have though, is this fixes my login to work to my JunOS devices, but it breaks the authentication to my Cisco IOS devices. The AAA logs show that the authentication succeeded, but the router says "authorization failed". Once I remove either the attribute from my shell profile, or make it optional then the Cisco router works for auth, but the JunOS device stops working (The username it tries to use is "remote" instead of the user I am trying to authenticate with).

Making different device groups and shell profiles mapped to different authorization profiles fixed my problem BTW.

Here is the setup I did for Juniper. I will try the netscreen one (last picture) later today/tomorrow

Bingo! Thank you very much Justin - I still had the privilege levels set to 15 but when I removed them but kept in the new attributes it logged in fine.

this worked for me on authorization profile- SHELL.

rommel-peraza
Level 1
Level 1

Hi, I was looking for some help on configuring a Juniper FW on my Cisco ACS v4.0 and I found you guys. Can you tell me which would be the best way to do that or where can I find good documentaction about it?

Thanks.

cburgers
Level 1
Level 1

Has anyone managed to find out why the cisco devices fail authorization when the mandatory custom attribute is enabled?

Justin said

"The problem I have though, is this fixes my login to work to my JunOS  devices, but it breaks the authentication to my Cisco IOS devices. The  AAA logs show that the authentication succeeded, but the router says  "authorization failed". Once I remove either the attribute from my shell  profile, or make it optional then the Cisco router works for auth, but  the JunOS device stops working (The username it tries to use is "remote"  instead of the user I am trying to authenticate with)."

I am currently having the same issue with ACS5.4.

Thanks,

Craig

I was able to make it work using different device groups and shell profiles instead of trying to combine mulitiple together.

Is your issue with IOS devices or NXOS devices (role-based auth)

Justin

Thanks Justin,

I was hoping to use just one shell profile for both device groups. We have it working with seperate profiles, but would be less overhead with one!

I havn't tried NXOS yet, but I imagine it will be a similar story.

Craig

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: