ISE 2.3 - TACACS+ - Returning a different Username to Juniper Device

I am running ISE 2.3 as a TACACS+ server.  I have it working well with my Cisco devices.  It is integrated with AD as an external identity source.  I am using a default authentication policy that checks against AD.  I also have a couple of different authorization policies: one that grants shell access with full access, and one that grants shell access with only access to "show" commands.  Those work great on all my Cisco devices.

 

My problem is that I have a bunch of Juniper firewalls.  They are configured so that the user "remote" has operator-level privilege, and the user "remote-su" has super-user privilege.  When any user authenticates with ISE, they are brought in as "remote" and are only given "operator" privilege.  I am looking for a way to come back to the Juniper with the user name "remote" or "remote-su".  Something like this:

 

Case 1:
User jsmith logs in
hits ISE > he is a network admin
ISE returns the "remote-su" username to the Juniper
he is given super-user privilege

Case 2:
User ajones logs in
hits ISE > he is a helpdesk tech
ISE returns the "remote" username to the Juniper
he is given operator privilege

 

I've been doing lots of reading, and haven't come up with a way to accomplish this specific task.  Does anyone know of a way to do this?  If there is a better way to do it that doesn't involve passing the usernames remote/remote-su back to the Juniper, I'm all ears as well.  It just seemed like one possible solution.  I know I can go into each Juniper and specify permissions for jsmith and ajones, but that defeats the purpose of using ISE.  I want everything to be configured in AD and ISE, as far as user accounts and permissions go.

 

Thanks in advance.

2 Replies

Damien Miller
VIP Alumni
The only way I have seen this was back in the ACS days with shadow accounts on Juniper. You configure local accounts mapped to the permissions you want, and then from ACS/ISE you send back the user. You leverage a custom attribute like local-user-name to accomplish this. Pretty sure that's what you are trying to avoid.

On Juniper you would create RO and super-user accounts, set up for the roles you want. ISE authentication still takes place as it would, creating authorization rules based on the AD accounts. Then with the result you send back the RO account with "local-user-name" if they match RO-only access, and the super-user account if they match super. Worked well.

Juniper has its short list of attributes documented. Have you considered allow-configuration and deny-configuration? Would they accomplish what you need?
https://www.juniper.net/documentation/en_US/src4.7/topics/reference/general/tacas-radius-authentication-attributes.html

Thank you for your reply Damien!  What you're describing is exactly what I'm trying to do.  However, I'm not sure exactly how to pass the "local-user-name" back to Juniper.  Any help on how to do that?
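As an added illustration (this is not from either post above, nor taken from Juniper or Cisco documentation), here is the device side of the template-account approach Damien describes, in Junos configuration form. The ISE address, the source address and the shared secret are placeholders; the uid values are arbitrary and only need to be unique on the box.

```junos
/* Added example: TACACS+ template ("shadow") accounts on a Junos device.
   192.0.2.10, 192.0.2.1 and the secret are placeholders. */
system {
    /* Only tacplus is listed, so local passwords are consulted solely when
       no TACACS+ server answers, not when ISE rejects the login. */
    authentication-order tacplus;
    tacplus-server {
        /* Placeholder address of the ISE policy service node */
        192.0.2.10 {
            /* Enter in clear text; Junos stores and displays it encrypted */
            secret "change-me";
            source-address 192.0.2.1;
            timeout 5;
        }
    }
    login {
        /* Template accounts carry no authentication stanza, so nobody can
           log in as them directly; they exist only to supply a login class
           to users that TACACS+ maps onto them via local-user-name. */
        user remote {
            uid 2001;
            class operator;
        }
        user remote-su {
            uid 2002;
            class super-user;
        }
    }
}
```

The mapping itself happens in the TACACS+ authorization reply. Junos sends an authorization request with service junos-exec for the authenticated user (jsmith), and if the reply carries the attribute pair local-user-name=remote-su, Junos applies the class of the local user remote-su while still logging the session under jsmith. When the reply carries no local-user-name at all, Junos falls back to the template named remote, which is why every user in the original post lands as operator today. On the ISE side (field names given from memory of the 2.x GUI, so treat them as an assumption), each TACACS Profile used by the shell authorization rules gets an entry under Custom Attributes with Type MANDATORY, Name local-user-name and Value remote-su for the network-admin rule or remote for the helpdesk rule; the Common Tasks privilege level that ISE sends for Cisco devices is simply ignored by Junos. After logging in, show cli authorization on the firewall shows which class was actually applied.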