I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma. I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
Configure the Juniper (CLI)
1. Add the Cisco ACS and TACACS+ configuration
set auth-server CiscoACSv5 id 1
set auth-server CiscoACSv5 server-name 192.168.1.100
set auth-server CiscoACSv5 account-type admin
set auth-server CiscoACSv5 type tacacs
set auth-server CiscoACSv5 tacacs secret CiscoACSv5
set auth-server CiscoACSv5 tacacs port 49
set admin auth server CiscoACSv5
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
Configure the Cisco ACS v5.x (GUI)
1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
Create the Juniper Shell Profile.
Click the [Create] button at the bottom of the page
Select the General tab
Name: Juniper
Description: Custom Attributes for Juniper SSG320M
Select the Custom Attributes tab
Add the vsys attribute:
Attribute: vsys
Requirement: Mandatory
Value: root
Click the [Add^] button above the Attribute field
Note: you can also use 'read-write', but then local admin doesn't work correctly
Click the [Add^] button above the Attribute field
Click the [Submit] button at the bottom of the page
2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
Create the Juniper Authorization Policy and filter by Device IP Address.
Click the [Customize] button at the bottom right of the page
Under Customize Conditions, select Device IP Address from the left window
Click the [>] button to add it
Click the [OK] button to close the window
Click the [Create] button at the bottom of the page to create a new rule
Under General, name the new rule Juniper, and ensure it is Enabled
Under Conditions, check the box next to Device IP Address
Enter the IP address of the Juniper (192.168.1.100)
Under Results, click the [Select] button next to the Shell Profile field
Select 'Juniper' and click the [OK] button
Under Results, click the [Select] button below the Command Sets (if used) field
Select 'Permit All' and ensure all other boxes are UNCHECKED
Click the [OK] button to close the window
Click the [OK] button at the bottom of the page to close the window
Check the box next to the Juniper policy, then move the policy to the top of the list
Click the [Save Changes] button at the bottom of the page
3. Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.
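Added example (editor's code, not part of the post above and not Juniper or Cisco code): what the `tacacs secret` in the ScreenOS configuration actually does on the wire. TACACS+ (RFC 8907, section 4.5) does not encrypt or authenticate packets; it XORs the body with a pseudo-pad derived from MD5 over the session id, the shared secret, the version byte and the sequence number. The block below builds the authorization REPLY the ACS shell profile would return for the post's `vsys=root` attribute, obfuscates it with the post's secret `CiscoACSv5`, decodes it with the right and the wrong secret, and then shows that an on-path attacker can flip the reply from PASS to FAIL (or the reverse) without knowing the secret at all. The session id, sequence number and packet bytes are constructed locally; nothing is sent to a firewall or an ACS.

```python
"""Added example, not part of the original post: the TACACS+ body
obfuscation that `set auth-server CiscoACSv5 tacacs secret CiscoACSv5`
turns on, implemented as RFC 8907 section 4.5 describes it. Session id,
sequence number and packet bytes are constructed here; no traffic is sent."""
import hashlib
import struct
from typing import List, Optional

HEADER_LEN = 12
TAC_PLUS_VERSION = (0xC << 4) | 0x0          # major version 0xC, minor 0 (default)
TAC_PLUS_AUTHOR = 0x02                        # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

KEY = b"CiscoACSv5"          # the shared secret from the post's CLI line
SESSION_ID = 0x1A2B3C4D      # constructed; a real client picks this at random
REPLY_SEQ_NO = 2             # the server's REPLY answers the client's seq_no 1 REQUEST


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated."""
    prefix = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call undoes it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply_body(args: List[str], status: int = TAC_PLUS_AUTHOR_STATUS_PASS_ADD) -> bytes:
    """Authorization REPLY body: status, arg_cnt, server_msg_len, data_len,
    one length byte per argument, then server_msg, data and the arguments."""
    encoded = [a.encode("ascii") for a in args]
    body = struct.pack(">BBHH", status, len(encoded), 0, 0)
    body += bytes(len(a) for a in encoded)
    return body + b"".join(encoded)


def build_packet(ptype: int, seq_no: int, session_id: int, key: bytes, body: bytes) -> bytes:
    """12-byte header (flags = 0, i.e. body obfuscated) followed by the obfuscated body."""
    header = struct.pack(">BBBBII", TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_author_reply(packet: bytes, key: bytes) -> Optional[dict]:
    """De-obfuscate with `key` and parse as an authorization REPLY. Returns None
    when the decoded body is not self-consistent, which is what a wrong shared
    secret looks like to the receiver (it cannot tell 'wrong key' from 'garbage')."""
    if len(packet) < HEADER_LEN:
        return None
    version, ptype, seq_no, flags, session_id, length = struct.unpack(">BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if ptype != TAC_PLUS_AUTHOR or length != len(body) or len(body) < 6:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack(">BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt
    if len(arg_lens) != arg_cnt or len(body) != pos + msg_len + data_len + sum(arg_lens):
        return None
    server_msg = body[pos:pos + msg_len]
    pos += msg_len + data_len          # skip server_msg and data
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii", errors="replace"))
        pos += n
    return {"status": status, "server_msg": server_msg.decode("ascii", errors="replace"), "args": args}


def flip_status_without_key(packet: bytes) -> bytes:
    """On-path tampering: XOR the first body byte (status) with 0x11 turns
    PASS_ADD (0x01) into FAIL (0x10) and back, with no knowledge of the secret.
    The pad is XORed in, so a bit flip in the obfuscated byte is the same bit
    flip in the clear byte, and nothing in the packet lets the receiver notice."""
    i = HEADER_LEN
    return packet[:i] + bytes([packet[i] ^ 0x11]) + packet[i + 1:]


def demo():
    """Round-trip the reply the post's ACS shell profile would produce (vsys=root),
    then decode it with the wrong secret and with a tampered status byte."""
    body = build_author_reply_body(["vsys=root"])
    pkt = build_packet(TAC_PLUS_AUTHOR, REPLY_SEQ_NO, SESSION_ID, KEY, body)
    good = parse_author_reply(pkt, KEY)
    wrong_key = parse_author_reply(pkt, b"not-the-secret")
    tampered = parse_author_reply(flip_status_without_key(pkt), KEY)
    return good, wrong_key, tampered


if __name__ == "__main__":
    for label, result in zip(("correct secret", "wrong secret", "tampered status"), demo()):
        print(f"{label}: {result}")
```

The practical consequence for the setup above: the shared secret only stops a passive observer from reading usernames, passwords and attributes off the wire; it gives the SSG no way to verify that a reply came from the ACS or was not altered in transit, and the ACS rule keyed on Device IP Address is equally easy to satisfy by anyone who can spoof that address. Keep TCP/49 between the firewall and the ACS on an isolated management path, and treat a firewall that suddenly falls back to local admin authentication (the `set admin auth remote primary` fallback) as a signal worth investigating rather than a convenience.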