I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma. I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
Configure the Juniper (CLI)
1. Add the Cisco ACS and TACACS+ configuration
set auth-server CiscoACSv5 id 1 set auth-server CiscoACSv5 server-name 192.168.1.100 set auth-server CiscoACSv5 account-type admin set auth-server CiscoACSv5 type tacacs set auth-server CiscoACSv5 tacacs secret CiscoACSv5 set auth-server CiscoACSv5 tacacs port 49 set admin auth server CiscoACSv5 set admin auth remote primary set admin auth remote root set admin privilege get-external
Configure the Cisco ACS v5.x (GUI) 1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles Create the Juniper Shell Profile. Click the [Create] button at the bottom of the page Select the General tab Name: Juniper Description: Custom Attributes for Juniper SSG320M Select the Custom Attributes tab
Add the vsys attribute: Attribute: vsys Requirement: Manadatory Value: root Click the [Add^] button above the Attribute field
Note: you can also use 'read-write' but then local admin doesn't work correctly Click the [Add^] button above the Attribute field Click the [Submit] button at the bottom of the page
2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization Create the Juniper Authorization Policy and filter by Device IP Address. Click the [Customize] button at the bottom Right of the page Under Customize Conditions, select Device IP Address from the left window Click the [>] button to add it Click the [OK] button to close the window
Click the [Create] button at the bottom of the page to create a new rule Under General, name the new rule Juniper, and ensure it is Enabled Under Conditions, check the box next to Device IP Address Enter the ip address of the Juniper (192.168.1.100) Under Results, click the [Select] button next to the Shell Profile field Select 'Juniper' and click the [OK] button Under Results, click the [Select] button below the Command Sets (if used) field Select 'Permit All' and ensure all other boxes are UNCHECKED Click the [OK] button to close the window Click the [OK] button at the bottom of the page to close the window Check the box next to the Juniper policy, then move the policy to the top of the list Click the [Save Changes] button at the bottom of the page
3. Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.
Hi All, A customer wants to authenticate Anyconnect VPN users from an ASA using the client installed certificate and then with AD. i.e. Is this a corporate device?Would we recommend authenticating the cert on the ASA then passing the AD check to ISE ...
Hello Team, we are getting alert in FMC stating policy deployment failed, we are running on 6.2.0 version and not sure which version is stable version to re mediate this issue, in one event i have seen restart will resolve this issue but is it perman...
Threat Hunting 101
In the latest Cisco Cybersecurity report, we explore all there is to know about threat hunting and provide a how-to guide for creating a threat hunting team.
Here are some of th...
What Is Cisco Identity Services Engine?
Cisco Identity Services Engine (ISE) is an all-in-one enterprise policy control product that enables comprehensive secure wired, wireless, and Virtual Private Networking (VPN) access.
Cisco ISE offers...
To participate in this event, please use the button to ask your questions
(This event was formerly know as Ask the Expert event)
This topic is a chance to discuss more about the best configuration and troubleshooting pr...