12-21-2009 09:14 PM - edited 03-10-2019 04:51 PM
Hi,
Having an issue with authenticating Juniper J Series and SRX devices with ACS 5.1
The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page.
Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authentication phase passing, but it does not progress onto the Authorisation phase. There is nothing of interest in the ACS logs (even with the debugging levels turned right up). The same access service is in use for both the CLI and the GUI (JWEB).
Using ACS 4.1, both CLI and JWEB authentication works.
There is a relevant post on the Juniper forum.
I'm thinking the issue is with ACS 5.0 / 5.1 and that it may not be liking the response from the Juniper (even though it should be the same mechanism).
Any thoughts?
Thanks,
Bruce
12-22-2009 07:45 AM
Hi Bruce:
Could you please ensure that we have the below listed attributes defined on ACS 5.x
vsys mandatory root
Privilege mandatory root
Where;
vsys and privilege are attributes.
mandatory is requirement
root is value
You can check this under Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Edit the profile > Custom Attributes.
HTH
JK
Please rate helpful posts.
12-22-2009 03:55 PM
Hi jkatyal,
Thanks for the suggestion.
I added the attributes to the shell profile but was still unable to login via the JWEB interface.
The attribute originally entered, local-user-name is what enables the CLI login to work, this maps the authenticated (via ACS) user to the Juniper defined local user, readwrite.
Any further ideas much appreciated.
Bruce
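As an added example (not configuration from either post in this thread), this is the Junos side of the mapping Bruce describes: the TACACS+ server returns the Junos attribute `local-user-name`, and the device applies the login class of the matching local template user. The server address, source address, shared secret, uid values and class choices are assumptions made for the illustration.

```junos
set system tacplus-server 192.0.2.10 secret "example-shared-secret"
set system tacplus-server 192.0.2.10 source-address 192.0.2.1
set system tacplus-server 192.0.2.10 timeout 5
set system tacplus-server 192.0.2.10 single-connection
set system authentication-order [ tacplus password ]
set system login user readwrite uid 2001 class super-user
set system login user remote uid 2002 class read-only
set system services web-management https system-generated-certificate
```

With this in place, an ACS shell profile whose custom attribute is `local-user-name`, marked mandatory, with value `readwrite` produces the TACACS+ authorization reply pair `local-user-name=readwrite` (in the TACACS+ protocol `=` marks a mandatory attribute and `*` an optional one), and the authenticated user inherits the `super-user` class of the `readwrite` template user. The `remote` template user is the Junos fallback applied when the server returns no `local-user-name`; giving it `read-only` keeps a missing attribute from silently granting more than it should. Whether J-Web behaves differently from the CLI for the same reply is exactly the open question in this thread, so this example illustrates the mapping, not a fix.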
05-31-2013 07:33 AM
Hi
Did this ever get resolved? I have practically the same question up on another post
Thanks
Simon
05-31-2013 07:56 AM
I know, Simon.
Bruce: Any thoughts?
Jatin Katyal
- Do rate helpful posts -
06-03-2013 05:54 AM
Bruce,
I know it's really too late. However, I'm posting a link for you in case you wish to go through it.
https://supportforums.cisco.com/message/3954494#3954494
Jatin Katyal
- Do rate helpful posts -