Juniper JWEB Authentication via TACACS to ACS 5.1

bruce-walker
Level 1

Hi,

Having an issue with authenticating Juniper J Series and SRX devices with ACS 5.1

The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page.

Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authenticate phase passing, but it does not progress onto the Authorisation phase. There is nothing of interest in the ACS logs (even with the debugging levels turned right up). The same Access service is in use for both the CLI and GUI (JWEB).

Using ACS 4.1, both CLI and JWEB authentication works.

There is a relevant post on the Juniper forum.

http://forums.juniper.net/t5/Ethernet-Switching/EX4200-and-tacacs-authentication-JWEB-interface-do-not-work-with/m-p/29753

I'm thinking the issue is with ACS 5.0 / 5.1 and that it may not like the response from the Juniper (even though it should be the same mechanism).

Any thoughts?

Thanks,

Bruce

6 Replies

Jatin Katyal
Cisco Employee

Hi Bruce:


Could you please ensure that we have the below listed attributes defined on ACS 5.x

vsys           mandatory  root
Privilege   mandatory   root

Where;

vsys and privilege are attributes.
mandatory is requirement
root is value

You can check this under

Policy Elements  > Authorization and Permissions  > Device
Administration > Shell Profiles > Edit the profile >  custom attributes.


HTH

JK


Plz rate helpful posts-


~Jatin
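
The attribute table above (name, requirement, value) is what ACS turns into the attribute-value pairs carried in the TACACS+ authorization REPLY. The following is an added example, not code from the thread or from Cisco or Juniper, that encodes a shell profile into those pairs, builds and parses the REPLY body as laid out in RFC 8907, and applies the protocol rule that a client which does not understand a mandatory attribute must treat the authorization as failed. It assumes the usual mapping of ACS's "mandatory" requirement to the `=` separator and "optional" to `*`; the attribute names and values are the ones quoted in this thread, and the `profile` list and the set of attributes the client understands are constructed for the demonstration.

```python
import struct

# Authorization REPLY status codes (RFC 8907, section 6.2)
AUTHOR_STATUS_PASS_ADD = 0x01   # use the client's args plus the server's
AUTHOR_STATUS_PASS_REPL = 0x02  # replace the client's args with the server's
AUTHOR_STATUS_FAIL = 0x10
AUTHOR_STATUS_ERROR = 0x11


def encode_avpair(name, value, mandatory=True):
    """'name=value' is mandatory, 'name*value' is optional (RFC 8907, 8.1)."""
    return f"{name}{'=' if mandatory else '*'}{value}"


def parse_avpair(pair):
    """Return (name, value, mandatory); the first '=' or '*' is the separator."""
    for i, ch in enumerate(pair):
        if ch in "=*":
            return pair[:i], pair[i + 1:], ch == "="
    raise ValueError(f"malformed attribute-value pair: {pair!r}")


def shell_profile_attributes(profile):
    """profile: list of (attribute, requirement, value) rows as shown in the
    ACS shell profile 'custom attributes' table; returns the AV pair strings."""
    return [encode_avpair(name, value, req.lower() == "mandatory")
            for name, req, value in profile]


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Body of a TACACS+ authorization REPLY (the 12-byte packet header is
    not included): status, arg_cnt, server_msg_len, data_len, arg lengths,
    server_msg, data, then the args themselves."""
    encoded = [a.encode("ascii") for a in args]
    if len(encoded) > 255 or any(len(a) > 255 for a in encoded):
        raise ValueError("too many arguments or argument too long")
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    body += bytes(len(a) for a in encoded)
    return body + server_msg + data + b"".join(encoded)


def parse_author_reply(body):
    """Inverse of build_author_reply; rejects truncated or over-long bodies."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = body[off:off + arg_cnt]
    off += arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii"))
        off += n
    if off != len(body):
        raise ValueError("authorization REPLY body length mismatch")
    return {"status": status, "server_msg": server_msg, "data": data,
            "args": [parse_avpair(a) for a in args]}


def client_accepts(args, understood):
    """RFC 8907, section 6.1: a mandatory attribute the client does not
    understand makes the whole authorization fail; an unknown optional
    attribute is simply ignored. Returns (accepted, ignored_optional_names)."""
    ignored = []
    for name, _value, mandatory in args:
        if name not in understood:
            if mandatory:
                return False, ignored
            ignored.append(name)
    return True, ignored


if __name__ == "__main__":
    # Constructed profile: the three attributes discussed in this thread
    profile = [("vsys", "mandatory", "root"),
               ("privilege", "mandatory", "root"),
               ("local-user-name", "mandatory", "readwrite")]
    reply = build_author_reply(AUTHOR_STATUS_PASS_ADD,
                               shell_profile_attributes(profile))
    parsed = parse_author_reply(reply)
    for name, value, mandatory in parsed["args"]:
        print(f"{name:16} {'mandatory' if mandatory else 'optional':9} {value}")
    # Constructed client that only knows local-user-name: mandatory vsys fails it
    print(client_accepts(parsed["args"], {"local-user-name"}))
```

Marking an attribute mandatory is therefore a stronger statement than it looks: if the client treats it as unknown, the REPLY is rejected outright even though the server reported a pass, which is worth keeping in mind when comparing a capture that shows the exchange stopping after authentication.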

Hi jkatyal,

Thanks for the suggestion.

I added the attributes to the shell profile but was still unable to login via the JWEB interface.

The attribute originally entered, local-user-name is what enables the CLI login to work, this maps the authenticated (via ACS) user to the Juniper defined local user, readwrite.

Any further ideas much appreciated.

Bruce

shell profile attributes.jpg

Hi

Did this ever get resolved? I have practically the same question up on another post

Thanks

Simon

I know, Simon.

Bruce: Any thoughts?

Jatin Katyal
- Do rate helpful posts -

~Jatin

Bruce,

I know it's really too late. However, I am posting a link for you in case you wish to go through it.

https://supportforums.cisco.com/message/3954494#3954494

Jatin Katyal
- Do rate helpful posts -

~Jatin