ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+ Authentication

Answered Question
Aug 10th, 2011

Hi,

I am trying to add custom attributes for Juniper Netscreen TACACS+ authentication to a v5.2 ACS. The advice is to add it to the group as follows:

service = netscreen {
    vsys = root
    privilege = read-write
}

I know how to add this to a v4.x ACS:

v4.x ACS.JPG

However, I do not know how to apply this to the custom attributes of a v5.x ACS:

v5.x ACS.JPG

Do I add the vsys and privilege attributes separately or together? What should be the attribute name? netscreen? Should it be mandatory?

Any advice please

justins@kinkos.com Wed, 08/10/2011 - 17:27

Good question, I'd like to know this as well for the netscreens. For junos, this is how I tried to do it (you would drop the "netscreen" from yours, but not sure if you would add both as mandatory)

ACS 4.x setup:

junos-exec
  local-user-name=readonly

ACS 5.2 setup:

attribute - local-user-name
value - readonly
mandatory

# junos config (login stanza under [edit system])
login {
    class admin {
        idle-timeout 30;
        permissions all;
    }
    class read-only {
        idle-timeout 30;
        permissions [ view view-configuration ];
    }
    user admin {
        class admin;
    }
    # template user that a TACACS+ reply of local-user-name=readonly maps to
    user readonly {
        class read-only;
    }
}

The problem I have though, is this fixes my login to work to my JunOS devices, but it breaks the authentication to my Cisco IOS devices. The AAA logs show that the authentication succeeded, but the router says "authorization failed". Once I remove either the attribute from my shell profile, or make it optional, then the Cisco router works for auth, but the JunOS device stops working (the username it tries to use is "remote" instead of the user I am trying to authenticate with).
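
The "authorization failed" behaviour described in this post follows from how TACACS+ marks attribute-value pairs: "=" makes an argument mandatory and "*" makes it optional, and RFC 8907 requires a client that does not implement a mandatory argument to treat the whole authorization as failed, while unknown optional arguments may be ignored. The Python below is an added illustration written for this page, not code from the thread, from ACS or from any vendor. It encodes and parses the TACACS+ authorization REPLY body (the part after the 12-byte header, before the MD5-based obfuscation is applied) and applies those client rules to constructed replies. The attribute sets IOS_SHELL_ATTRS, JUNOS_ATTRS and NETSCREEN_ATTRS are illustrative subsets assumed for the example, not complete vendor lists.

```python
import struct

# Authorization REPLY status values (RFC 8907, section 6.2).
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

# Illustrative attribute sets assumed for this example; the real clients
# implement more attributes than are listed here.
IOS_SHELL_ATTRS = {"priv-lvl", "autocmd", "timeout", "idletime", "acl"}
JUNOS_ATTRS = {"local-user-name", "allow-commands", "deny-commands"}
NETSCREEN_ATTRS = {"vsys", "privilege"}


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Encode an authorization REPLY body: status, arg_cnt, server_msg len,
    data len, one length byte per argument, then server_msg, data, arguments."""
    encoded = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    body += bytes(len(a) for a in encoded)
    return body + server_msg + data + b"".join(encoded)


def parse_author_reply(body):
    """Decode a REPLY body; returns (status, server_msg, data, [arg strings])."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    server_msg, off = body[off:off + msg_len], off + msg_len
    data, off = body[off:off + data_len], off + data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    if off != len(body):
        raise ValueError("REPLY body length does not match declared fields")
    return status, server_msg, data, args


def split_arg(arg):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional); the first
    separator encountered delimits the attribute name from the value."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError(f"argument has no separator: {arg!r}")


def client_evaluate(body, supported):
    """Apply the client-side rules of RFC 8907 section 6.1 to a REPLY:
    a non-PASS status fails; a mandatory argument the client does not
    implement fails the whole authorization; an unknown optional argument
    is ignored. Returns (authorized, applied_attrs, ignored_attrs)."""
    status, _, _, args = parse_author_reply(body)
    if status not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return False, {}, []
    applied, ignored = {}, []
    for arg in args:
        attr, value, mandatory = split_arg(arg)
        if attr in supported:
            applied[attr] = value
        elif mandatory:
            return False, {}, []  # what the router reports as "authorization failed"
        else:
            ignored.append(attr)
    return True, applied, ignored


def demo():
    """Constructed replies mirroring the thread: the Junos attribute sent as
    mandatory, the same attribute sent as optional, and the netscreen pair
    from the original question sent as two separate arguments."""
    pass_add = TAC_PLUS_AUTHOR_STATUS_PASS_ADD
    junos_mandatory = build_author_reply(pass_add, ["local-user-name=readonly"])
    junos_optional = build_author_reply(pass_add, ["local-user-name*readonly"])
    netscreen = build_author_reply(pass_add, ["vsys=root", "privilege=read-write"])
    return {
        "ios_gets_mandatory": client_evaluate(junos_mandatory, IOS_SHELL_ATTRS)[0],
        "ios_gets_optional": client_evaluate(junos_optional, IOS_SHELL_ATTRS),
        "junos_gets_mandatory": client_evaluate(junos_mandatory, JUNOS_ATTRS),
        "netscreen": client_evaluate(netscreen, NETSCREEN_ATTRS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the attribute mandatory, the IOS evaluation fails even though authentication already succeeded, which matches an AAA log showing a successful authentication followed by the router's "authorization failed". With it optional, IOS proceeds and ignores the attribute; the thread reports that Junos then falls back to its "remote" template user, consistent with a client being free to ignore an optional argument. Sending each device group its own shell profile, as later settled on in this thread, avoids handing either client an argument it does not implement. The netscreen case also shows that the two lines inside the 4.x "service = netscreen { ... }" block travel as two separate attribute-value pairs on the wire.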

Correct Answer
justins@kinkos.com Thu, 08/11/2011 - 13:10

Making different device groups and shell profiles mapped to different authorization profiles fixed my problem BTW.

Here is the setup I did for Juniper. I will try the netscreen one (last picture) later today/tomorrow

rodmunch999 Mon, 08/15/2011 - 22:23

Bingo! Thank you very much Justin - I still had the privilege levels set to 15 but when I removed them but kept in the new attributes it logged in fine.

rommel-peraza Thu, 02/09/2012 - 05:15

Hi, I was looking for some help on configuring a Juniper FW on my Cisco ACS v4.0 and I found you guys. Can you tell me which would be the best way to do that, or where I can find good documentation about it?

Thanks.

cburgers Wed, 09/04/2013 - 19:27

Has anyone managed to find out why the cisco devices fail authorization when the mandatory custom attribute is enabled?

Justin said

"The problem I have though, is this fixes my login to work to my JunOS devices, but it breaks the authentication to my Cisco IOS devices. The AAA logs show that the authentication succeeded, but the router says "authorization failed". Once I remove either the attribute from my shell profile, or make it optional then the Cisco router works for auth, but the JunOS device stops working (The username it tries to use is "remote" instead of the user I am trying to authenticate with)."

I am currently having the same issue with ACS5.4.

Thanks,

Craig

justins@kinkos.com Thu, 09/05/2013 - 17:06

I was able to make it work using different device groups and shell profiles instead of trying to combine multiple together.

Is your issue with IOS devices or NXOS devices (role-based auth)?

Justin

cburgers Thu, 09/05/2013 - 21:07

Thanks Justin,

I was hoping to use just one shell profile for both device groups. We have it working with separate profiles, but it would be less overhead with one!

I haven't tried NXOS yet, but I imagine it will be a similar story.

Craig

Posted August 10, 2011 at 3:30 AM