ACS 5.2, TACACS and Junos authorization

Mar 5th, 2012
I can get it to authenticate. But I've read some posts on ACS 4.2 and authorization, but I don't find anything similar.

I want to control down to what commands the authenticated user can run. I want the definition to come from the ACS server, or at least control it from the ACS server. I want to minimize the changes on the JunOS side, but if it can't be easily done, I'll change the JunOS side.

eugene.tsuno Wed, 03/07/2012 - 11:29

Well, I got something to work. I let TACACS do the authentication, I changed the remote user to be readonly/tier1. Then I have to create an account for each admin that is tier3/readwrite.

Not pretty, but it works.

There must be a more elegant solution?

kashifkhawaja Thu, 01/31/2013 - 15:12

Derek,

I'm not an expert in Juniper AAA, so if you would please indulge me. I'm thinking three groups: FullAccess, RO, and LimitedAccess. There will be many many users in each group. Does this mean that not only do I have to create these three classes but I also have to create ALL the user accounts on each JunOS device as well? I'd like to be able to use the ACS user identity database instead (so that I have one central repository for account info).

Thanks!

Marlon Malinao Mon, 08/06/2012 - 08:42

Hi Eugene,

Do you still remember how to use the "remote" template and get the authorization from ACS 5.2?

marlon

eugene.tsuno Mon, 08/06/2012 - 09:45

I gave up. The example screenshots were of 4.2 and I tried to get that to work with no luck.

It would be nice to give people the correct tier from TACACS, but I have a workaround.

Tarik Admani Mon, 08/06/2012 - 10:41

If you still need help, please share what you attempted so I can take a look.

Thanks,

Tarik Admani
*Please rate helpful posts*

Marlon Malinao Mon, 08/06/2012 - 16:56

Hi Tarik,

I have ACS 5.2 and JUNOS 10.6.x. I set up 2 classes, eng-class and ops-class, with read/write and read-only permission.


Here is my configuration on JUNOS:

set system login class eng-class idle-timeout 15
set system login class eng-class permissions all
set system login user engineer full-name "Regional Engineering"
set system login user engineer uid 2001
set system login user engineer class eng-class
set system login user engineer authentication plain-text-password xxxxxxx

set system login class ops-class idle-timeout 15
set system login class ops-class permissions view view-configuration
set system login user operator full-name "Regional Operations"
set system login user operator uid 2002
set system login user operator class ops-class
set system login user operator authentication plain-text-password xxxxxxx

set system authentication-order tacplus password

set system tacplus-options no-cmd-attribute-value
set system tacplus-options service-name junos-fwr-exec    <-- is this command still needed in ACS 5.2?

set system tacplus-server xxxx.xxx.xxx.xxx secret xxxxxxxx
set system tacplus-server xxx.xxx.xxx.xxx timeout 5
set system tacplus-server xxx.xxx.xxx.xxx source-address xxx.xxx.xxx.    <-- can I use the fxp0 out-of-band mgmt IP?

set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus server xxx.xxx.xxx.xxx secret xxxxxxx
set system accounting destination tacplus server xxxx.xxx.xxx.xxx timeout 5


ACS 5.2 shell profiles:

junos-eng
attribute=local-user-name
value=engineer

junos-ops
attribute=local-user-name
value=operator

I saw some implementations that only use one template, i.e. the "remote" user template with permission all; then the authorization was inherited from ACS as to whether to have read-only or read-write access. Is this a better implementation? Can you show how to do it in JUNOS and ACS 5.2?

Thanks.

Tarik Admani Mon, 08/06/2012 - 17:27

Marlon,

I do not have a template for you to use; I was providing assistance on the ACS side. Based on your last questions, the approach looks like a good approach.

Tarik Admani
*Please rate helpful posts*

eugene.tsuno Tue, 08/07/2012 - 09:22

You don't need to do one or the other. The remote clause is the default if no tier is assigned.

In our case, we specify the readonly cases explicitly, since it changes less frequently, and allow our admins readwrite by default via remote. That way, we don't have to add admins on each router when they come on board. Of course we still authenticate via TACACS in either case; we don't have local passwords except for our emergency ones.

Yeah, I really tried that 4.2 link and translated it to 5.2 to get it to map users to tiers, but I had a limited time window to work on it. The solution to specify the readonly accounts explicitly and readwrite implicitly suited our needs.
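The design Eugene describes above (readwrite by default through the "remote" template, readonly mapped explicitly), written out as a Junos set-format fragment with the matching ACS shell-profile attribute noted in comments. This is an added example, not configuration from the thread or from Juniper; the class and user names, the deny-commands pattern and the 192.0.2.10 server address are assumptions, while the "remote" template and the local-user-name attribute are standard Junos TACACS+ behaviour.

```junos
# Read-write by default: a TACACS+-authenticated user with no matching local
# account lands on the "remote" template, so a new admin needs no router change.
set system login class rw-class idle-timeout 15
set system login class rw-class permissions all
set system login user remote class rw-class

# Read-only is mapped explicitly: the ACS shell profile for the read-only group
# returns local-user-name=ro-user, which overrides the "remote" template.
# ACS 5.2 shell profile (Custom Attributes, mandatory):
#   attribute = local-user-name   value = ro-user
# The read-write shell profile sets no local-user-name, so "remote" applies.
set system login class ro-class idle-timeout 15
set system login class ro-class permissions view view-configuration
# (assumption) command-level restriction on top of the permission bits
set system login class ro-class deny-commands "^(configure|edit)"
set system login user ro-user uid 2002
set system login user ro-user class ro-class
# No authentication stanza on ro-user: the password is still checked by TACACS+.

# Authenticate via TACACS+ first; local passwords remain only for emergency accounts.
set system authentication-order tacplus password
set system tacplus-server 192.0.2.10 secret "<tacacs-shared-secret>"
set system tacplus-server 192.0.2.10 timeout 5
```

A quick check after commit is to log in as a read-only user and confirm `show cli authorization` reports class ro-class rather than rw-class.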

Marlon Malinao Tue, 08/07/2012 - 22:40

Thanks Eugene, Tarik,

I have implemented this, but below are the results.

1. I can manage to log in with accounts that belong to the engineer account (read-write).
2. I can't log in using accounts that belong to the operator account (read-only).
3. Also, for the Juniper web management interface, TACACS is not working.

Do you have any idea?

marlon
