Cisco ACS 5.1 Tacacs with Juniper Srx 210

Unanswered Question
Mar 14th, 2012

Hi all,

I am trying to do authentication for a Juniper SRX 210 FW with Cisco ACS 5.1 TACACS, but I am unable to achieve it.

Can anyone help me with how to add the Junos service in ACS 5.1, and how to integrate the Juniper SRX 210 in Cisco ACS 5.1?

Nicolas Darchis Thu, 03/15/2012 - 00:54
User Badges:
  • Cisco Employee,

You don't need to add a Junos service in ACS 5.x; this was only required in the days of ACS 4.x.

For the rest, it should be documented by Juniper. If you have the list of attributes that they require, then we can help.


Nico

Pranav Gade Mon, 03/19/2012 - 07:38
Hi Nicolas,

Thanks for your reply. I have gone through all the KBs at Juniper but am unable to find the attributes that are required for the Juniper SRX 210 and need to be configured in ACS 5.1. Can you help me find those attributes?

Thanks,

Pranav

Nicolas Darchis Mon, 03/19/2012 - 10:11
User Badges:
  • Cisco Employee,

No, since I don't have any experience with that Juniper product.

Maybe someone else in this forum has...

But it's still normally up to Juniper to mention this in their doc :-)

Eduardo Aliaga Mon, 03/19/2012 - 14:20
User Badges:
  • Silver, 250 points or more

Hello Pranav

As Nicolas said, you really need to know what attributes the Juniper SRX is using. It also depends on what you're looking for; for example, "password authentication" is very different from "command authorization". I answered a similar question here: https://supportforums.cisco.com/thread/2111466

You don't need to enable any new service. ACS is capable of serving any TACACS (or RADIUS) device as long as you tell ACS which TACACS (or RADIUS) attributes are needed for that device.

This is an example in which I have configured ACS 5.x with an attribute called "local-user-name", which the JunOS router uses for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".

If you don't know the attributes, you can capture the packets and troubleshoot from the Juniper CLI and from the "ACS View" side. That's how I found out the "local-user-name" attribute.

Please rate if it helps. Kind regards

Pranav Gade Mon, 03/19/2012 - 21:27
Hello eduardoaliaga

Thanks for your reply. We have to use ACS 5.1 users only for authentication on the Juniper SRX 210.

So, will the attribute you mentioned above fulfill the requirement, or do we need to add any more attributes for the Juniper SRX 210 in Cisco ACS 5.1?

Pranav

Marlon Malinao Thu, 09/20/2012 - 07:00
Hi,

This one works for accessing the Juniper via SSH, but how about if you want to manage it via HTTPS or the web GUI? For my setup it's not working: logging in to the web GUI with a TACACS account doesn't work, only the local account can log in.

Can you advise any additional configuration needed?

marlon

Anim Saxena Fri, 09/21/2012 - 00:48
User Badges:
  • Silver, 250 points or more

Hi Pranav,

I am posting some commands which may be of some interest to you.

Have a look at them and then decide your course of action.

#####TACACS config at Juniper SRX 210####

set system authentication-order tacplus
set system authentication-order password
set system tacplus-server tac-serv-ip secret "key"
set system tacplus-server tac-serv-ip source-address "source-interface-ip-on-srx"
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus
set system login user remote full-name "Tacacs+ template for remote access"
set system login user remote class super-user

("key" is the secret key configured on the server; tac-serv-ip and source-interface-ip-on-srx are placeholders for your own addresses.)

### Do create fallback user(s) locally on the SRX for events when the TACACS server isn't accessible ###


Thanx and Regards

Anim Saxena


*Rate helpful posts*
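Tying Eduardo's "local-user-name" shell-profile attribute to Anim's "remote" template user, here is an added example (my own code, not from any post in this thread): a parser for the TACACS+ authorization REPLY body that ACS returns, plus the template lookup the SRX performs on it. It assumes the body has already been de-obfuscated and the 12-byte TACACS+ header stripped; build_reply and SAMPLE_REPLY are constructed test input, not a real capture.

```python
import struct
from dataclasses import dataclass

# TACACS+ authorization REPLY status values (RFC 8907, section 6.2)
STATUS_PASS_ADD, STATUS_PASS_REPL, STATUS_FAIL = 0x01, 0x02, 0x10

@dataclass
class AuthorReply:
    status: int
    args: dict        # attribute name -> value
    mandatory: set    # attributes the server sent with '=' rather than '*'
    server_msg: str

def parse_author_reply(body: bytes) -> AuthorReply:
    """Parse a de-obfuscated authorization REPLY body (12-byte header already stripped)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6
    arg_lens = list(body[pos:pos + arg_cnt]); pos += arg_cnt
    server_msg = body[pos:pos + msg_len].decode(); pos += msg_len
    pos += data_len                  # 'data' field is unused for shell logins
    args, mandatory = {}, set()
    for n in arg_lens:
        raw = body[pos:pos + n].decode(); pos += n
        # '=' marks a mandatory AVP, '*' an optional one; split on the first separator
        sep = min((i for i, c in enumerate(raw) if c in "=*"), default=None)
        if sep is None:
            raise ValueError(f"malformed AVP: {raw!r}")
        args[raw[:sep]] = raw[sep + 1:]
        if raw[sep] == "=":
            mandatory.add(raw[:sep])
    return AuthorReply(status, args, mandatory, server_msg)

def junos_template_for(reply: AuthorReply, local_users: set):
    """Local login template the SRX applies: 'local-user-name' if it names a configured
    user, else the generic 'remote' template; None means the login is rejected."""
    if reply.status not in (STATUS_PASS_ADD, STATUS_PASS_REPL):
        return None
    wanted = reply.args.get("local-user-name")
    if wanted in local_users:
        return wanted
    return "remote" if "remote" in local_users else None

def build_reply(status: int, avps, server_msg: bytes = b"") -> bytes:
    """Constructed test input: assemble a REPLY body from AVP strings (not a real capture)."""
    enc = [a.encode() for a in avps]
    return (struct.pack("!BBHH", status, len(enc), len(server_msg), 0)
            + bytes(len(a) for a in enc) + server_msg + b"".join(enc))

# Constructed sample: ACS shell profile returning local-user-name=remote and an optional priv-lvl
SAMPLE_REPLY = build_reply(STATUS_PASS_ADD, ["local-user-name=remote", "priv-lvl*15"])
```

If junos_template_for returns None even though ACS passed the user, the SRX has no matching local template, which is exactly the case Anim's "set system login user remote" lines exist to cover.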
