Cisco ACS 5.1 Tacacs with Juniper Srx 210

Pranav Gade
Level 1

Hi all,

I am trying to do authentication for Juniper SRX 210 FW with Cisco ACS 5.1 TACACS but I am unable to achieve it.

Can anyone help me with how to add the Junos service in ACS 5.1, and how to integrate Juniper SRX 210 in Cisco ACS 5.1?

8 Replies

Nicolas Darchis
Cisco Employee

You don't need to add a Junos service in ACS 5.x; this was only required in the days of ACS 4.x.

For the rest, it should be documented by Juniper. If you have the list of attributes that they require, then we can help.

Nico

Hi Nicolas,

Thanks for your reply. I have gone across all KBs in Juniper but I am unable to find the attributes that are required for Juniper SRX 210 and which need to be configured in ACS 5.1. Can you help me find those attributes?

Thanks,

Pranav

No, since I don't have any experience with that Juniper product.

Maybe someone else in this forum has ...

But it's still normally up to Juniper to mention this in their doc :-)

Hello Pranav

As Nicolas said, you really need to know what attributes Juniper SRX is using. It also depends on what you're looking for; for example, "password authentication" is very different from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466

You don't need to enable any new service. ACS is capable of serving any TACACS (or RADIUS) device as long as you tell ACS what the TACACS (or RADIUS) attributes needed for that device are.

This is an example in which I have configured ACS 5.x with an attribute called "local-user-name" which the JunOS router uses for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".

If you don't know the attributes you can capture the packets and troubleshoot from the Juniper CLI and from the "ACS View" side. That's how I found out the "local-user-name" attribute.

Please rate if it helps. Kind regards
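eduardoaliaga's suggestion above, capturing the packets to see which attributes ACS actually returns, can be followed up with a small decoder. The following is an added Python example (my own code, not from this thread, Cisco or Juniper): it builds a constructed TACACS+ authorization REPLY obfuscated with a shared secret as described in RFC 8907 and parses it back into attribute-value pairs such as local-user-name; the session id, secret and attribute values are made up.

```python
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02        # header "type" of authorization packets
TAC_PLUS_UNENCRYPTED = 0x01   # header flag: body is sent in the clear


def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 body obfuscation: a running MD5 keystream XORed over the body."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def build_author_reply(session_id, key, args, status=0x01, seq_no=2, version=0xC0):
    """Constructed authorization REPLY (what the server sends back), obfuscated with key."""
    raw = [a.encode("ascii") for a in args]
    # body layout: status, arg_cnt, server_msg_len, data_len, arg_len[], server_msg, data, args
    body = struct.pack("!BBHH", status, len(raw), 0, 0) + bytes(len(a) for a in raw) + b"".join(raw)
    header = struct.pack("!BBBB4sI", version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def parse_author_reply(packet, key):
    """Decode a captured authorization REPLY into its status and attribute-value pairs."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED:
        pad = tacacs_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ p for b, p in zip(body, pad))
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len          # skip server_msg and data
    attrs = {}
    for n in arg_lens:
        arg = body[pos:pos + n].decode("ascii")
        pos += n
        # "=" marks a mandatory attribute, "*" an optional one; split on whichever comes first
        seps = [i for i in (arg.find("="), arg.find("*")) if i >= 0]
        if not seps:
            raise ValueError(f"malformed attribute: {arg!r}")
        i = min(seps)
        attrs[arg[:i]] = (arg[i + 1:], arg[i] == "=")   # value, mandatory?
    return {"status": status, "attrs": attrs}


if __name__ == "__main__":
    pkt = build_author_reply(b"\x12\x34\x56\x78", b"key", ["local-user-name=remote", "priv-lvl*15"])
    print(parse_author_reply(pkt, b"key"))
```

A wrong shared secret yields an unreadable body, which is also what a mismatched key between ACS and the SRX looks like in a capture.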

Hello eduardoaliaga

Thanks for your reply. We have to use ACS 5.1 users only for authentication in Juniper SRX 210.

So will the attribute which you have mentioned above fulfil the requirement, or do we need to add any more attributes for Juniper SRX 210 in Cisco ACS 5.1?

Pranav

Hi,

This one works when accessing Juniper via SSH, but how about if you want to manage it via HTTPS or the web GUI? For my setup it's not working: logging in to the web GUI with a TACACS account doesn't work; only the local account can log in.

Can you advise of any additional configuration needed?

marlon

Hi Pranav,

I am posting some commands which may be of some interest for you.

Have a look at them and then decide your course of action.

##### TACACS config at Juniper SRX 210 #####
set system authentication-order tacplus
set system authentication-order password
set system tacplus-server tac-serv-ip secret "key"     /* secret key configured on the server */
set system tacplus-server tac-serv-ip source-address "source-interface-ip-on-srx"
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus
set system login user remote full-name "Tacacs+ template for remote access"
set system login user remote class super-user
### Do create fall-back user(s) locally on the SRX for events when the TACACS server isn't accessible ###

Thanks and Regards

Anim Saxena

*Rate helpful posts*

Peter Long
Level 1

I know this is an old post, but I've been struggling with this recently and now I've got it cracked. Here's how to set it up.

JunOS - Using TACACS+ With Cisco ACS


Pete
