TACACS+ Authentication on Juniper ScreenOS using ACS 5.3

Answered Question
Jun 30th, 2013

TACACS+ authentication and authorization passed on ACS 5.3, but entering the username and password on the security device (Juniper SSG5) gives "Access denied". Attached is the TACACS+ config.


set auth-server TACACS+ id 1
set auth-server TACACS+ server-name 10.10.xx.yy
set auth-server TACACS+ account-type admin
set auth-server TACACS+ type tacacs
set auth-server TACACS+ tacacs secret xxxx
set auth-server TACACS+ tacacs port 49
set admin auth server TACACS+
set admin auth remote primary
set admin auth remote root
set admin privilege get-external


Please advise.

Jatin Katyal (Cisco Employee) Sun, 06/30/2013 - 06:06

Could you please post a screenshot of the attributes you've defined under:

Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Edit the profile > Custom Attributes


Also, you may go through this:

https://supportforums.cisco.com/message/3954494#3954494


~BR
Jatin Katyal

**Do rate helpful posts**

ccie29592 Mon, 07/01/2013 - 01:01

Below is a screenshot of authentication and authorization on ACS:


Jatin Katyal (Cisco Employee) Tue, 07/02/2013 - 02:16

Since ACS shows passed authentication and authorization, we should now look at the packet capture to see the TACACS+ query and response to investigate this issue further. I worked with a CSC member a few weeks ago where we found that the Juniper, in the authorization QUERY, was only sending the Arg[0] value service=shell and didn't send the "cmd=" arg. This is a known issue with Juniper devices, so we ended up upgrading the device to WX OS 5.7.7 (WXC-3400). You may want to look at the same discussion: https://supportforums.cisco.com/thread/2215574


Jatin Katyal (Cisco Employee) Tue, 07/02/2013 - 07:49

Can you first provide a packet capture between the Juniper and ACS (along with the TACACS+ key)?




Jatin Katyal (Cisco Employee) Thu, 07/04/2013 - 04:21

Could you please attach the pcap file along with the TACACS+ shared secret key?




huangedmc Thu, 07/04/2013 - 08:25

We, too, have Juniper firewalls running ScreenOS.

In our ACS Shell Profile, the Privilege value is set to "root" instead of "read-write", which seems to work for us.

Perhaps you can give that a try?

ccie29592 Thu, 07/04/2013 - 12:30

I tried the same, but it does not work. However, I upgraded the firewall firmware today to the latest version, and nothing changed. I would appreciate it if you could share your firewall + ACS configurations with me.

Jatin Katyal (Cisco Employee) Thu, 07/04/2013 - 13:12

You can send me the packet capture file, the TACACS+ key you have defined on the Juniper and ACS, and the IP addresses in private.




ccie29592 Thu, 07/04/2013 - 13:24

The packet capture is already attached. I am using the same key on ACS and the firewall; firewall IP: 10.10.218.17, ACS IP: 10.10.36.37.

huangedmc Mon, 07/08/2013 - 09:45

Here's our ScreenOS config:

set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "tacacs1_2" id 1
set auth-server "tacacs1_2" server-name "172.19.x.y"
set auth-server "tacacs1_2" account-type admin
set auth-server "tacacs1_2" timeout 0
set auth-server "tacacs1_2" fail-over revert-interval 1
set auth-server "tacacs1_2" type tacacs
set auth-server "tacacs1_2" tacacs secret "removed"
set auth-server "tacacs1_2" tacacs port 49
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "removed"
set admin password "removed"
set admin access lock-on-failure 30
set admin auth web timeout 10
set admin auth server "tacacs1_2"
set admin auth banner telnet login "*** ACCESS IS RESTRICTED TO AUTHORIZED EDMC PERSONNEL ONLY ***"
set admin auth banner console login "*** ACCESS IS RESTRICTED TO AUTHORIZED EDMC PERSONNEL ONLY ***"
set admin auth remote root
set admin privilege get-external
set admin format dos

=============================

Not sure how to share our ACS config, but under Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles we have all the "Common Tasks" set to "Not in use", and "Custom Attributes" are set to:

vsys, mandatory, root

privilege, mandatory, root
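
Added example (editor-supplied; not code posted by anyone in this thread, nor anything shipped by Cisco or Juniper) showing why the capture was requested together with the shared secret, and what a working reply of the kind described in the post above looks like on the wire. The TACACS+ packet body is not encrypted but XORed with an MD5 keystream derived from the session ID, the shared secret, the version byte and the sequence number, so without the key a pcap shows only headers. The script builds a constructed authorization exchange in the shape this thread describes: the device's REQUEST carrying only service=shell with no cmd= argument, and a PASS_ADD REPLY carrying the privilege=root and vsys=root attributes of the working ACS shell profile. It obfuscates both with the placeholder secret xxxx from the posted config and decodes them again. The username admin1, the session ID, the port name and the key are made-up values; whether ScreenOS accepts a particular privilege value is not decided here, the code only reports what the reply carries.

```python
"""Added example: build, obfuscate and decode a TACACS+ authorization exchange (RFC 8907 framing).
Every value here is constructed for illustration; nothing comes from the thread's capture."""
import hashlib
import re
import struct

TAC_PLUS_VERSION = 0xC0                # major 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02                 # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, body length
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(same seed | MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """12-byte header plus the body XORed with the keystream (flags=0 means obfuscated)."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))

def open_packet(packet: bytes, key: bytes) -> bytes:
    """Recover the cleartext body. XOR is self-inverse, so the same routine decodes; there is no
    integrity check, so a wrong key yields garbage rather than an error."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:  # body on the wire in the clear; should never be seen
        return body
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))

def author_request_body(user: str, args: list[str], port: str = "console", rem_addr: str = "") -> bytes:
    """REQUEST: authen_method=TACACSPLUS(6), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1)."""
    u, p, r, a = user.encode(), port.encode(), rem_addr.encode(), [x.encode() for x in args]
    fixed = struct.pack("!8B", 0x06, 1, 0x01, 0x01, len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)

def author_reply_body(status: int, args: list[str], server_msg: str = "") -> bytes:
    """REPLY: status, arg_cnt, server_msg_len, data_len, arg lengths, server_msg, data, args."""
    a, m = [x.encode() for x in args], server_msg.encode()
    return struct.pack("!BBHH", status, len(a), len(m), 0) + bytes(len(x) for x in a) + m + b"".join(a)

def _fields(body: bytes, off: int, lens: list[int]) -> tuple[list[str], int]:
    """Pull consecutive ASCII fields of the given lengths starting at off."""
    out = []
    for n in lens:
        out.append(body[off:off + n].decode("ascii"))
        off += n
    return out, off

def parse_author_request(body: bytes) -> dict:
    _m, priv, _t, _s, ul, pl, rl, argc = struct.unpack("!8B", body[:8])
    arg_lens = list(body[8:8 + argc])
    (user, port, rem_addr), off = _fields(body, 8 + argc, [ul, pl, rl])
    args, off = _fields(body, off, arg_lens)
    if off != len(body):
        raise ValueError("length fields do not add up: wrong key or corrupt body")
    return {"user": user, "port": port, "rem_addr": rem_addr, "priv_lvl": priv, "args": args}

def parse_author_reply(body: bytes) -> dict:
    status, argc, ml, dl = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + argc])
    (server_msg,), off = _fields(body, 6 + argc, [ml])
    args, off = _fields(body, off + dl, arg_lens)  # skip the opaque 'data' field
    if off != len(body):
        raise ValueError("length fields do not add up: wrong key or corrupt body")
    return {"status": AUTHOR_STATUS.get(status, hex(status)), "server_msg": server_msg, "args": args}

def av_pairs(args: list[str]) -> dict:
    """'attr=value' is mandatory, 'attr*value' optional; returns {attr: (value, mandatory)}."""
    out = {}
    for arg in args:
        m = re.match(r"([^=*]+)([=*])(.*)", arg)
        if m:
            out[m.group(1)] = (m.group(3), m.group(2) == "=")
    return out

def demo(key: bytes = b"xxxx") -> dict:
    """Exchange in the shape this thread describes: the device sends only service=shell (no cmd=),
    the server answers PASS_ADD with privilege=root and vsys=root. 'xxxx' is the placeholder secret
    from the posted config; the user name and session ID are made up."""
    sid = 0x1234ABCD
    req = build_packet(TAC_PLUS_AUTHOR, 1, sid, author_request_body("admin1", ["service=shell"]), key)
    rep = build_packet(TAC_PLUS_AUTHOR, 2, sid, author_reply_body(0x01, ["privilege=root", "vsys=root"]), key)
    request, reply = parse_author_request(open_packet(req, key)), parse_author_reply(open_packet(rep, key))
    return {"request": request, "reply": reply, "reply_avs": av_pairs(reply["args"]), "wire": (req, rep)}

if __name__ == "__main__":
    d = demo()
    print("REQUEST", d["request"])
    print("REPLY  ", d["reply"], d["reply_avs"])
```

Two practical points follow from the code. First, the obfuscation carries no integrity check: decoding with the wrong key does not fail cleanly, it produces a body whose length fields no longer add up, which is the same thing you see in Wireshark when its TACACS+ dissector has not been given the secret under its protocol preferences. Second, a capture of the whole login also contains the authentication exchange, whose packets carry the password under the same keystream, so pcap and key together should only ever travel over a private channel, as the request above for them "in private" already implies.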

Correct Answer
Jatin Katyal (Cisco Employee) Thu, 07/04/2013 - 13:28

I guess you have posted a screenshot. I am looking forward to having a file that can be downloaded for analysis.




ccie29592 Thu, 07/04/2013 - 13:34

There is no option to attach a .pcap file, so I tried to post the screenshot.

Jatin Katyal (Cisco Employee) Thu, 07/04/2013 - 13:40

When you hit reply next time, you'll see an option "Advanced editor"; click on that, and at the bottom you will then see an option to browse and attach a file.



Jatin Katyal (Cisco Employee) Sat, 07/06/2013 - 23:54

Tacacs shared secret key?




Jatin Katyal (Cisco Employee) Sun, 07/07/2013 - 07:03

Where exactly did you take the captures? I don't see any packets destined to ACS. You may SPAN the switch port where the Juniper firewall is connected.




ccie29592 Sun, 07/07/2013 - 07:42

I connected remotely to the Juniper firewall and captured using Wireshark from my office PC.

ccie29592 Sun, 07/07/2013 - 22:56

Is this way of capturing the packets right or not? Please advise.

Jatin Katyal (Cisco Employee) Sun, 07/07/2013 - 23:06

No, you need to apply SPAN on the switch port where the Juniper firewall interface is connected in order to capture the traffic, unless there is a built-in feature in the Juniper to take a tcpdump.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml


We can also take captures from ACS; however, that needs root access to the Linux bash shell. The one taken from the ACS CLI doesn't provide much info.


In case this issue is urgent and you need a quick fix, I'd suggest a TAC case; otherwise we can troubleshoot here.



ccie29592 Mon, 07/08/2013 - 05:30

I have root access to the ACS. I can capture from the ACS; even if this way doesn't provide much info, it can lead to a solution. Please send me the steps to take this capture.

ccie29592 Mon, 07/08/2013 - 07:45

When I try to configure the monitor session command on the C6509 switch I get the error message "% local session limit has been exceeded". How do I resolve this?

huangedmc Mon, 07/08/2013 - 09:48

You can have a maximum of 2 SPAN sessions per Cisco device.

You'll need to remove one of the existing sessions to set up a new one.
