We're using Cisco ACS 4.0 to "AAA" our users on both Cisco routers and switches and Juniper devices. TACACS+ is working fine so far, but is causing some trouble with the configuration for Juniper devices.
To use TACACS+ with Juniper devices we made the following changes:
In "System Configuration" -> "TACACS+ (Cisco IOS)" we add a "New Service" in user and group called "junos-exec". We set the following attribute on "junos-exec" by editing the new service in group settings under "TACACS+ Settings":
allow-commands=(show route protocol direct)|(show in.)|ping|exit|quit|(show arp)|(show ve.)|(show ch.)|(show system up.)
This works fine.
But if we add more commands to "allow-commands" the character-limit seems to be reached.
The TCS log (<prog-path>\CiscoSecure ACS v4.0\CSTacacs\Logs) shows:
TCS 18/12/2006 15:42:49 I 0040 0216 arg size=28 =local-user-name=read-network
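An added example, not from the original post and not Cisco's or Juniper's code, that reproduces the "arg size" figure from the log line above and checks an allow-commands value against the TACACS+ per-argument limit. It assumes the TACACS+ authorization packet layout of RFC 8907, in which every argument's length is carried in a single octet, so one attribute=value pair cannot exceed 255 bytes; whether ACS 4.0 imposes a lower limit of its own is not established here. The compaction helper merges alternatives that share a leading word ("show ...") into one group, which shortens the value; that the Junos regex matcher treats the grouped form identically is an assumption to verify on the device.

```python
"""Size-check and compact a TACACS+ allow-commands value for Junos.

Added example, not from the original post. Assumes RFC 8907 framing:
each argument's length is a one-octet field, so an "attribute=value"
argument carries at most 255 bytes.
"""
import re

ARG_MAX = 255  # one-octet arg_N_len field in the TACACS+ authorization packet (RFC 8907)

# Values taken from the post above (the logged argument and the working allow-commands).
LOG_ARG_ATTR, LOG_ARG_VALUE = "local-user-name", "read-network"
ALLOW_COMMANDS = [
    "(show route protocol direct)", "(show in.)", "ping", "exit", "quit",
    "(show arp)", "(show ve.)", "(show ch.)", "(show system up.)",
]

# Constructed sample command lines used to compare the two regex forms.
SAMPLES = [
    "show arp", "show ver", "show int", "show route protocol direct",
    "show system upt", "ping", "quit", "exit",
    "show chassis", "show arpx", "configure", "show route",
]


def arg_size(attribute: str, value: str) -> int:
    """Byte length of one TACACS+ argument as ACS logs it ("arg size=N")."""
    return len(f"{attribute}={value}".encode("ascii"))


def fits(attribute: str, value: str, limit: int = ARG_MAX) -> bool:
    """True if the attribute=value pair fits in a single TACACS+ argument."""
    return arg_size(attribute, value) <= limit


def compact_show_alternatives(alternatives):
    """Merge alternatives sharing a leading word into one group.

    "(show arp)|(show ve.)" becomes "show (arp|ve.)"; alternatives without a
    space (ping, exit, quit) are appended unchanged.
    """
    groups = {}   # leading word -> list of remainders, in input order
    singles = []  # single-word alternatives
    for alt in alternatives:
        body = alt[1:-1] if alt.startswith("(") and alt.endswith(")") else alt
        head, sep, rest = body.partition(" ")
        if sep:
            groups.setdefault(head, []).append(rest)
        else:
            singles.append(body)
    parts = [f"{head} ({'|'.join(rests)})" for head, rests in groups.items()]
    return "|".join(parts + singles)


def equivalent(original_alts, compact, samples):
    """True if every sample matches (or fails) both regexes identically."""
    original = "|".join(original_alts)
    return all(
        bool(re.fullmatch(original, s)) == bool(re.fullmatch(compact, s))
        for s in samples
    )


if __name__ == "__main__":
    print("logged arg size:", arg_size(LOG_ARG_ATTR, LOG_ARG_VALUE))
    full = "|".join(ALLOW_COMMANDS)
    print("allow-commands size:", arg_size("allow-commands", full),
          "fits" if fits("allow-commands", full) else "TOO LONG")
    compact = compact_show_alternatives(ALLOW_COMMANDS)
    print("compact form:", compact)
    print("compact size:", arg_size("allow-commands", compact),
          "equivalent on samples:", equivalent(ALLOW_COMMANDS, compact, SAMPLES))
```

Running it with the posted values reports the same 28 bytes that the TCS log shows for `local-user-name=read-network`, so `arg size` is simply the length of the attribute=value string; adding commands to allow-commands grows that one argument, which is the quantity to watch. Any compacted regex should be tested against the device's own command set before being pushed to the group.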