New Member

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+ Authentication

Hi,

I am trying to add custom attributes for Juniper Netscreen TACACS+ authentication to a v5.2 ACS. The advice is to add it to the group as follows:

service = netscreen {
    vsys = root
    privilege = read-write
}

I know how to add this to a version v4.x ACS

v4.x ACS.JPG

However, I do not know how to apply this to the custom attributes on a v5.x ACS

v5.x ACS.JPG

Do I add the vsys and privilege attributes separately or together? What should the attribute name be? netscreen? Should it be mandatory?

Any advice please


7 REPLIES
New Member

Re: ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TAC

Good question, I'd like to know this as well for the netscreens. For junos, this is how I tried to do it (you would drop the "netscreen" from yours, but not sure if you would add both as mandatory)

ACS 4.x setup (custom attributes):

junos-exec
  local-user-name=readonly

ACS 5.2 setup (shell profile custom attribute):

attribute - local-user-name
value - readonly
mandatory

# junos config (system hierarchy, excerpt)
    login {
        class admin {
            idle-timeout 30;
            permissions all;
        }
        class read-only {
            idle-timeout 30;
            permissions [ view view-configuration ];
        }
        user admin {
            class admin;
        }
        user readonly {
            class read-only;
        }
    }

The problem I have, though, is that this fixes my login to my JunOS devices but breaks authentication to my Cisco IOS devices. The AAA logs show that the authentication succeeded, but the router says "authorization failed". Once I remove the attribute from my shell profile, or make it optional, the Cisco router works for auth, but the JunOS device stops working (the username it tries to use is "remote" instead of the user I am trying to authenticate with).

New Member

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

Making different device groups and shell profiles mapped to different authorization profiles fixed my problem BTW.

Here is the setup I did for Juniper. I will try the netscreen one (last picture) later today/tomorrow

New Member

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

Bingo! Thank you very much, Justin. I still had the privilege levels set to 15, but when I removed them and kept the new attributes it logged in fine.

New Member

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

Hi, I was looking for some help on configuring a Juniper FW on my Cisco ACS v4.0 and I found you guys. Can you tell me which would be the best way to do that, or where I can find good documentation about it?

Thanks.

New Member

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

Has anyone managed to find out why the cisco devices fail authorization when the mandatory custom attribute is enabled?

Justin said

"The problem I have though, is this fixes my login to work to my JunOS devices, but it breaks the authentication to my Cisco IOS devices. The AAA logs show that the authentication succeeded, but the router says "authorization failed". Once I remove either the attribute from my shell profile, or make it optional then the Cisco router works for auth, but the JunOS device stops working (The username it tries to use is "remote" instead of the user I am trying to authenticate with)."

I am currently having the same issue with ACS5.4.

Thanks,

Craig

New Member

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

I was able to make it work using different device groups and shell profiles instead of trying to combine multiple together.

Is your issue with IOS devices or NXOS devices (role-based auth)?

Justin

New Member

ACS 5.2 - Adding Custom Attributes for Juniper Netscreen TACACS+

Thanks Justin,

I was hoping to use just one shell profile for both device groups. We have it working with separate profiles, but it would be less overhead with one!

I haven't tried NXOS yet, but I imagine it will be a similar story.

Craig
