I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma. I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
Configure the Juniper (CLI)
1. Add the Cisco ACS and TACACS+ configuration
set auth-server CiscoACSv5 id 1 set auth-server CiscoACSv5 server-name 192.168.1.100 set auth-server CiscoACSv5 account-type admin set auth-server CiscoACSv5 type tacacs set auth-server CiscoACSv5 tacacs secret CiscoACSv5 set auth-server CiscoACSv5 tacacs port 49 set admin auth server CiscoACSv5 set admin auth remote primary set admin auth remote root set admin privilege get-external
Configure the Cisco ACS v5.x (GUI) 1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles Create the Juniper Shell Profile. Click the [Create] button at the bottom of the page Select the General tab Name: Juniper Description: Custom Attributes for Juniper SSG320M Select the Custom Attributes tab
Add the vsys attribute: Attribute: vsys Requirement: Manadatory Value: root Click the [Add^] button above the Attribute field
Note: you can also use 'read-write' but then local admin doesn't work correctly Click the [Add^] button above the Attribute field Click the [Submit] button at the bottom of the page
2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization Create the Juniper Authorization Policy and filter by Device IP Address. Click the [Customize] button at the bottom Right of the page Under Customize Conditions, select Device IP Address from the left window Click the [>] button to add it Click the [OK] button to close the window
Click the [Create] button at the bottom of the page to create a new rule Under General, name the new rule Juniper, and ensure it is Enabled Under Conditions, check the box next to Device IP Address Enter the ip address of the Juniper (192.168.1.100) Under Results, click the [Select] button next to the Shell Profile field Select 'Juniper' and click the [OK] button Under Results, click the [Select] button below the Command Sets (if used) field Select 'Permit All' and ensure all other boxes are UNCHECKED Click the [OK] button to close the window Click the [OK] button at the bottom of the page to close the window Check the box next to the Juniper policy, then move the policy to the top of the list Click the [Save Changes] button at the bottom of the page
3. Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :