Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

TACACS+ authentication and authorization were passed on ACS 5.3, but entering the username and password on the security device (Juniper SSG5) gives "Access denied". Attached is the TACACS+ config.

set auth-server TACACS+ id 1
set auth-server TACACS+ server-name 10.10.xx.yy
set auth-server TACACS+ account-type admin
set auth-server TACACS+ type tacacs
set auth-server TACACS+ tacacs secret xxxx
set auth-server TACACS+ tacacs port 49
set admin auth server TACACS+
set admin auth remote primary
set admin auth remote root
set admin privilege get-external

Please advise.

Jatin Katyal
Cisco Employee

Could you please post the screen shot of attributes you've defined under:

Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Edit the profile > Custom Attributes

Also, you may go through this:

https://supportforums.cisco.com/message/3954494#3954494

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

By the way, the link:

https://supportforums.cisco.com/message/3954494#3954494

is for SRX, not ScreenOS.

Below is a screenshot of authentication and authorization on ACS:

Any updates, ideas...

Since ACS shows passed authentication and authorization, we should now look at the packet capture to see the TACACS+ query and response to further investigate this issue. I worked with a CSC member a few weeks ago where we found that the Juniper, in the authorization QUERY, was only sending Arg[0] value: service=shell and didn't send the "cmd=" arg. This is a known issue with Juniper devices, so we ended up upgrading the device to WX OS 5.7.7 (WXC-3400). You may want to look at the same discussion: https://supportforums.cisco.com/thread/2215574

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

I went through https://supportforums.cisco.com/thread/2215574, which is for the WXC-3400 WAN optimization device. The Juniper device I am using is an SSG5 firewall, firmware version 6.2.0r5.0, which supports T+. As per the link, should I upgrade the existing IOS, or is there a solution?

Can you first provide the packet capture b/w the Juniper and ACS (along with the TACACS+ key)?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
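As an added example (not code from any poster in this thread), here is the kind of check one would run on the capture Jatin asks for: it de-obfuscates a TACACS+ packet body with the shared secret using the RFC 8907 MD5 pseudo-pad, parses the authorization REQUEST, and reports whether the device sent a cmd= argument next to service=shell. The key, session id, user name and packets are constructed samples, not values from this thread.

```python
"""Decode a TACACS+ (RFC 8907) authorization REQUEST and check for a "cmd=" argument."""
import hashlib
import struct
HDR = ">BBBBII"  # version, type, seq_no, flags, session_id, body length
TAC_PLUS_AUTHOR, TAC_PLUS_UNENCRYPTED_FLAG = 2, 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    # RFC 8907 section 4.5: MD5 chain over session_id, key, version, seq_no, previous digest
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack(">I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(header, body, key):
    # XOR with the pad is its own inverse: the same call obfuscates and de-obfuscates
    version, _, seq_no, flags, session_id, length = struct.unpack(HDR, header)
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))

def build_author_request(user, args, priv_lvl=1, port="tty0", rem_addr="192.0.2.10"):
    # authen_method=TACACSPLUS(6), authen_type=ASCII(1), authen_service=LOGIN(1)
    fields = [user.encode(), port.encode(), rem_addr.encode()]
    arg_bs = [a.encode() for a in args]
    body = struct.pack(">8B", 6, priv_lvl, 1, 1, *(len(f) for f in fields), len(arg_bs))
    return body + bytes(len(a) for a in arg_bs) + b"".join(fields) + b"".join(arg_bs)

def build_packet(body, key, session_id=0x1234ABCD, seq_no=1):
    header = struct.pack(HDR, 0xC0, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + xor_body(header, body, key)

def inspect_author_request(packet, key):
    header, body = packet[:12], packet[12:]
    body = xor_body(header, body, key)
    _, priv_lvl, _, _, user_len, port_len, addr_len, arg_cnt = struct.unpack(">8B", body[:8])
    arg_lens, off = body[8:8 + arg_cnt], 8 + arg_cnt
    user = body[off:off + user_len].decode()
    off += user_len + port_len + addr_len  # skip port and rem_addr
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    # For service=shell, RFC 8907 requires a "cmd" argument ("=" mandatory, "*" optional separator)
    has_cmd = any(a.startswith(("cmd=", "cmd*")) for a in args)
    return {"user": user, "priv_lvl": priv_lvl, "args": args, "has_cmd_arg": has_cmd}

if __name__ == "__main__":
    key = b"constructed-shared-secret"  # placeholder, not a real key
    print(inspect_author_request(build_packet(build_author_request("admin", ["service=shell"]), key), key))
```

On a real capture, feed the 12-byte header plus body of the REQUEST (TCP port 49) and the device's shared secret; a result with has_cmd_arg False matches the Juniper behaviour described above.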

Please find below:

Any updates!!!

Could you please attach the pcap file with the TACACS+ shared secret key?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Please find below:

We too, have Juniper firewalls running ScreenOS.

In our ACS Shell Profile, the Privilege value is set to "root" instead of "read-write", which seems to work for us.

Perhaps you can give that a try?

I tried the same, but it does not work. However, I upgraded the firewall firmware today to the latest version, and nothing changed. I would appreciate it if you could share your firewall + ACS configurations with me.

You can send me the packet capture file, the TACACS+ key that you have defined on the Juniper and ACS, and the IP addresses in private.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin