Anonymous
N/A

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

TACACS+ authentication and authorization pass on ACS 5.3, but entering the username and password on the security device (Juniper SSG5) gives Access denied. Attached is the TACACS+ config.

set auth-server TACACS+ id 1
set auth-server TACACS+ server-name 10.10.xx.yy
set auth-server TACACS+ account-type admin
set auth-server TACACS+ type tacacs
set auth-server TACACS+ tacacs secret xxxx
set auth-server TACACS+ tacacs port 49
set admin auth server TACACS+
set admin auth remote primary
set admin auth remote root
set admin privilege get-external

Please advise.

29 REPLIES
Cisco Employee

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Could you please post the screen shot of attributes you've defined under:

Policy Elements  > Authorization and Permissions  > Device  Administration > Shell Profiles > Edit the profile >  custom attributes

Also, you may go through this:

https://supportforums.cisco.com/message/3954494#3954494

~BR
Jatin Katyal

**Do rate helpful posts**

Anonymous
N/A

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

By the way link:

https://supportforums.cisco.com/message/3954494#3954494

For SRX not Screen OS.

Anonymous
N/A

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Below screen shot for Authentication and Authorization on ACS:

Anonymous
N/A

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Any updates, ideas...

Cisco Employee

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Since ACS shows passed authentication and authorization, we should now look at the packet capture to see the TACACS+ Query and Response to investigate this issue further. I worked with a CSC member a few weeks ago where we found that the Juniper, in the authorization QUERY, was only sending Arg[0] value: service=shell and didn't send the "cmd=" arg. This is a known issue with Juniper devices, so we ended up upgrading the device to WX OS 5.7.7 (WXC-3400). You may want to look at the same discussion: https://supportforums.cisco.com/thread/2215574

~BR
Jatin Katyal

**Do rate helpful posts**

Anonymous
N/A

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

I went through https://supportforums.cisco.com/thread/2215574, which is for the WXC-3400 WAN optimization device. The Juniper device I am using is an SSG5 firewall, Firmware Version 6.2.0r5.0, which supports T+. As per the link, should I upgrade the existing IOS, or is there a solution?

Cisco Employee

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Can you first provide the packet capture between the Juniper and ACS (along with the TACACS+ key)?

~BR
Jatin Katyal

**Do rate helpful posts**

Anonymous
N/A

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Please find below:

Anonymous
N/A

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Any updates !!!

Cisco Employee

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Could you please attach the pcap file with the TACACS+ shared secret key?

~BR
Jatin Katyal

**Do rate helpful posts**

Anonymous
N/A

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Please find below:

Community Member

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

We too, have Juniper firewalls running ScreenOS.

In our ACS Shell Profile, the Privilege value is set to "root" instead of "read-write", which seems to work for us.

Perhaps you can give that a try?

Anonymous
N/A

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

I tried the same, but it does not work; however, I upgraded the firewall firmware today to the latest version, and nothing changed. I would appreciate it if you shared your firewall and ACS configurations with me.

Cisco Employee

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

You can send me the packet capture file, the TACACS+ key that you have defined on the Juniper and ACS, and the IP address in private.

~BR
Jatin Katyal

**Do rate helpful posts**

Anonymous
N/A

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Packet capture is already attached. I am using the same key in ACS and the firewall; the firewall IP is 10.10.218.17, the ACS IP is 10.10.36.37.

Cisco Employee

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

I guess you have posted a screenshot. I am looking forward to having the file that can be downloaded for analysis.

~BR
Jatin Katyal

**Do rate helpful posts**

Anonymous
N/A

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

There is no option to attach a .pcap file, so I tried to post the screenshot.

Cisco Employee

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

When you hit reply next time, you'll see an option "advanced editor"; click on that, and at the bottom you will then see an option to browse and attach a file.

~BR

Jatin Katyal

**Do rate helpful posts**

Anonymous
N/A

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Please find attached pcap file.

Cisco Employee

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Tacacs shared secret key?

~BR
Jatin Katyal

**Do rate helpful posts**

Anonymous
N/A

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Tacacs shared secret key is bsfkey9

Cisco Employee

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Where exactly did you take the captures? I don't see any packets destined to ACS. You may SPAN the switch port where the Juniper firewall is connected.

~BR
Jatin Katyal

**Do rate helpful posts**

Anonymous
N/A

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

I connected remotely to the Juniper firewall and captured using the Wireshark software from my office PC.

Anonymous
N/A

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Is this way of capturing the packets right or not? Please advise.

Cisco Employee

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

No, you need to apply SPAN on the switch port where the Juniper firewall interface is connected to the switch in order to capture the traffic, unless there is an inbuilt feature in Juniper to take a tcpdump.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

We can also take captures from the ACS; however, that needs root access to the Linux bash shell. The one taken from the ACS CLI doesn't provide much info.

In case this issue is urgent and you need a quick fix, I'd suggest a TAC case; else we can troubleshoot here.

~BR
Jatin Katyal

**Do rate helpful posts**

Anonymous
N/A

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

I have root access for the ACS; I can capture from the ACS even if this way doesn't provide much info, but it can lead to a solution. Please send me the steps to use this capture.

Anonymous
N/A

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

When I try to configure the monitor session command on a C6509 switch, I get the error message: % local session limit has been exceeded. How do I resolve this?

Community Member

Re: Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

You can have max. of 2 SPAN sessions per Cisco device.

You'll need to remove one of the existing sessions to set up a new one.

Community Member

Tacacs+ Authentication on Juniper Screen OS using ACS 5.3

Here's our ScreenOS config:

set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "tacacs1_2" id 1
set auth-server "tacacs1_2" server-name "172.19.x.y"
set auth-server "tacacs1_2" account-type admin
set auth-server "tacacs1_2" timeout 0
set auth-server "tacacs1_2" fail-over revert-interval 1
set auth-server "tacacs1_2" type tacacs
set auth-server "tacacs1_2" tacacs secret "removed"
set auth-server "tacacs1_2" tacacs port 49
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "removed"
set admin password "removed"
set admin access lock-on-failure 30
set admin auth web timeout 10
set admin auth server "tacacs1_2"
set admin auth banner telnet login "*** ACCESS IS RESTRICTED TO AUTHORIZED EDMC PERSONNEL ONLY ***"
set admin auth banner console login "*** ACCESS IS RESTRICTED TO AUTHORIZED EDMC PERSONNEL ONLY ***"
set admin auth remote root
set admin privilege get-external
set admin format dos

=============================

Not sure how to share our ACS config, but under Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, we have all the "Common Tasks" set to "not in use", and "Custom Attributes" are set to:

vsys, mandatory, root

privilege, mandatory, root
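An added example, written for this thread and not taken from Cisco, Juniper or ACS code, showing how to decode the TACACS+ authorization QUERY and REPLY bodies that Jatin asked to see in the packet capture, and how to check the two things the thread turns on: whether the firewall's request carries a cmd argument alongside service=shell (the missing-cmd behaviour described earlier), and which privilege/vsys attributes the ACS shell profile returns (the custom attributes shown just above). Every packet, the shared key b"example-key", the session id, the port and the remote address are constructed here; the body obfuscation is the RFC 8907 MD5 pseudo-pad, so with the real shared secret the same parse_packet call would de-obfuscate a body copied out of a capture.

```python
"""Decode TACACS+ authorization REQUEST/REPLY packets (RFC 8907 framing)
and check the attribute-value pairs an ACS shell-profile exchange needs.
All packets below are constructed in-line; nothing is read from a pcap."""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02            # header "type" for authorization packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_{n-1}), concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def parse_packet(raw, key):
    """Split the 12-byte header from the body and de-obfuscate with the shared secret."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    body = raw[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def parse_authz_request(body):
    """REQUEST: 8 fixed bytes, one length byte per arg, then user/port/rem_addr/args."""
    (_method, priv_lvl, _atype, _aservice,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!8B", body[:8])
    pos = 8
    arg_lens = list(body[pos:pos + arg_cnt]); pos += arg_cnt
    fields = []
    for n in (user_len, port_len, rem_len, *arg_lens):
        fields.append(body[pos:pos + n].decode()); pos += n
    return {"priv_lvl": priv_lvl, "user": fields[0], "port": fields[1],
            "rem_addr": fields[2], "args": fields[3:]}


def parse_authz_reply(body):
    """REPLY: status, arg_cnt, server_msg_len, data_len, arg lengths, then strings."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6
    arg_lens = list(body[pos:pos + arg_cnt]); pos += arg_cnt
    server_msg = body[pos:pos + msg_len].decode(); pos += msg_len + data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode()); pos += n
    return {"status": status, "server_msg": server_msg, "args": args}


def split_avpairs(args):
    """'attr=value' is mandatory, 'attr*value' optional; returns attr -> (value, mandatory)."""
    pairs = {}
    for a in args:
        i = next((i for i, c in enumerate(a) if c in "=*"), None)
        if i is not None:
            pairs[a[:i]] = (a[i + 1:], a[i] == "=")
    return pairs


def check_shell_request(args):
    """The two things to look for in the firewall's authorization QUERY."""
    pairs = split_avpairs(args)
    findings = []
    if pairs.get("service", ("", False))[0] != "shell":
        findings.append("no service=shell argument")
    if "cmd" not in pairs:
        findings.append("cmd argument absent")
    return findings


def build_authz_request(session_id, key, user, args, seq_no=1, version=0xC0):
    """Constructed NAS-side REQUEST (authen_method TACACSPLUS, priv 1, ASCII, LOGIN)."""
    strings = [s.encode() for s in (user, "tty0", "10.0.0.5", *args)]  # constructed port/rem_addr
    body = struct.pack("!8B", 0x06, 1, 0x01, 0x01, *[len(s) for s in strings[:3]], len(args))
    body += bytes(len(s) for s in strings[3:]) + b"".join(strings)
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def build_authz_reply(session_id, key, status, args, seq_no=2, version=0xC0):
    """Constructed server-side REPLY (status 0x01 = PASS_ADD, no server_msg/data)."""
    strings = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(strings), 0, 0)
    body += bytes(len(s) for s in strings) + b"".join(strings)
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def demo(key=b"example-key"):
    """Round-trip a QUERY that carries only service=shell and a REPLY with the ACS attributes."""
    sid = 0x1234ABCD  # constructed session id
    req = parse_authz_request(parse_packet(build_authz_request(sid, key, "admin1", ["service=shell"]), key)["body"])
    rep = parse_authz_reply(parse_packet(build_authz_reply(sid, key, 0x01, ["privilege=root", "vsys=root"]), key)["body"])
    return {"request_findings": check_shell_request(req["args"]),
            "reply_attrs": {k: v[0] for k, v in split_avpairs(rep["args"]).items()}}


if __name__ == "__main__":
    print(demo())
```

With a real capture, feed parse_packet the bytes of one TACACS+ TCP payload and the shared secret; a wrong secret shows up as a body whose length bytes no longer agree with the arg counts, which is the quickest sanity check that the key on the firewall and on ACS actually match.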
