Tuesday 9 June 2020

Tacacs (Authentication and Accounting) Configuration in Juniper


Tacacs/AAA/ISE Server: 192.168.10.222
Tacacs Password: tacpassword1
Router's Management IP: 192.168.0.4 (under mgmt_junos routing instance)

Assumption: an existing local account already exists, e.g. "user1":
set system login user user1 class super-user
set system login user user1 authentication plain-text-password
(enter the password at the prompt)

1. Configure the TACACS+ server
set system tacplus-server 192.168.10.222 routing-instance mgmt_junos 
set system tacplus-server 192.168.10.222 secret tacpassword1
set system tacplus-server 192.168.10.222 single-connection
set system tacplus-server 192.168.10.222 source-address 192.168.0.4

2. Configure the authentication order (TACACS+ is tried first; if it cannot authenticate the user, the router falls back to the local password database, i.e. the local account user1)
set system authentication-order tacplus
set system authentication-order password

3. Configure accounting:
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus server 192.168.10.222 secret tacpassword1
set system accounting destination tacplus server 192.168.10.222 single-connection
set system accounting destination tacplus server 192.168.10.222 source-address 192.168.0.4


Optional (firewall filter settings)

Note: the policer below is only effective if it is referenced by the term, so the "then policer" line is included. The filter IPv4-FIREWALL is assumed to be applied as an input filter on lo0 and to contain further terms for other management traffic; a Junos filter ends with an implicit discard.

set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from source-prefix-list TACACS-SERVERS
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from protocol tcp
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from source-port tacacs
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then policer tacacs-policer
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then count TACACS-PERMIT
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then accept
set firewall policer tacacs-policer if-exceeding bandwidth-limit 1m
set firewall policer tacacs-policer if-exceeding burst-size-limit 10k
set firewall policer tacacs-policer then discard

set policy-options prefix-list TACACS-SERVERS apply-path "system tacplus-server <*>"
set policy-options prefix-list TACACS-SERVERS 192.168.10.222/32


Note:
If you receive the message below, do the following to fix it.
Sample log:
Sep  6 10:30:01.044 2020  SRX1-re0 sshd[5580]: %AUTH-3: User remote is authenticated successfully but no logical login-id configured.

This also means you do not have to configure a local account for every TACACS+ user.
FIX:
Create a template user account that has no password but whose class matches what your TACACS+ profile grants (e.g. super-user). The account name must be the one the TACACS+ server returns as local-user-name for the user, or "remote" (the name in the log above) when the server returns none.

Configure:
set system login class super-user idle-timeout 10
set system login class super-user permissions all
set system login user user101 class super-user
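As an added example (not code from the original post), a small Python check that audits a Junos "set"-style configuration like the one above for the points this post covers: every tacplus-server has a secret and source-address and is also an accounting destination, the authentication order has a local fallback, the "remote" template account exists, and every policer that is defined is actually applied. The embedded sample is constructed from this post's commands, with the policer deliberately left unapplied and a "remote" template user standing in for user101.

```python
import re
from collections import defaultdict

# Constructed sample built from this post's set commands; the policer is
# left unapplied on purpose so the audit has something to report.
SAMPLE_CONFIG = """
set system tacplus-server 192.168.10.222 routing-instance mgmt_junos
set system tacplus-server 192.168.10.222 secret tacpassword1
set system tacplus-server 192.168.10.222 single-connection
set system tacplus-server 192.168.10.222 source-address 192.168.0.4
set system authentication-order tacplus
set system authentication-order password
set system accounting events login
set system accounting destination tacplus server 192.168.10.222 secret tacpassword1
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then accept
set firewall policer tacacs-policer then discard
set system login user remote class super-user
"""

def audit_tacplus(config_text):
    """Return a list of findings (strings) for a Junos set-style AAA config."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip().startswith("set ")]
    findings = []
    servers = defaultdict(dict)          # server IP -> {attribute: value}
    for l in lines:
        m = re.match(r"set system tacplus-server (\S+)(?: (\S+)(?: (.*))?)?$", l)
        if m:
            ip, key, val = m.groups()
            servers[ip][key] = val if val is not None else True
    order = [l.split()[-1] for l in lines if l.startswith("set system authentication-order ")]
    for ip, attrs in servers.items():
        if "secret" not in attrs:
            findings.append(f"tacplus-server {ip} has no secret")
        if "source-address" not in attrs:
            findings.append(f"tacplus-server {ip} has no source-address (replies may use an unexpected IP)")
        if not any(l.startswith(f"set system accounting destination tacplus server {ip} ") for l in lines):
            findings.append(f"tacplus-server {ip} is not an accounting destination")
    if "tacplus" not in order:
        findings.append("authentication-order does not include tacplus")
    if "password" not in order:
        findings.append("authentication-order has no local password fallback; a TACACS+ outage locks everyone out")
    if not any(l.startswith("set system login user remote ") for l in lines):
        findings.append("no 'remote' template user; logins without a local-user-name mapping will fail")
    # A policer only takes effect when some term references it with "then policer".
    policers = {l.split()[3] for l in lines if l.startswith("set firewall policer ")}
    applied = {l.split()[-1] for l in lines if " then policer " in l}
    for p in sorted(policers - applied):
        findings.append(f"policer {p} is defined but not applied to any term")
    return findings
```

Feed it the output of "show configuration | display set" to check a live device; secrets there appear hashed, which the check handles the same way.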
