Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

User login accounting logs on the EX Series Switch do not get logged on the Windows based Cisco ACS server

0

0

Article ID: KB15047 KB Last Updated: 02 Aug 2011Version: 2.0
Summary:
This article explains the configuration statements required on the EX Series Ethernet Switch required for authentication and accounting with the Windows based Cisco ACS Server.
Symptoms:
Authentication succeeds when using EX Series Switch with Windows based Cisco ACS server, however the accounting information does not get logged in the accounting log file on the Cisco ACS
Solution:
Cisco ACS server can be used for TACACS+  Authentication and accounting with the EX series etherent switches. Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users who are attempting to gain access to a switch/router or NAS. TACACS+, a more recent version of the original TACACS protocol, provides separate authentication, authorization, and accounting (AAA) services.Like RADIUS, TACACS+ uses a client/server model, with the switch being the client. All transactions between the server and the client are authenticated by a shared secret. The JUNOS configuration for TACACS+ is almost identical to that for RADIUS. You set the IP address of your TACACS+ server and the password (secret) that the EX switch should use to access the server. The secrets on the EX switch and the server must match. For more information on the Cisco ACS server you may refer to www.cisco.com. For detailed information on configuring RADIUS and authentication mechanisms on the EX  you may refer to Knowledge base article KB15045 and KB15046. 

A.      Configuring the EX series switch to send TACACS+ Authentication requests to the Cisco ACS server.
  1. You may configure TACPLUS to be the primary user authentication method and  local password as the secondary method using the statement below:

root# set system authentication-order [ tacplus password ]
  1. You can configure the TACPLUS server in the following manner:
root# set system tacplus-server <ip-address> secret <secret>
root# set system tacplus-server <ip-address> source-address <EX-source-ipaddress>
  1. A remote template will need to be defined on the EX switch for remote users trying to log in via RADIUS/TACACS. These user accounts are not defined locally on the EX. Please ensure that the following configuration snippet is included in the EX configuration:
root# set system login user remote class <class>
root# commit

NOTE: where <class> is a well defined login class with specific permissions on the EX. The defined classes with their permissions are:

operator permissions [ clear network reset trace view ]
read-only permissions [ view ]
super-user permissions [ all ]
unauthorized permissions [ none ]

NOTE: User login will fail if the remote template displayed above is not configured on the EX series switch

  1. In order for the Accounting information from the EX series switch to get logged into the Windows based Cisco ACS server, the TACPLUS messages must NOT include the  "cmd"  attribute. This needs to be configured on the EX switch using the following statements:
root# set tacplus-options exclude-cmd-attribute

B.      Configuring the EX series switch to send accounting information to the Windows based Cisco ACS server
  1. The TACACS+ accounting service enables you to create an audit trail of command-line interface (CLI) commands that have been executed within these sessions. For example, you can track user CLI connects and disconnects, when configuration modes have been entered and exited, and which configuration and operational commands have been executed. Such Login attempts and configuration changes made by users on the EX switch can be sent to the Cisco ACS accounting logs. The following configuration statement is required to accomplish this:
root# set system accounting events [login interactive-commands]
  1. Configure the TACPLUS accounting server and the secret (apssword) using the following configuration statements.  After you type the secret in the switch configuration, the CLI never displays it but shows it in a pseudoencrypted format.
root# set system accounting destination tacplus server 10.3.217.120 secret <secret>


NOTE: The TACPLUS accounting server <secret> must be configured under the accounting stanza. If this is not configured, the accounting information will NOT be logged into the accounting file of the Windows based Cisco ACS server.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search