How to configure TACACS+ authentication on J-Series and SRX platforms

Article ID: KB17269 | Last Updated: 08 Jan 2013 | Version: 3.0
Summary:

This article provides information on how to set up the J-Series and SRX platforms to use TACACS+ authentication.

Symptoms:
Assuming that the TACACS+ authentication server is already deployed, the process is divided into three steps:

  1. Configure the TACACS+ authentication on the J/SRX device.

  2. Create a local user template for TACACS+ authenticated users to inherit the privileges from.

  3. Map the local user template to the TACACS+ user accounts (optional).
Solution:

Configure the TACACS+ authentication on the J/SRX device:

  1. Gather the details of the TACACS+ authentication server (such as the IP address, port number, and shared key) and configure the J/SRX device to connect to it. For example, the following command, entered in CLI configuration mode, points the device at a TACACS+ server with the IP address 10.3.202.129 and the shared secret juniper:
    set system tacplus-server 10.3.202.129 secret juniper

    Note: For more options, such as specifying port number, source address, and so on, refer to the following link:

    http://www.juniper.net/techpubs/en_US/junos/topics/task/configuration/tacacs-authentication-configuring.html


  2. Change the authentication order of the J/SRX device so that TACACS+ is tried first, followed by the local password database:
    set system authentication-order [ tacplus password ]

Create a local user template for the TACACS+ authenticated users to inherit the privileges from:

When you are using TACACS+ authentication, you can create a single account for authorization purposes that is shared by a set of users. You create these accounts by using the remote and local user template accounts. When a user logs in through a template account, the command-line interface (CLI) username is the login name; however, the privileges, file ownership, and effective user ID are inherited from the template account.

A remote user template is defined by the user name remote under [edit system login]. A local user template can have any name. The difference between a normal user account and a user template on the J/SRX device is that the user template has no password configured. By default, Junos OS uses the remote template account for user authorization when:

  • The authenticated user does not exist locally on the router or switch.

  • The authenticated user’s record on the authentication server specifies a local user name, but that user does not exist locally on the router or switch.

To configure the remote template account, include the user remote statement at the [edit system login] hierarchy level and specify the privileges that you want to grant to remote users:
[edit system login]
user remote {
    full-name "All remote users";
    uid uid-value;
    class class-name;
}
For example, to create the default remote account that maps to TACACS+ authenticated users and assign them to the operator class, type the following line in the configuration:
set system login user remote full-name "All remote users" uid 2012 class operator


Map the local user template to the TACACS+ user accounts (optional):

If you want more granular control over the privileges allowed for different subsets of TACACS+ users, you can define several local user templates on the J/SRX device and configure the TACACS+ server to return the vendor-specific attribute local-user-name with the name of the matching user template. For example, to have two user templates, one with super-user privileges and the other view-only, you can specify this in the configuration:
set system login user remote-super-users full-name "User template for remote super-users" uid 2013 class super-user
set system login user remote-read-only full-name "User template for remote read-only" uid 2014 class read-only
On the TACACS+ side, if you want to give user alice super-user privileges and bob read-only privileges, the TACACS+ configuration would look similar to the following (note that the local-user-name value must match the template name on the device exactly, otherwise the user falls back to the remote template):
user = alice {
    login = cleartext alice's_password
    service = junos-exec {
        local-user-name = remote-super-users
    }
}

user = bob {
    login = cleartext bob's_password
    service = junos-exec {
        local-user-name = remote-read-only
    }
}

Example:

The following snippet shows the TACACS+ authentication configuration on both the J/SRX device and the TACACS+ server. It highlights the difference between the remote and local user templates and how they relate to each other:

J/SRX Configuration:

# Authentication order with TACACS+ first and the server details
set system authentication-order tacplus
set system authentication-order password
set system tacplus-server 10.3.202.129 secret mysecret

# Remote user template mapped to pre-defined "operator" class
set system login user remote full-name "Default remote user template"
set system login user remote uid 100
set system login user remote class operator

# Local user template mapped to pre-defined "super-user" class
set system login user remote-su full-name "Remote users with super-user privileges"
set system login user remote-su uid 101
set system login user remote-su class super-user


TACACS+ Configuration:

# Secret used between the J/SRX device and TACACS+
key = mysecret

# User alice is configured to inherit the default remote user template
# Therefore, the "local-user-name" attribute is not needed here
user = alice {
        login = cleartext alice's_password
}
# bob is set to inherit super-user privileges on the J/SRX device and is therefore mapped to the remote-su user template
user = bob {
        login = cleartext bob's_password
        service = junos-exec {
               local-user-name = remote-su
        }
}
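Because a local-user-name that matches no template on the device silently lands the user in the default remote template (the fallback rule described above), it is worth checking the two configurations against each other. The following Python checker is an added example, not code from the article or from Juniper: it parses set-style Junos login lines and tac_plus user stanzas and resolves each TACACS+ user to the template and class it would actually get. The sample configurations, the function names (junos_login_classes, tacplus_users, effective_access) and the extra user carol, whose local-user-name is mistyped, are all constructed for the example.

```python
import re

# Constructed sample modelled on the "J/SRX Configuration" above (not a device export).
JUNOS_SET = """
set system login user remote class operator
set system login user remote-su class super-user
"""
# Constructed tac_plus stanzas: carol's local-user-name matches no template on the device.
TACPLUS = """
user = alice {
    login = cleartext alice_password
}
user = bob {
    service = junos-exec { local-user-name = remote-su }
}
user = carol {
    service = junos-exec { local-user-name = remote-super-users }
}
"""

def junos_login_classes(set_lines):
    """Return {login name: class} from 'set system login user <name> class <class>' lines."""
    classes = {}
    for line in set_lines.splitlines():
        if m := re.match(r'set system login user (\S+) class (\S+)', line.strip()):
            classes[m.group(1)] = m.group(2)
    return classes

def tacplus_users(cfg):
    """Return {user: local-user-name or None}; a user stanza ends at a '}' in column 0."""
    users = {}
    for m in re.finditer(r'user\s*=\s*(\S+)\s*\{(.*?)\n\}', cfg, re.S):
        name, body = m.groups()
        lu = re.search(r'local-user-name\s*=\s*(\S+)', body)
        users[name] = lu.group(1) if lu else None
    return users

def effective_access(junos_set, tacplus_cfg):
    """Resolve each TACACS+ user to (template, class, note); an absent or unknown local-user-name falls back to 'remote'."""
    templates = junos_login_classes(junos_set)
    access = {}
    for user, requested in tacplus_users(tacplus_cfg).items():
        if requested is None:
            template, note = 'remote', 'default remote template'
        elif requested in templates:
            template, note = requested, 'mapped by local-user-name'
        else:
            template, note = 'remote', f'UNDEFINED template {requested}; fell back to remote'
        access[user] = (template, templates.get(template), note)
    return access
```

A class of None in the result means the device has no template at all for that user, so check that the remote template exists as well as the specific ones.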


Example of the CLI authorization output that results from the above configuration:

alice@srx> show cli authorization
Current user: 'remote' login: 'alice' class 'operator'
Permissions:
    clear       -- Can clear learned network info
    network     -- Can access the network
    reset       -- Can reset/restart interfaces and daemons
    trace       -- Can view trace file settings
    view        -- Can view current values and statistics
Individual command authorization:
    Allow regular expression: none
    Deny regular expression: none
    Allow configuration regular expression: none
    Deny configuration regular expression: none


bob@srx> show cli authorization
Current user: 'remote-su' login: 'bob' class 'super-user'
Permissions:
    admin       -- Can view user accounts
    admin-control-- Can modify user accounts
    clear       -- Can clear learned network info
    configure   -- Can enter configuration mode
    control     -- Can modify any config
    edit        -- Can edit full files
    field       -- Can use field debug commands
    floppy      -- Can read and write the floppy
    interface   -- Can view interface configuration
    interface-control-- Can modify interface configuration