
[ScreenOS] Configuration Example: Juniper SSG/ISG and Cisco ACS v5.x


Article ID: KB23458
KB Last Updated: 19 Feb 2020
Version: 4.0
Summary:

This article provides a configuration to authenticate SSG/ISG administrators by using TACACS+, instead of local login.

Symptoms:

Configuration to authenticate SSG/ISG administrators by using TACACS+, instead of local login.

Solution:

Network topology

[Juniper SSG/ISG firewall]----------[Cisco ACS VM]

ACS v5.x is a Linux-based VM with a completely new user interface and structure.
Configuration

Configure the Juniper firewall (CLI)

  • Add the Cisco ACS and TACACS+ configuration:
set auth-server CiscoACSv5 id 1
set auth-server CiscoACSv5 server-name 192.168.1.100
set auth-server CiscoACSv5 account-type admin
set auth-server CiscoACSv5 type tacacs
set auth-server CiscoACSv5 tacacs secret "$ABC123"
set auth-server CiscoACSv5 tacacs port 49
set admin auth server CiscoACSv5
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
  • Via the WebUI:

Configuration -> Auth -> Auth Servers -> New
Configuration -> Admin -> Administrators


Configure the Cisco ACS v5.x (GUI)

  1. Go to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, and create the NetScreen Shell Profile:

    1. Click the Create button, located at the bottom of the page.

    2. Click the General tab, and type the following information:

      • Name: NetScreen

      • Description: Custom Attributes for NetScreen devices

    3. Click the Custom Attributes tab, and add the vsys attribute:

      • Attribute: vsys

      • Requirement: Mandatory

      • Value: See Attributes table below.

    4. Click the Add button, located above the Attribute field, and add the privilege attribute:

      • Attribute: privilege

      • Requirement: Mandatory

      • Value: See Attributes table below.

    5. Click the Add button, located above the Attribute field, then click the Submit button, located at the bottom of the page.

  2. Go to Access Policies > Access Services > Default Device Admin > Authorization, and create the Juniper Authorization Policy, filtered by Device IP Address:

    1. Click the Customize button, located at the bottom right-hand side of the page.

    2. Under Customize Conditions, select Device IP Address from the left text box, and click the > button to add it.

    3. Click OK to close the window.

    4. Click the Create button, located at the bottom of the page, to create a new rule:

      • Under General, name the new rule Juniper and ensure that it is enabled.

      • Under Conditions, select the checkbox next to Device IP Address, and type the IP address of the Juniper firewall (192.168.1.100).

      • Under Results, click the Select button, located next to the Shell Profile field, select Juniper, and click OK.

      • Under Results, click the Select button, located below the Command Sets (if used) field, select Permit All, and ensure that all the other check boxes are clear.

      • Click OK to close the window.

    5. Click OK, located at the bottom of the page, to close the window.

    6. Select the checkbox next to the Juniper policy and move it to the top of the list.

    7. Click Save Changes, located at the bottom of the page.


Verification

nsisg1000-> get admin auth
Id : 1 Auth Server : external
Type : TACACS Server Name/IP: 192.168.1.33
Backup1: Backup2 :
Idle Timeout: 10 Account Type : admin
Forced Timeout: 0 (Disabled)
Fail-over revert interval: Disabled
TACACS shared secret: $ABC123
TACACS server port: 49
TACACS retry timeout: 0
nsisg1000->

After a user has logged in via TACACS+, the session appears with its authentication type (the >>>>>>>>> marker highlights the TACACS+-authenticated session):

nsisg1000-> get admin user login
No. Name       Vsys       Date       Time     Source  IP Addr         Auth Type
--- ---------- ---------- ---------- -------- ------- --------------- ---------
1   test       Root       2001-07-12 09:22:27 telnet  192.168.1.33    tacacs >>>>>>>>>
2   netscreen  Root       2001-07-12 09:19:28 console 0.0.0.0         local

Debug commands that can be used for troubleshooting

  • debug admin all
  • debug auth all


Attributes table

Once the netscreen service is defined, the attributes can be set per user.

On the user configuration page, scroll down to the bottom and select the netscreen (case-sensitive) Custom attributes check boxes. Then specify the attributes in the custom attributes field.

The custom attributes that can be specified are listed below, one column per admin class; vsys-name stands for the name of the virtual system the admin is scoped to.

             Root   Root RW      Root RO     VSYS RW          VSYS RO
vsys=        root   root         root        vsys-name        vsys-name
privilege=   root   read-write   read-only   vsys-read-write  vsys-read-only
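As an added example (not from this KB article or from Juniper), the following Python builds the two mandatory TACACS+ attribute-value pairs for each admin class in the table above and maps a received pair set back to its class. The reject rules (missing attribute, optional `*` separator, privilege not valid for the vsys) model the table and the Mandatory setting in the ACS shell profile, not ScreenOS' own enforcement; the class names and vsys-name handling are taken from the table.

```python
"""Added example (not from the Juniper KB): build and check the TACACS+
vsys=/privilege= attributes behind each admin class in the article's table.
The reject rules model the table, not ScreenOS' own enforcement."""
import re

# Admin class -> (vsys value, privilege value). "vsys-name" in the KB table
# stands for the name of any virtual system other than root.
ADMIN_CLASSES = {
    "Root":    ("root", "root"),
    "Root RW": ("root", "read-write"),
    "Root RO": ("root", "read-only"),
    "VSYS RW": ("vsys-name", "vsys-read-write"),
    "VSYS RO": ("vsys-name", "vsys-read-only"),
}

# TACACS+ AV pair: name, then '=' (mandatory) or '*' (optional), then value.
AVPAIR = re.compile(r"^([A-Za-z][\w-]*)([=*])(.*)$")

def build_avpairs(admin_class, vsys_name="root"):
    """Return the two mandatory AV pairs the ACS shell profile should send."""
    vsys, priv = ADMIN_CLASSES[admin_class]
    if vsys == "vsys-name":
        if vsys_name == "root":
            raise ValueError(f"{admin_class} needs a non-root vsys name")
        vsys = vsys_name
    elif vsys_name != "root":
        raise ValueError(f"{admin_class} applies to the root vsys only")
    return [f"vsys={vsys}", f"privilege={priv}"]

def classify_avpairs(pairs):
    """Map received AV pairs to an admin class, or a 'reject: ...' reason."""
    attrs = {}
    for raw in pairs:
        m = AVPAIR.match(raw)
        if not m:
            return f"reject: malformed AV pair {raw!r}"
        name, sep, value = m.groups()
        attrs[name] = (value, sep == "=")
    for name in ("vsys", "privilege"):
        if name not in attrs:
            return f"reject: missing attribute {name}"
        if not attrs[name][1]:  # ACS profile marks both as Mandatory
            return f"reject: {name} sent as optional ('*'), must use '='"
    vsys, priv = attrs["vsys"][0], attrs["privilege"][0]
    key = ("root" if vsys == "root" else "vsys-name", priv)
    hits = [cls for cls, row in ADMIN_CLASSES.items() if row == key]
    return hits[0] if hits else f"reject: privilege {priv!r} invalid for vsys {vsys!r}"
```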
Modification History:
2020-02-19: minor non-technical updates.