TACACS (AAA) Configuration in Juniper

Configuring a Juniper (Junos) device to authenticate, authorize and account (AAA) against a TACACS+ server.

10.10.10.10 – TACACS+ AAA server
20.20.20.2 – loopback IP of the router, used as the source address for TACACS+ traffic

Junos configuration (hierarchical format):

system {
    host-name JUNIPER-ROUTER1;
    authentication-order [ tacplus password ];
    root-authentication {
        encrypted-password "$r00tp44sw0rdh3r3/1"; ## SECRET-DATA
    }
    tacplus-server {
        10.10.10.10 {
            secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"; ## SECRET-DATA
            single-connection;
            source-address 20.20.20.2;
        }
    }
    accounting {
        events interactive-commands;
        destination {
            tacplus {
                server {
                    10.10.10.10 {
                        secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"; ## SECRET-DATA
                        single-connection;
                        source-address 20.20.20.2;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter FIREWALL-RE {
            /* TRUSTED TACACS */
            term TACACS-ACL {
                from {
                    source-address {
                        10.10.10.10/32;
                    }
                    protocol tcp;
                    port tacacs;
                }
                then {
                    count TACACS-ACL;
                    accept;
                }
            }
        }
    }
}

In set format:

set system host-name JUNIPER-ROUTER1
set system authentication-order tacplus
set system authentication-order password
set system root-authentication encrypted-password "$r00tp44sw0rdh3r3/1"
set system tacplus-server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"
set system tacplus-server 10.10.10.10 single-connection
set system tacplus-server 10.10.10.10 source-address 20.20.20.2
set system accounting events interactive-commands
set system accounting destination tacplus server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"
set system accounting destination tacplus server 10.10.10.10 single-connection
set system accounting destination tacplus server 10.10.10.10 source-address 20.20.20.2

set firewall family inet filter FIREWALL-RE term TACACS-ACL from source-address 10.10.10.10/32
set firewall family inet filter FIREWALL-RE term TACACS-ACL from protocol tcp
set firewall family inet filter FIREWALL-RE term TACACS-ACL from port tacacs
set firewall family inet filter FIREWALL-RE term TACACS-ACL then count TACACS-ACL
set firewall family inet filter FIREWALL-RE term TACACS-ACL then accept

Points to check before committing this:

Authentication order: with password listed after tacplus, a user the TACACS+ server rejects is tried again against the local password database. Leave password out if TACACS+ is meant to be authoritative; Junos still falls back to local passwords when no server responds.

Secrets and source address: source-address 20.20.20.2 makes the router send from its loopback, so the TACACS+ server must have 20.20.20.2 defined as the client, and both the tacplus-server secret and the accounting secret must match the key the server holds for that client (the server keeps one key per client).

Routing Engine filter: the term matches TCP port 49 (tacacs) in either direction and should list only the TACACS+ server(s) as source, so that the router accepts TACACS+ traffic from them alone. The filter only takes effect once applied as the inet input filter on lo0 unit 0 (interfaces lo0 unit 0 family inet filter input FIREWALL-RE), and Junos filters end with an implicit discard, so FIREWALL-RE needs terms for every other protocol the RE must accept (SSH, routing protocols, NTP and so on) before it is bound; as shown it contains the TACACS+ term only.

Note: TACACS+ only authenticates the user; Junos still maps each remote user onto a local user template to obtain a login class. If the TACACS+ server returns local-user-name=user101 in its authorization reply, the session gets the class of the local user user101 (without that attribute, Junos looks for a local user named remote). super-user is a predefined Junos class and cannot be modified, so define a class of your own (tacacs-admin is simply the name chosen here):

set system login class tacacs-admin idle-timeout 10
set system login class tacacs-admin permissions all
set system login user user101 class tacacs-admin
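The checks listed above are easy to miss by eye, so here is an added example (not part of the original post and not Juniper code) that audits a set-format Junos AAA configuration for them. It parses set commands into token lists and reports a TACACS+ reject falling through to local passwords, missing secret or source-address, an accounting secret that differs from the tacplus-server secret, accounting without events, a filter term accepting port tacacs from anything other than a configured TACACS+ server /32, and a filter never bound to lo0. PAGE_CONFIG is constructed from the set commands on this page (as originally written, with the loopback source and without the events line); HARDENED_CONFIG is a constructed variant that passes the audit.

```python
"""Audit a Junos set-format AAA configuration for the TACACS+ pitfalls discussed above.

Added example for this page; it is not Juniper code. Only `set ...` lines are read.
"""
import shlex
from typing import Dict, List, Sequence

# Constructed sample: the AAA and filter set commands from this page, as first written.
PAGE_CONFIG = """
set system host-name JUNIPER-ROUTER1
set system authentication-order tacplus
set system authentication-order password
set system tacplus-server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"
set system tacplus-server 10.10.10.10 single-connection
set system tacplus-server 10.10.10.10 source-address 20.20.20.2
set system accounting destination tacplus server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"
set system accounting destination tacplus server 10.10.10.10 single-connection
set system accounting destination tacplus server 10.10.10.10 source-address 20.20.20.2
set firewall family inet filter FIREWALL-RE term TACACS-ACL from source-address 10.10.10.10/32
set firewall family inet filter FIREWALL-RE term TACACS-ACL from source-address 20.20.20.2/32
set firewall family inet filter FIREWALL-RE term TACACS-ACL from protocol tcp
set firewall family inet filter FIREWALL-RE term TACACS-ACL from port tacacs
set firewall family inet filter FIREWALL-RE term TACACS-ACL then count TACACS-ACL
set firewall family inet filter FIREWALL-RE term TACACS-ACL then accept
"""

# Constructed hardened variant: TACACS+ authoritative, one key, only the server in the
# filter term, filter bound to lo0. (A real RE filter also needs terms for SSH, routing, etc.)
HARDENED_CONFIG = """
set system authentication-order tacplus
set system tacplus-server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"
set system tacplus-server 10.10.10.10 single-connection
set system tacplus-server 10.10.10.10 source-address 20.20.20.2
set system accounting events interactive-commands
set system accounting destination tacplus server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"
set system accounting destination tacplus server 10.10.10.10 source-address 20.20.20.2
set firewall family inet filter FIREWALL-RE term TACACS-ACL from source-address 10.10.10.10/32
set firewall family inet filter FIREWALL-RE term TACACS-ACL from protocol tcp
set firewall family inet filter FIREWALL-RE term TACACS-ACL from port tacacs
set firewall family inet filter FIREWALL-RE term TACACS-ACL then accept
set interfaces lo0 unit 0 family inet filter input FIREWALL-RE
"""


def parse_set(text: str) -> List[List[str]]:
    """Tokenize each `set ...` line; shlex strips the double quotes around secrets."""
    return [shlex.split(line)[1:] for line in text.splitlines() if line.strip().startswith("set ")]


def under(stmts: List[List[str]], prefix: Sequence[str]) -> List[List[str]]:
    """Token tails of every statement that starts with `prefix`."""
    n = len(prefix)
    return [s[n:] for s in stmts if tuple(s[:n]) == tuple(prefix)]


def keyed(stmts: List[List[str]], prefix: Sequence[str]) -> Dict[str, Dict[str, object]]:
    """Group `<prefix> <key> <attr> [value]` statements into {key: {attr: value or True}}."""
    out: Dict[str, Dict[str, object]] = {}
    for tail in under(stmts, prefix):
        if len(tail) >= 2:
            out.setdefault(tail[0], {})[tail[1]] = tail[2] if len(tail) > 2 else True
    return out


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the checks above all pass."""
    stmts = parse_set(text)
    findings: List[str] = []

    order = [t[0] for t in under(stmts, ("system", "authentication-order"))]
    if "tacplus" not in order:
        findings.append("authentication-order: tacplus missing")
    elif "password" in order:
        findings.append("authentication-order: 'password' listed, so a TACACS+ reject falls through to local passwords")

    servers = keyed(stmts, ("system", "tacplus-server"))
    if not servers:
        findings.append("no tacplus-server configured")
    for ip, attrs in servers.items():
        for need in ("secret", "source-address"):
            if need not in attrs:
                findings.append(f"tacplus-server {ip}: {need} missing")

    acct = keyed(stmts, ("system", "accounting", "destination", "tacplus", "server"))
    for ip, attrs in acct.items():
        if ip in servers and attrs.get("secret") != servers[ip].get("secret"):
            findings.append(f"accounting server {ip}: secret differs from tacplus-server secret")
    if acct and not under(stmts, ("system", "accounting", "events")):
        findings.append("accounting destination set but no accounting events")

    # Any term that accepts port tacacs may only list configured TACACS+ servers as /32 sources.
    terms: Dict[tuple, Dict[str, object]] = {}
    for t in under(stmts, ("firewall", "family", "inet", "filter")):
        if len(t) >= 5 and t[1] == "term":
            entry = terms.setdefault((t[0], t[2]), {"from": {}, "then": []})
            if t[3] == "from" and len(t) >= 6:
                entry["from"].setdefault(t[4], []).append(t[5])
            elif t[3] == "then":
                entry["then"].extend(t[4:])
    bound = {t[0] for t in under(stmts, ("interfaces", "lo0", "unit", "0", "family", "inet", "filter", "input"))}
    for (flt, term), entry in terms.items():
        ports = sum((entry["from"].get(k, []) for k in ("port", "source-port", "destination-port")), [])
        if "tacacs" not in ports or "accept" not in entry["then"]:
            continue
        for src in entry["from"].get("source-address", []):
            host, _, plen = src.partition("/")
            if host not in servers or plen not in ("", "32"):
                findings.append(f"filter {flt} term {term}: source {src} is not a configured TACACS+ server")
        if flt not in bound:
            findings.append(f"filter {flt}: not applied as lo0 inet input filter")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Run against the page's own commands it reports five findings (password fallback, mismatched accounting secret, missing accounting events, the loopback /32 in the filter term, and the unbound filter); the hardened variant reports none. Feed it the output of `show configuration | display set` from a real device to check a live box.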

Refer to this link for Tacacs configuration for Cisco –> TACACS (AAA) Configuration in Cisco (IOS-XR, IOS-XE, IOS, NX-OS)
