Tacacs (Authentication and Accounting) Configuration in Juniper

Tacacs/AAA/ISE Server: 192.168.10.222

Tacacs Password: tacpassword1
Router’s Management IP: 192.168.0.4 (under mgmt_junos routing instance)
Assumption: There’s an existing local account e.g. “user1”
set system login user user1 class super-user
set system login user user1 authentication plain-text-password
(passwordhere)
1. Configure the tacacs server IP
set system tacplus-server 192.168.10.222 routing-instance mgmt_junos 
set system tacplus-server 192.168.10.222 secret tacpassword1
set system tacplus-server 192.168.10.222 single-connection
set system tacplus-server 192.168.10.222 source-address 192.168.0.4
2. Configure authentication order (if tacacs cannot authenticate, will ask for local access user1)

set system authentication-order tacplus
set system authentication-order password
3. Configure accounting:
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus server 192.168.10.222 secret tacpassword1
set system accounting destination tacplus server 192.168.10.222 single-connection
set system accounting destination tacplus server 192.168.10.222 source-address 192.168.0.4
Optional (Firewall settings)

set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from source-prefix-list TACACS-SERVERS
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from protocol tcp
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from source-port tacacs
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then count TACACS-PERMIT
set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then accept
set firewall policer tacacs-policer if-exceeding bandwidth-limit 1m
set firewall policer tacacs-policer if-exceeding burst-size-limit 10k
set firewall policer tacacs-policer then discard
 
set policy-options prefix-list TACACS-SERVERS apply-path “system tacplus-server <*>”
set policy-options prefix-list TACACS-SERVERS 192.168.10.222/32
Note:
If you happen to receive this message below, pls. do the following to fix.
Sample Log:
Sep  6 10:30:01.044 2020  SRX1-re0 sshd[5580]: %AUTH-3: User remote is authenticated successfully but no logical login-id configured.
Also, for you not to configure local accounts.
FIX:
Create a user account  that has no password, but class matching your tacacs (eg: super-user)
Configure:
set system login class super-user idle-timeout 10
set system login class super-user permissions all
set system login user user101 class super-user

2 Comments

Leave a Reply