Tacacs (Authentication and Accounting) Configuration in Juniper

Tacacs/AAA/ISE Server: 192.168.10.222

Tacacs Password: tacpassword1

Router’s Management IP: 192.168.0.4 (under mgmt_junos routing instance)

Assumption: There’s an existing local account e.g. “user1”

set system login user user1 class super-user

set system login user user1 authentication plain-text-password

(passwordhere)

1. Configure the tacacs server IP

set system tacplus-server 192.168.10.222 routing-instance mgmt_junos

set system tacplus-server 192.168.10.222 secret tacpassword1

set system tacplus-server 192.168.10.222 single-connection

set system tacplus-server 192.168.10.222 source-address 192.168.0.4

2. Configure authentication order (if tacacs cannot authenticate, will ask for local access user1)

set system authentication-order tacplus

set system authentication-order password

3. Configure accounting:

set system accounting events login

set system accounting events change-log

set system accounting events interactive-commands
set system accounting destination tacplus server 192.168.10.222 secret tacpassword1
set system accounting destination tacplus server 192.168.10.222 single-connection
set system accounting destination tacplus server 192.168.10.222 source-address 192.168.0.4

Optional (Firewall settings)

set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from source-prefix-list TACACS-SERVERS

set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from protocol tcp

set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT from source-port tacacs

set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then count TACACS-PERMIT

set firewall family inet filter IPv4-FIREWALL term TACACS-PERMIT then accept

set firewall policer tacacs-policer if-exceeding bandwidth-limit 1m

set firewall policer tacacs-policer if-exceeding burst-size-limit 10k

set firewall policer tacacs-policer then discard

set policy-options prefix-list TACACS-SERVERS apply-path “system tacplus-server <*>”

set policy-options prefix-list TACACS-SERVERS 192.168.10.222/32

Note:

If you happen to receive this message below, pls. do the following to fix.
Sample Log:

Sep 6 10:30:01.044 2020 SRX1-re0 sshd[5580]: %AUTH-3: User remote is authenticated successfully but no logical login-id configured.

Also, for you not to configure local accounts.

FIX:

Create a user account that has no password, but class matching your tacacs (eg: super-user)

Configure:

set system login class super-user idle-timeout 10

set system login class super-user permissions all

set system login user user101 class super-user

2 Comments

Best Security Practices for Juniper (Junos OS ) in Management Plane - Free Network Tutorials said:

[…] Related link –> Tacacs (Authentication and Accounting) Configuration in Juniper […]

Best Security Practices for Juniper (Junos OS ) on Management Plane - Free Network Tutorials said:

[…] Related link –> Tacacs (Authentication and Accounting) Configuration in Juniper […]

This server has received 524870 hits from both ipv4 and ipv6.
IPv4	91.9%
IPv6	8.1%

Tacacs (Authentication and Accounting) Configuration in Juniper

Related

2 Comments

Leave a Reply to Best Security Practices for Juniper (Junos OS ) in Management Plane - Free Network Tutorials Cancel reply

bitframepacket