Thursday, February 20, 2014

Juniper SRX tacacs+ with Cisco ACS 5.x

SRX configuration

# Authentication order with TACACS+ first and the server details
authentication-order [ tacplus password ];

tacplus-server {
    xxx.xxx.xxx.xxx {
        secret "sharedkey"; ## SECRET-DATA
        single-connection;
    }
    yyy.yyy.yyy.yyy {
        secret "sharedkey"; ## SECRET-DATA
        single-connection;
    }
}

# Remote user templates (ACS returns one of these names as local-user-name)
login {
    user netadmin {
        full-name "remote super-user template";
        uid 100;
        class super-user;
    }
    user remote-monitor {
        full-name "remote operator template";
        uid 101;
        class operator;
    }
}

# tacacs+ accounting (same servers and shared secrets as above)
accounting {
    events [ login change-log interactive-commands ];
    destination {
        tacplus {
            server {
                xxx.xxx.xxx.xxx {
                    secret "sharedkey"; ## SECRET-DATA
                    single-connection;
                }
                yyy.yyy.yyy.yyy {
                    secret "sharedkey"; ## SECRET-DATA
                    single-connection;
                }
            }
        }
    }
}

Cisco ACS

The key to the Cisco ACS setup is "Policy Element" -> "Authorization and Permissions" -> "Device Administrator" -> "Shell Profiles". You need to create a custom shell profile for each "local-user-name" group, and the name it returns must match one of the template users under login on the SRX. Below is an example for the "netadmin" group.
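Added example, not part of the original post: a small Python audit that checks the two things that most often break this setup, namely an accounting secret that does not match the authentication secret for the same server, and an ACS shell profile whose local-user-name has no matching template user under login. The config text, the 192.0.2.x addresses, the secret values and the ACS profile names are constructed for the example (one accounting secret is deliberately mistyped so the check has something to find); the parser handles only the curly-brace shape of this snippet, not full Junos syntax.

```python
# Added example (not from the original post): audit an SRX TACACS+ config.
# Addresses, secrets and the ACS shell-profile names below are constructed.

SRX_CONFIG = """
authentication-order [ tacplus password ];
tacplus-server {
    192.0.2.10 {
        secret "sharedkey"; ## SECRET-DATA
        single-connection;
    }
    192.0.2.11 {
        secret "sharedkey"; ## SECRET-DATA
        single-connection;
    }
}
login {
    user netadmin {
        uid 100;
        class super-user;
    }
    user remote-monitor {
        uid 101;
        class operator;
    }
}
accounting {
    events [ login change-log interactive-commands ];
    destination {
        tacplus {
            server {
                192.0.2.10 {
                    secret "sharekey"; ## SECRET-DATA
                    single-connection;
                }
                192.0.2.11 {
                    secret "sharedkey"; ## SECRET-DATA
                    single-connection;
                }
            }
        }
    }
}
"""

# Constructed: local-user-name values returned by the ACS shell profiles.
ACS_LOCAL_USER_NAMES = ["netadmin", "remote-monitor", "helpdesk"]


def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts.

    Block headers ("login {", "user netadmin {") become dict keys; leaf
    statements map to their value with quotes stripped, or None if bare.
    "## SECRET-DATA" annotations and "#" note lines are ignored.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line.endswith(";"):
            parts = line[:-1].strip().split(None, 1)
            stack[-1][parts[0]] = parts[1].strip('"') if len(parts) > 1 else None
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def audit(cfg, acs_local_user_names):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    methods = cfg.get("authentication-order", "").strip("[] ").split()
    if methods[:1] != ["tacplus"]:
        findings.append("authentication-order does not try tacplus first")
    if "password" not in methods:
        findings.append("no local password fallback: lockout risk if every TACACS+ server is unreachable")
    auth_servers = cfg.get("tacplus-server", {})
    acct_servers = (cfg.get("accounting", {}).get("destination", {})
                    .get("tacplus", {}).get("server", {}))
    for ip, opts in auth_servers.items():
        if ip not in acct_servers:
            findings.append(f"{ip}: authentication server is not an accounting destination")
        elif acct_servers[ip].get("secret") != opts.get("secret"):
            findings.append(f"{ip}: accounting secret differs from authentication secret")
    # Every name ACS can return as local-user-name needs a template user.
    templates = {k.split(None, 1)[1] for k in cfg.get("login", {}) if k.startswith("user ")}
    for name in acs_local_user_names:
        if name not in templates:
            findings.append(f"ACS local-user-name '{name}' has no template user under login")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_junos(SRX_CONFIG), ACS_LOCAL_USER_NAMES):
        print("FINDING:", finding)
```

Run against the constructed config it reports two findings: the mistyped accounting secret on 192.0.2.10 and the "helpdesk" profile that has no template user. In practice you would paste the output of "show configuration system" in place of SRX_CONFIG and list the local-user-name values from your ACS shell profiles.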