Aug 062012
 

Sponsored Link

This article provides a configuration to authenticate SSG/ISG administrators by using TACACS+, instead of local logins.ACS v5.x is a Linux-based VM with a completely new user interface and structure.

Juniper SSG/ISG Device configuration from CLI

Add the Cisco ACS and TACACS+ configuration:

set auth-server CiscoACSv5 id 1
set auth-server CiscoACSv5 server-name 192.168.1.100
set auth-server CiscoACSv5 account-type admin
set auth-server CiscoACSv5 type tacacs
set auth-server CiscoACSv5 tacacs secret CiscoACSv5
set auth-server CiscoACSv5 tacacs port 49
set admin auth server CiscoACSv5
set admin auth remote primary
set admin auth remote root
set admin privilege get-external

You can configure the above configuration using GUI for this Go to Configuration->Auth->Auth Servers

Configure the Cisco ACS v5.x (GUI)

  • Go to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, and create the Juniper Shell Profile:

Click the Create button, which is located at the bottom of the page.

Click the General tab and type the following information:

Name: Juniper

Description: Custom Attributes for Juniper SSG320M

Click the Custom Attributes tab and add the vsys attribute:

Attribute: vsys

Requirement: Mandatory

Value: root

Click the Add button, which is above the Attribute field.

Add the privilege attribute:

Attribute: privilege

Requirement: Mandatory

Value: Root

Click the Add button, which is above the Attribute field. Now click the Submit button, which is located at the bottom of the page.

  • Go to Access Policies > Access Services > Default Device Admin > Authorization and create the Juniper Authorization Policy and filter (by Device IP Address):

Click the Customize button, which is located at the bottom right-hand side of the page.

Under Customize Conditions, select Device IP Address from the left text box, and click the > button to add it.

Click OK to close the window.

Click the Create button, which is located at the bottom of the page, to create a new rule:

Under General, name the new rule as Juniper and ensure that it is enabled.

Under Conditions, select the checkbox next to Device IP Address, and type the IP address of the Juniper firewall (192.168.1.100)

Under Results, click the Select button, which is located next to the Shell Profile field, Select Juniper, and click OK.

Under Results, click the Select button, which is located below the Command Sets (if used) field, select Permit All and ensure that all the other checkboxes are unselected.

Click OK to close the window.

Click OK, which is located at the bottom of the page, to close the window.

Select the checkbox next to the Juniper policy and then move it to the top of the list.

Click Save Changes, which is located at the bottom of the page.

Verification:

Logon to the Juniper CLI and GUI via an ACS Internal User account and attempt to change a setting to verify the privilege level.

Sponsored Link

 Posted by at 12:02 am

 Leave a Reply

(required)

(required)

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>