How to configure TACACS to work with the Juniper/Netscreen firewall

Using TACACS+ as an external authentication server for administrative logins is supported in ScreenOS 6.0.0 and later.

Note: TACACS+ is not supported for use as an authentication server for xauth or policy authentication.

On the firewall device, the TACACS server object needs to be configured. In this example, the TACACS server is called “external”. The CLI commands required for this are as follows:

set auth-server "external" id 1
set auth-server "external" server-name "192.168.1.33"
set auth-server "external" account-type admin
set auth-server "external" type tacacs
set auth-server "external" tacacs secret "QNM5OpXHNyCNyKsww1C+vDPFEpnHEFS+bw=="
set auth-server "external" tacacs port 49

Note: The TACACS secret is netscreen, but in the config file, it is hashed for security purposes.

The external server also has to be configured as an admin auth server:

set admin auth server "external"
set admin auth remote root
set admin privilege get-external

On the ACS server, configure the attributes that correspond to the admin privilege each user should receive. Launch the web interface via the ACSAdmin application. The steps are as follows:

1. Click Interface Configuration, and select TACACS+ (Cisco IOS).
2. Add a new service called "netscreen", and leave the protocol field blank.
3. Check both the User and Group check boxes.
4. Click Submit.

Once the "netscreen" service is defined, the attributes can be set per user. In the user configuration, scroll to the bottom, check the "netscreen" check box (the service name is case sensitive) and the "Custom attributes" check box, then enter the attributes in the custom attributes field.

The custom attributes you can specify are as follows:

Role       vsys=        privilege=
Root       root         root
Root RW    root         read-write
Root RO    root         read-only
VSYS RW    vsys-name    vsys-read-write
VSYS RO    vsys-name    vsys-read-only

(vsys-name is the name of the vsys the admin should manage.)

For example, let’s assume you want to configure attributes for read-write users in the root vsys. The attributes you would specify are:
vsys=root
privilege=read-write

Note: If a server other than Cisco ACS is used as the TACACS server, its configuration file should be formatted as in the example below (here with vsys = root and privilege = root):

group = root {
    service = netscreen {
        vsys = root
        privilege = root
    }
}

user = joe {
    # joe's password, given in the clear as the word "joe"
    login = cleartext joe
    service = netscreen {
        vsys = root
        privilege = root
    }
}
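As an added example (not from the original article or from Juniper), the following Python audits a configuration file in the format above against the vsys/privilege table: it reads the attributes from each user's netscreen service block and flags pairings the firewall will not accept, such as a vsys-* privilege combined with vsys=root. The sample config, the user names and the vsys name vsys-finance are constructed for the example.

```python
ROOT_PRIVS = {"root", "read-write", "read-only"}    # valid when vsys=root (table above)
VSYS_PRIVS = {"vsys-read-write", "vsys-read-only"}  # valid when vsys=<vsys-name>
# Constructed sample config (not from the page); 'dave' pairs vsys=root with a vsys-* privilege
SAMPLE_CONFIG = """
user = joe {
  login = cleartext joe
  service = netscreen {
    vsys = root
    privilege = root
  }
}
user = alice {
  service = netscreen {
    vsys = vsys-finance
    privilege = vsys-read-only
  }
}
user = dave {
  service = netscreen {
    vsys = root
    privilege = vsys-read-write
  }
}
"""

def netscreen_attrs(config):
    """Return {user: {"vsys": ..., "privilege": ...}} from each user's 'service = netscreen' block."""
    stack, users = [], {}
    for line in (raw.strip() for raw in config.splitlines()):
        if line.endswith("{"):                      # block opens: push header normalised to 'key = value'
            stack.append(" = ".join(part.strip() for part in line[:-1].split("=", 1)))
        elif line == "}" and stack:                 # block closes
            stack.pop()
        elif "=" in line and len(stack) == 2 and stack[0].startswith("user = ") \
                and stack[1] == "service = netscreen":   # attribute inside a user's netscreen block
            key, _, value = line.partition("=")
            users.setdefault(stack[0][len("user = "):], {})[key.strip()] = value.strip()
    return users

def check_privilege(attrs):
    """Return None if the vsys/privilege pairing is one the firewall accepts, else the reason."""
    vsys, priv = attrs.get("vsys"), attrs.get("privilege")
    if vsys is None or priv is None:
        return "missing vsys or privilege attribute"
    allowed = ROOT_PRIVS if vsys == "root" else VSYS_PRIVS
    return None if priv in allowed else f"privilege '{priv}' is not valid for vsys '{vsys}'"

def audit(config):
    """Return {user: problem} for every user whose netscreen attributes the firewall would reject."""
    return {u: p for u, a in netscreen_attrs(config).items() if (p := check_privilege(a))}
```

Running audit(SAMPLE_CONFIG) reports only dave; joe and alice carry pairings from the table and pass.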


One thought on “How to configure TACACS to work with the Juniper/Netscreen firewall”

  1. I'm not using Cisco, rather using Linux as the server on which I have installed a TACACS server… Now when I add user joe in the file /etc/tacacs.conf, where will I set its password? I don't have to set it on the SSG5… so how and where will I set the password for joe on the TACACS server that is to be tried from the SSG5 for authentication?
