Occasional Contributor II
Posts: 13
Registered: ‎08-19-2015

Juniper TACACS configuration and CPPM

Hello,

 

I'm evaluating Aruba Clearpass CPPM for my organization and I am trying to configure AAA on a Juniper SRX to authenticate against CPPM.

 

Is there a guide someone can point me to or a link that I can follow? 

 

I have it working for Cisco switches, routers, and firewalls thus far and I was also able to successfully integrate AD and CPPM.

 

Thanks in advance for the help!

 

 

Guru Elite
Posts: 7,824
Registered: ‎09-08-2010

Re: Juniper TACACS configuration and CPPM

This should help get you started!

 

set groups global system authentication-order tacplus
set groups global system authentication-order password
set groups global system tacplus-server 10.100.60.80 port 49
set groups global system tacplus-server 10.100.60.80 secret <secret>
set apply-groups global
set system tacplus-server 10.100.60.80 source-address 10.20.1.1
set system login user SU uid 2003
set system login user SU class super-user
set system login user RO uid 2002
set system login user RO class read-only

(attached screenshot: junos-tacas-su.JPG)


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
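As an added example (not code from the thread, from Juniper or from ClearPass), a small Python audit of a Junos set-style configuration for the points this thread turns on: tacplus listed first in authentication-order, a tacplus-server with a shared secret and a source-address (the address the CPPM network device entry must match), local template users such as SU and RO for CPPM to map logins onto, and TACACS+ accounting so logins and commands reach CPPM. It expands applied groups, which is how the configuration above is written; the sample configuration is the one posted above with the secret elided.

```python
# Constructed sample: the working config posted in this thread, secret elided.
SAMPLE_CONFIG = """
set groups global system authentication-order tacplus
set groups global system authentication-order password
set groups global system tacplus-server 10.100.60.80 port 49
set groups global system tacplus-server 10.100.60.80 secret <secret>
set apply-groups global
set system tacplus-server 10.100.60.80 source-address 10.20.1.1
set system login user SU uid 2003
set system login user SU class super-user
set system login user RO uid 2002
set system login user RO class read-only
"""

def flatten(config):
    """Expand applied groups so 'set groups G system ...' reads as 'system ...'."""
    lines = [ln.split() for ln in config.splitlines() if ln.strip()]
    applied = {ln[2] for ln in lines if ln[:2] == ["set", "apply-groups"]}
    stmts = []
    for tok in lines:
        if tok[:2] == ["set", "groups"] and tok[2] in applied:
            stmts.append(tok[3:])  # applied group: drop 'set groups G'
        elif tok[1] not in ("groups", "apply-groups"):
            stmts.append(tok[1:])  # plain statement: drop 'set'
    return stmts

def templates(config):
    """Map each local template login user to its class, e.g. {'SU': 'super-user'}."""
    return {s[3]: s[5] for s in flatten(config)
            if s[:3] == ["system", "login", "user"] and len(s) > 5 and s[4] == "class"}

def audit(config):
    """Return findings as strings; an empty list means every check passed."""
    stmts, findings = flatten(config), []
    order = [s[2] for s in stmts if s[:2] == ["system", "authentication-order"]]
    if order[:1] != ["tacplus"]:
        findings.append("authentication-order does not start with tacplus")
    servers = {s[2] for s in stmts if s[:2] == ["system", "tacplus-server"]}
    if not servers:
        findings.append("no tacplus-server configured")
    for srv in sorted(servers):
        props = {s[3] for s in stmts if s[:3] == ["system", "tacplus-server", srv]}
        for need in ("secret", "source-address"):  # source must match the CPPM NAD entry
            if need not in props:
                findings.append(f"tacplus-server {srv} has no {need}")
    if not templates(config):
        findings.append("no local template users (e.g. SU/RO) for CPPM to map onto")
    if ["system", "accounting", "destination", "tacplus"] not in stmts:
        findings.append("accounting destination tacplus not set")
    return findings
```

Run against the configuration above, the only finding is the missing accounting destination; the second configuration in this thread sets it.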
Occasional Contributor II
Posts: 13
Registered: ‎08-19-2015

Re: Juniper TACACS configuration and CPPM

Hi Tim,

 

This is my Juniper Config:

 

set system authentication-order tacplus
set system authentication-order password
set system root-authentication encrypted-password 
set system tacplus-server 172.16.1.10 secret 
set system tacplus-server 172.16.1.10 source-address 172.16.1.103
set system accounting events login
set system accounting events interactive-commands
set system accounting destination tacplus
set system login user RO uid 2002
set system login user RO class read-only
set system login user SU uid 2003
set system login user SU class super-user
set system login user labuser uid 2000
set system login user labuser class super-user
set system login user labuser authentication encrypted-password 

 

 

Occasional Contributor II
Posts: 13
Registered: ‎08-19-2015

Re: Juniper TACACS configuration and CPPM

I'm getting this error message:

It indicates a privilege mismatch.

I'm going back and looking over all the configurations and settings; I'm obviously missing something.

 

 

Occasional Contributor II
Posts: 13
Registered: ‎08-19-2015

Re: Juniper TACACS configuration and CPPM

I fixed the error by going to the enforcement profile and changing the privilege level from 0 to 15.

 

Hope this helps someone else.

 

Occasional Contributor I
Posts: 6
Registered: ‎08-06-2016

Re: Juniper TACACS configuration and CPPM

Hi Tim,

Is the enforcement profile the same for Juniper NetScreen also?

I want to implement TACACS on Netscreen.

 

 

Thanks


cappalli wrote:

This should help get you started!

 

set groups global system authentication-order tacplus
set groups global system authentication-order password
set groups global system tacplus-server 10.100.60.80 port 49
set groups global system tacplus-server 10.100.60.80 secret <secret>
set apply-groups global
set system tacplus-server 10.100.60.80 source-address 10.20.1.1
set system login user SU uid 2003
set system login user SU class super-user
set system login user RO uid 2002
set system login user RO class read-only

(attached screenshot: junos-tacas-su.JPG)


 

Aruba Employee
Posts: 11
Registered: ‎03-23-2016

Re: Juniper TACACS configuration and CPPM

NetScreen uses a different TACACS service than Junos does, so that has to be created in CPPM. The attributes that can be sent are 'vsys' and 'privilege'.

 

For this you'll have to create a custom TACACS dictionary. You can go to Administration > Dictionaries > TACACS+ Service, then export the junos-exec service and modify the attributes in there.

 

I attached a file that 'should' be what you need; however, I don't have any NetScreen devices to test against. Rename the file to .xml and import it into TACACS dictionaries, then you can go to the profile and use it.

 

Then you can follow this guide to give you some pointers:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB23458&actp=search 

Occasional Contributor I
Posts: 6
Registered: ‎08-06-2016

Re: Juniper TACACS configuration and CPPM

Thanks Cris. I managed to configure TACACS for NetScreen and it is successfully working with admin rights.

But I need a read-only account also.

I tried to configure it in CPPM; the RO user is getting authenticated successfully in Access Tracker, but I am not getting a firewall login. It's still stuck at the login page.

 

Please see the snaps.
