Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Juniper TACACS configuration and CPPM

  • 1.  Juniper TACACS configuration and CPPM

    Posted Sep 14, 2015 01:16 AM

    Hello,

     

    I'm evaluating Aruba Clearpass CPPM for my organization and I am trying to configure AAA on a Juniper SRX to authenticate against CPPM.

     

    Is there a guide someone can point me to or a link that I can follow? 

     

    I have it working for Cisco switches, routers, and firewalls thus far and I was also able to successfully integrate AD and CPPM.

     

    Thanks in advance for the help!

     

     



  • 2.  RE: Juniper TACACS configuration and CPPM

    EMPLOYEE
    Posted Sep 14, 2015 07:38 AM

    This should help get you started!

     

    set groups global system authentication-order tacplus
    set groups global system authentication-order password
    set groups global system tacplus-server 10.100.60.80 port 49
    set groups global system tacplus-server 10.100.60.80 secret <secret>
    set apply-groups global
    set system tacplus-server 10.100.60.80 source-address 10.20.1.1
    set system login user SU uid 2003
    set system login user SU class super-user
    set system login user RO uid 2002
    set system login user RO class read-only

    [attached screenshot: junos-tacas-su.JPG]



  • 3.  RE: Juniper TACACS configuration and CPPM
    Best Answer

    Posted Sep 14, 2015 01:13 PM

    Hi Tim,

     

    This is my Juniper Config:

     

    set system authentication-order tacplus
    set system authentication-order password
    set system root-authentication encrypted-password 
    set system tacplus-server 172.16.1.10 secret 
    set system tacplus-server 172.16.1.10 source-address 172.16.1.103
    set system accounting events login
    set system accounting events interactive-commands
    set system accounting destination tacplus
    set system login user RO uid 2002
    set system login user RO class read-only
    set system login user SU uid 2003
    set system login user SU class super-user
    set system login user labuser uid 2000
    set system login user labuser class super-user
    set system login user labuser authentication encrypted-password 

     

     


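The two Junos configurations posted above share the same moving parts: an authentication order with TACACS+ first and local password as fallback, a tacplus-server with a source-address, command accounting, and local template accounts (SU, RO) whose login class the TACACS+ server selects. The following Python script is an added example, not code from the thread, from Juniper or from HPE Aruba; it parses `set`-style Junos lines, reports the settings a reviewer would expect to see, and simulates how a TACACS+ reply for the junos-exec service selects a template account. The `local-user-name` attribute name is the real Junos attribute for that purpose; the sample configuration and the reply values are constructed for illustration, and the `groups` handling simply flattens group statements without checking that the group is applied.

```python
"""Sanity-check a Junos 'set'-style TACACS+ configuration and simulate
template-account selection.  Added example, not from the thread, Juniper or HPE.
Sample config and reply values are constructed; 'local-user-name' is the real
Junos TACACS+ (junos-exec) attribute that names the local template account."""
from collections import defaultdict

# Constructed sample, modelled on the best-answer configuration in the thread.
SAMPLE_CONFIG = """\
set system authentication-order tacplus
set system authentication-order password
set system tacplus-server 172.16.1.10 secret REDACTED
set system tacplus-server 172.16.1.10 source-address 172.16.1.103
set system accounting events login
set system accounting events interactive-commands
set system accounting destination tacplus
set system login user RO uid 2002
set system login user RO class read-only
set system login user SU uid 2003
set system login user SU class super-user
"""


def parse_set_config(text):
    """Return one token list per 'set ...' line, with any 'groups <name>'
    prefix stripped (assumption: the group is applied via apply-groups)."""
    parsed = []
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0] != "set":
            continue
        tokens = tokens[1:]
        if tokens[:1] == ["groups"] and len(tokens) > 2:
            tokens = tokens[2:]
        parsed.append(tokens)
    return parsed


def template_users(cfg):
    """Map local user name -> login class ('set system login user X class Y')."""
    users = {}
    for t in cfg:
        if t[:3] == ["system", "login", "user"] and len(t) >= 6 and t[4] == "class":
            users[t[3]] = t[5]
    return users


def check_tacacs_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_set_config(text)
    findings = []
    order = [t[2] for t in cfg if t[:2] == ["system", "authentication-order"]]
    if "tacplus" not in order:
        findings.append("authentication-order does not include tacplus")
    if "password" not in order:
        findings.append("no local 'password' fallback in authentication-order "
                        "(lockout risk if the TACACS+ server is unreachable)")
    servers = defaultdict(dict)
    for t in cfg:
        if t[:2] == ["system", "tacplus-server"] and len(t) >= 4:
            servers[t[2]][t[3]] = t[4] if len(t) > 4 else True
    if not servers:
        findings.append("no tacplus-server configured")
    for ip, attrs in servers.items():
        if "secret" not in attrs:
            findings.append(f"tacplus-server {ip} has no shared secret")
        if "source-address" not in attrs:
            findings.append(f"tacplus-server {ip} has no source-address "
                            "(the NAD address in CPPM must match the source)")
    events = {t[3] for t in cfg if t[:3] == ["system", "accounting", "events"] and len(t) > 3}
    if "interactive-commands" not in events:
        findings.append("command accounting (interactive-commands) not enabled")
    classes = set(template_users(cfg).values())
    for cls in ("super-user", "read-only"):
        if cls not in classes:
            findings.append(f"no template account with class {cls}")
    return findings


def resolve_login(reply_attrs, config_text):
    """Given the attribute dict the TACACS+ server returns for junos-exec,
    return the login class the session would get, or None when the named
    template account does not exist locally (the login cannot succeed)."""
    users = template_users(parse_set_config(config_text))
    return users.get(reply_attrs.get("local-user-name"))


if __name__ == "__main__":
    for finding in check_tacacs_config(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
    print(resolve_login({"local-user-name": "RO"}, SAMPLE_CONFIG))
```

Run the script against a device's `show configuration | display set` output to see which of the thread's elements are missing; `resolve_login` makes the point that the account name the server returns must exist on the device with the intended class.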

  • 4.  RE: Juniper TACACS configuration and CPPM

    Posted Sep 14, 2015 01:14 PM

    I'm getting this error message:

     

    Which indicates a privilege mismatch.

     

    I'm going back and looking over all the configurations and settings; I'm obviously missing something.

     

     



  • 5.  RE: Juniper TACACS configuration and CPPM

    Posted Sep 14, 2015 11:44 PM

    I fixed the error by going to the enforcement profile and changing the privilege level from 0 to 15.

     

    Hope this helps someone else.

     



  • 6.  RE: Juniper TACACS configuration and CPPM

    Posted Apr 26, 2017 07:03 AM

    So, must I configure users in the Juniper local database like SU and RO, or not, because I have an authentication server (Active Directory) from which I must authenticate and authorize?



     



  • 7.  RE: Juniper TACACS configuration and CPPM

    Posted Dec 26, 2017 04:04 AM

    Hi Chris,

     

    I am running into exactly the same issue. I have imported the TACACS dictionary but I am getting the error message. Any solution?

    Command - -
    Error Message:No enforcement profiles matched to perform command authorization
    Error Group:Tacacs authorization

     Alerts for this Request:

    Tacacs server: Tacacs service=netscreen not enabled


  • 8.  RE: Juniper TACACS configuration and CPPM

    Posted Oct 04, 2016 03:36 AM

    Hi Tim,

    Is the enforcement profile the same for Juniper Netscreen also?

    I want to implement TACACS on Netscreen.

     

     

    Thanks


    @cappalli wrote:

    This should help get you started!

     

    set groups global system authentication-order tacplus
    set groups global system authentication-order password
    set groups global system tacplus-server 10.100.60.80 port 49
    set groups global system tacplus-server 10.100.60.80 secret <secret>
    set apply-groups global
    set system tacplus-server 10.100.60.80 source-address 10.20.1.1
    set system login user SU uid 2003
    set system login user SU class super-user
    set system login user RO uid 2002
    set system login user RO class read-only

    [attached screenshot: junos-tacas-su.JPG]


     



  • 9.  RE: Juniper TACACS configuration and CPPM

    EMPLOYEE
    Posted Oct 04, 2016 10:11 AM

    Netscreen uses a different TACACS service than Junos does, so that has to be created in CPPM. Then the attributes that can be sent are 'vsys' and 'privilege'.

     

    For this you'll have to create a custom TACACS dictionary. You can go to Administration > Dictionaries > TACACS+ Service, then export the junos-exec service. Then modify the attributes in there.

     

    I attached a file that 'should' be what you need, however I don't have any netscreen devices to test against. Rename the file to .xml and import into tacacs dictionaries, then you can go to the profile and use it.

     

    Then you can follow this guide to give you some pointers:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB23458&actp=search 




  • 10.  RE: Juniper TACACS configuration and CPPM

    Posted Oct 10, 2016 04:27 AM

    Thanks Cris. I managed to configure TACACS for Netscreen and it is successfully working with Admin rights.

    But I need a Read-Only account also.

    I tried to configure it in CPPM; the RO user is getting authenticated successfully in Access Tracker, but I am not getting firewall login, it's still stuck at the login page.

     

    Please see the snaps.