In this post I will be configuring a Juniper Junos device to authenticate against a local TACACS+ server.
I will be using GNS3 version 1.1, an Ubuntu 14.04 server running the Shrubbery Networks TACACS+ daemon, and a Junos Olive image running JUNOS 12.1R1.9.
TACACS+ Server Configuration
TACACS+ is an Authentication, Authorisation and Accounting protocol that provides a centralised method of controlling user access to network devices. For more information on TACACS+ please see my previous post TACACS+ on Ubuntu 14.04 LTS.
For a Junos device to authenticate against our TACACS+ server, we first need to add a user using the Juniper Networks Vendor-Specific TACACS+ Attributes.
These attributes are specified in the TACACS+ server configuration file on a per-user basis. The Junos OS retrieves these attributes through an authorization request to the TACACS+ server after authenticating a user. The default syntax for the Juniper Networks Vendor-Specific TACACS+ Attributes is as follows:
```
service = junos-exec {
    local-user-name =
    allow-commands =
    allow-configurations =
    deny-commands =
    deny-configuration =
    user-permissions =
}
```
In this example I will be creating a super-user called junos that will be associated with the default user SU on the Junos device for authorisation.
The sample config for the TACACS+ user is as follows:
```
# Juniper test account
user = junos {
    default service = permit
    login = des 6/1aYAL9zcCe.
    service = junos-exec {
        local-user-name = SU
        allow-commands = .*
        allow-configurations = .*
    }
}
```
Junos TACACS+ Configuration
I will be using the following network topology to test the configuration of TACACS+:
In order for TACACS+ to work, the following have to be configured on the Junos device:
- Configure server details for Authentication. These include the TACACS+ server IP, source IP address, shared encryption key, and the Authentication order to be used on the device.
- Assign a login class for Authenticated users; this provides the Authorisation of users via TACACS+.
- Configure the TACACS+ system Accounting for the device.
Authentication
To use TACACS+ authentication on the router, we need to configure information about one or more TACACS+ servers on the network by including one tacplus-server statement at the [edit system] hierarchy level for each TACACS+ server.
The details for the TACACS+ server on the local network are as follows:
- Server IP: 10.10.10.100
- Key: tac_test
- username: junos
- password: cisco
First we need to add a TACACS+ IP address and encryption key to the router:
```
set system tacplus-server 10.10.10.100
set system tacplus-server 10.10.10.100 secret tac_test
```
Configure the device to maintain one open Transmission Control Protocol (TCP) connection to the server for multiple requests, rather than opening a connection for each connection attempt:
```
set system tacplus-server 10.10.10.100 single-connection
```
Next configure the source IP address that the router will use for the packets it sends to the TACACS+ server. Typically this would be a loopback address on the router, but in this case I have just used the IP address of the Ethernet interface:
```
set system tacplus-server 10.10.10.100 source-address 10.10.10.1
```
Next we will configure the order in which the device will authenticate users. Best practice is to have TACACS+ authenticate any users connecting to the device and to fall back to local authentication if the TACACS+ server is unreachable. To do this we will configure the system authentication order using the following commands:
```
set system authentication-order tacplus
set system authentication-order password
```
Sample output of the configuration so far:
```
[edit]
jonathan@JR1# show | compare
[edit system]
+  authentication-order [ tacplus password ];
+  tacplus-server {
+      10.10.10.100 {
+          secret "$9$.mz69Cu1IcDipBIEeKoJGUqf"; ## SECRET-DATA
+          single-connection;
+          source-address 10.10.10.1;
+      }
+  }

[edit]
jonathan@JR1#
```
Authorisation
Now that we have the Junos device configured to send authentication requests through to the TACACS+ server, we must configure Authorisation for the user.
This is done slightly differently to Cisco: we will be configuring a set of default users, one for each of the different login classes on the Junos device, and these provide the Authorisation for the remote users. As mentioned earlier, we will be associating our Junos TACACS+ user with the super-user account SU:
```
set system login user RO class read-only
set system login user OP class operator
set system login user SU class super-user
```
Sample output:
```
[edit]
jonathan@JR1# show | compare
[edit system]
+  authentication-order [ tacplus password ];
+  tacplus-server {
+      10.10.10.100 {
+          secret "$9$.mz69Cu1IcDipBIEeKoJGUqf"; ## SECRET-DATA
+          single-connection;
+          source-address 10.10.10.1;
+      }
+  }
[edit system login]
+   user OP {
+       class operator;
+   }
+   user RO {
+       class read-only;
+   }
+   user SU {
+       class super-user;
+   }

[edit]
jonathan@JR1#
```
At this point you will be able to log in to the Junos device and authenticate against the TACACS+ server. However, as we have not configured any accounting yet, we would not be able to track which commands are issued on the device.
Accounting
You can use TACACS+ to track the logins, configuration changes and interactive commands of any user that has authenticated against the TACACS+ server. To do this we first need to configure the system accounting details by issuing the following commands:
```
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus server 10.10.10.100 secret tac_test
```
Sample output of the configuration:
```
[edit]
jonathan@JR1# show | compare | no-more
[edit system]
+  authentication-order [ tacplus password ];
+  tacplus-server {
+      10.10.10.100 {
+          secret "$9$70Ns4aJDkqfM8UHqmF3ylKvxd"; ## SECRET-DATA
+          single-connection;
+          source-address 10.10.10.1;
+      }
+  }
+  accounting {
+      events [ login change-log interactive-commands ];
+      destination {
+          tacplus {
+              server {
+                  10.10.10.100 secret "$9$q.Qn/9pB1hUjtO1Rle4aZGkP"; ## SECRET-DATA
+              }
+          }
+      }
+  }
[edit system login]
+   user OP {
+       class operator;
+   }
+   user RO {
+       class read-only;
+   }
+   user SU {
+       class super-user;
+   }
[edit system]
+  services {
+      telnet;
+  }

[edit]
jonathan@JR1#
```
Commit the changes to the device:
```
[edit]
jonathan@JR1# commit check
configuration check succeeds

[edit]
jonathan@JR1# commit
commit complete

[edit]
jonathan@JR1#
```
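As an added example that is not part of the original post, the following Python audit parses the hierarchical output of `show system` into nested dictionaries and checks that the AAA settings built above are all present: tacplus first in authentication-order with a password fallback, a secret, source-address and single-connection on every server, and the three accounting event types. The sample configuration and its `$9$PLACEHOLDER` secret are constructed for the example.

```python
# Constructed sample: hierarchical form of the AAA settings built in this post
SAMPLE_CONFIG = """\
system {
    authentication-order [ tacplus password ];
    tacplus-server {
        10.10.10.100 {
            secret "$9$PLACEHOLDER"; ## SECRET-DATA
            single-connection;
            source-address 10.10.10.1;
        }
    }
    accounting {
        events [ login change-log interactive-commands ];
    }
}
"""

def parse_junos(text):
    """Parse Junos curly-brace output into nested dicts; leaves map to their value."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()  # drop '## SECRET-DATA' annotations
        if line.endswith("{"):             # open a new hierarchy level
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line == "}":                  # close it
            node = stack.pop()
        elif line:                         # leaf statement "key value;"
            key, _, value = line.rstrip(";").partition(" ")
            node[key] = value
    return root

def audit_aaa(cfg):
    """Return findings; an empty list means the AAA settings match this post's design."""
    system, findings = cfg.get("system", {}), []
    order = system.get("authentication-order", "").strip("[] ").split()
    if order[:1] != ["tacplus"] or "password" not in order:
        findings.append("authentication-order must be [ tacplus password ]")
    for addr, srv in system.get("tacplus-server", {}).items():
        for stmt in ("secret", "source-address", "single-connection"):
            if stmt not in srv:
                findings.append(f"tacplus-server {addr}: missing {stmt}")
    events = system.get("accounting", {}).get("events", "").strip("[] ").split()
    for ev in ("login", "change-log", "interactive-commands"):
        if ev not in events:
            findings.append(f"accounting events: missing {ev}")
    return findings
```

Running `audit_aaa(parse_junos(open("show-system.txt").read()))` against a saved `show system` capture lists every deviation from the configuration built in this post.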
Verification
To verify that the configuration is working, I am going to telnet from the Jumpbox (10.10.10.10) to the JR1 Junos device (10.10.10.1) and attempt to authenticate using the junos user account. I will display the output from the terminal of the Jumpbox, the output from the log messages on the Junos device, as well as the output of the TACACS+ server's logs.
Terminal output from the Jumpbox:
```
routingloop@routingloop-lubuntu:~$ telnet 10.10.10.1
Trying 10.10.10.1...
Connected to 10.10.10.1.
Escape character is '^]'.

JR1 (ttyp1)

login: junos
Password:

--- JUNOS 12.1R1.9 built 2012-03-24 12:52:33 UTC
junos@JR1> configure
Entering configuration mode
Users currently editing the configuration:
  junos terminal p0 (pid 5825) on since 2014-10-26 15:02:26 UTC, idle 00:59:09
      [edit]

[edit]
junos@JR1# show
## Last changed: 2014-10-26 15:52:37 UTC
version 12.1R1.9;
system {
    host-name JR1;
    authentication-order [ tacplus password ];
    root-authentication {
        encrypted-password "$1$36E4jr25$AnFZ.Lm/OTPb9yAfmF5/f0"; ## SECRET-DATA
    }
    tacplus-server {
        10.10.10.100 {
            secret "$9$70Ns4aJDkqfM8UHqmF3ylKvxd"; ## SECRET-DATA
            single-connection;
            source-address 10.10.10.1;
        }
    }
    accounting {
        events [ login change-log interactive-commands ];
        destination {

[edit]
junos@JR1#
```
Output from /var/log/tac_plus.log:
```
root@tacacs:~# tail -f /var/log/tac_plus.log
Sun Oct 26 16:00:37 2014 [1604]: Reading config
Sun Oct 26 16:00:37 2014 [1604]: Version F4.0.4.26 Initialized 1
Sun Oct 26 16:00:37 2014 [1604]: tac_plus server F4.0.4.26 starting
Sun Oct 26 16:00:37 2014 [1605]: Backgrounded
Sun Oct 26 16:00:37 2014 [1606]: uid=0 euid=0 gid=0 egid=0 s=0
Sun Oct 26 16:01:42 2014 [1606]: session.peerip is 10.10.10.1
Sun Oct 26 16:01:42 2014 [1609]: connect from 10.10.10.1 [10.10.10.1]
Sun Oct 26 16:01:44 2014 [1609]: login query for 'junos' ttyp1 from 10.10.10.1 accepted
Sun Oct 26 16:01:44 2014 [1606]: session.peerip is 10.10.10.1
Sun Oct 26 16:01:44 2014 [1610]: connect from 10.10.10.1 [10.10.10.1]
Sun Oct 26 16:01:44 2014 [1610]: authorization query for 'junos' ttyp1 from 10.10.10.1 accepted
Sun Oct 26 16:01:44 2014 [1606]: session.peerip is 10.10.10.1
Sun Oct 26 16:01:44 2014 [1611]: connect from 10.10.10.1 [10.10.10.1]
Sun Oct 26 16:01:48 2014 [1606]: session.peerip is 10.10.10.1
Sun Oct 26 16:01:48 2014 [1612]: connect from 10.10.10.1 [10.10.10.1]
Sun Oct 26 16:01:51 2014 [1606]: session.peerip is 10.10.10.1
Sun Oct 26 16:01:51 2014 [1613]: connect from 10.10.10.1 [10.10.10.1]
```
Output from /var/log/tac_plus/tac_plus.acct:
```
root@tacacs:~# tail -f /var/log/tac_plus/tac_plus.acct
Oct 26 16:01:44 10.10.10.1 junos ttyp1 10.10.10.10 start task_id=1 service=shell process*mgd[7123] cmd=login
Oct 26 16:01:48 10.10.10.1 junos ttyp1 10.10.10.10 stop task_id=2 service=shell process*mgd[7123] cmd=configure
Oct 26 16:01:51 10.10.10.1 junos ttyp1 10.10.10.10 stop task_id=3 service=shell process*mgd[7123] cmd=show
```
As you can see from the above output, the user junos successfully authenticated against the TACACS+ server and was authorised to access the configuration mode of the device. A log was also kept of all the commands that were run by the user in /var/log/tac_plus/tac_plus.acct.
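As an added example that is not part of the original post, this Python parser turns each record in the tac_plus.acct format shown above into a dictionary and reports, per user and device, the commands that entered or changed configuration, which is the part of the accounting trail a reviewer usually wants first. The first three log lines are copied from the output above; the fourth (a `set` command) is a constructed assumption about what such a session would log.

```python
import re
from collections import defaultdict

# Constructed sample in the tac_plus.acct format shown in this post; the last line is assumed
ACCT_LOG = """\
Oct 26 16:01:44 10.10.10.1 junos ttyp1 10.10.10.10 start task_id=1 service=shell process*mgd[7123] cmd=login
Oct 26 16:01:48 10.10.10.1 junos ttyp1 10.10.10.10 stop task_id=2 service=shell process*mgd[7123] cmd=configure
Oct 26 16:01:51 10.10.10.1 junos ttyp1 10.10.10.10 stop task_id=3 service=shell process*mgd[7123] cmd=show
Oct 26 16:02:03 10.10.10.1 junos ttyp1 10.10.10.10 stop task_id=4 service=shell process*mgd[7123] cmd=set system services telnet
"""

# timestamp, NAS (the Junos device), user, port, remote address, start/stop flag, attribute tail
ACCT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<nas>\S+) (?P<user>\S+) (?P<port>\S+) (?P<rem>\S+) "
    r"(?P<flag>start|stop|update)\s+(?P<attrs>.*)$"
)

def parse_acct(text):
    """Yield one dict per accounting record; the attribute tail becomes key/value pairs."""
    for line in text.splitlines():
        m = ACCT_RE.match(line)
        if not m:
            continue  # prompt lines and anything else that is not a record
        rec = m.groupdict()
        attrs = rec.pop("attrs")
        # cmd= comes last and may contain spaces, so split it off before the other pairs
        head, _, cmd = attrs.partition("cmd=")
        rec["cmd"] = cmd.strip()
        for kv in head.split():
            parts = re.split(r"[=*]", kv, 1)  # tac_plus writes process*mgd[pid] with '*'
            rec[parts[0]] = parts[1] if len(parts) > 1 else ""
        yield rec

CONFIG_PREFIXES = ("configure", "set ", "delete ", "commit", "rollback", "load ")

def config_activity(text):
    """Map user@device to the commands that entered or changed configuration."""
    out = defaultdict(list)
    for rec in parse_acct(text):
        if rec["cmd"].startswith(CONFIG_PREFIXES):
            out[f"{rec['user']}@{rec['nas']}"].append(rec["cmd"])
    return dict(out)
```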
This is not working for me. I am able to get the accounting logs on the TACACS server but not able to login to devices using TACACS. Any suggestions?
Hello, all work is fine, very good article! Thank you.