Configure TACACS+ on Junos devices

In this post I will be configuring a Juniper Junos device to authenticate against a local TACACS+ server.

I will be using GNS3 version 1.1, an Ubuntu 14.04 server running the Shrubbery Networks TACACS+ daemon, and a Junos Olive image running JUNOS 12.1R1.9.

TACACS+ Server Configuration

TACACS+ is an Authentication, Authorisation and Accounting protocol that provides a centralised method of controlling user access to network devices. For more information on TACACS+ please see my previous post TACACS+ on Ubuntu 14.04 LTS.

For a Junos device to authenticate against our TACACS+ server, we first need to add a user using the Juniper Networks Vendor-Specific TACACS+ Attributes.

These attributes are specified in the TACACS+ server configuration file on a per-user basis. Junos OS retrieves them by sending an authorization request to the TACACS+ server after the user has been authenticated. The default syntax for the Juniper Networks Vendor-Specific TACACS+ Attributes is as follows:

In this example I will be creating a super-user called junos that will be associated with the default user SU on the Junos device for authorisation.

The sample config for the TACACS+ user is as follows:
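As an added example (not the post's own sample config), the following Shrubbery tac_plus.conf stanza defines the junos user and maps it to the SU template user on the Junos device through the junos-exec service. The file path, the accounting file line and the deny-commands regex are assumptions; the key, username and password are the values used later in the post.

```text
# /etc/tacacs+/tac_plus.conf (constructed example; path assumed from the Ubuntu package)
key = tac_test

# Accounting records written by the daemon (same file the Verification section reads)
accounting file = /var/log/tac_plus/tac_plus.acct

user = junos {
    # Plaintext password for this lab only; a production entry would use a hashed form (login = des ...)
    login = cleartext "cisco"

    # Juniper vendor-specific attributes are returned under the junos-exec service
    service = junos-exec {
        # Map this TACACS+ user to the local template user SU (class super-user) on the Junos device
        local-user-name = SU

        # Optional regexes that further restrict the mapped class (assumed values):
        # here every command is allowed except a reboot or halt of the box
        allow-commands = ".*"
        deny-commands = "^request system (reboot|halt)"
        allow-configuration = ".*"
    }
}
```

Because deny-commands is evaluated even for a super-user template, it is a convenient place to keep destructive operational commands off the TACACS+ path without touching the Junos login classes.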

Junos TACACS+ Configuration

I will be using the following network topology to test the configuration of TACACS+:

In order for TACACS+ to work the following have to be configured on the Junos device:

  1. Configure the server details for Authentication. These include the TACACS+ server IP address, the source IP address, the shared encryption key, and the authentication order to be used on the device.
  2. Assign a login class to authenticated users; this provides the Authorisation of users via TACACS+.
  3. Configure TACACS+ system Accounting for the device.

Authentication

To use TACACS+ authentication on the router, we need to configure information about one or more TACACS+ servers on the network by including one tacplus-server statement at the [edit system] hierarchy level for each TACACS+ server.

The details for the TACACS+ server on the local network are as follows:

  1. Server IP: 10.10.10.100
  2. Key: tac_test
  3. Username: junos
  4. Password: cisco

First we need to add the TACACS+ server IP address and the shared encryption key to the router:

Configure the device to maintain one open Transmission Control Protocol (TCP) connection to the server for multiple requests, rather than opening a connection for each connection attempt.

Next, configure the source IP address that the device will use when contacting the TACACS+ server. Typically this would be a loopback address on the router, but in this case I have just used the IP address of the Ethernet interface:

Next we will configure the order in which the device authenticates users. Best practice is to have TACACS+ authenticate any user connecting to the device and to fall back to local authentication if the TACACS+ server is unreachable. To do this we will configure the system authentication order using the following commands:

Sample output of the configuration so far:

Authorisation

Now that we have the Junos device configured to send authentication requests through to the TACACS+ server, we must configure Authorisation for the user.

This is done slightly differently from Cisco: we configure a set of default users, one for each of the login classes on the Junos device, which provide the Authorisation for remote users. As mentioned earlier, we will be associating our junos TACACS+ user with the super-user account SU:

Sample output:

At this point you will be able to log in to the Junos device and authenticate against the TACACS+ server. However, as we have not configured any accounting profiles yet, we would not be able to track which commands are issued on the device.

Accounting

You can use TACACS+ to track the logins, configuration changes and interactive commands of any user that has authenticated against the TACACS+ server. To do this we first need to configure the system accounting details by issuing the following commands:

Sample output of configuration:

Commit the changes to the device:
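The Junos side of the three steps above (authentication, authorisation and accounting, followed by the commit), as one added example rather than the post's own output. The server address, key and source address are those listed in the Authentication section and SU is the template user from the post; the timeout value and the extra read-only template user RO are assumptions.

```text
# Step 1: Authentication -- TACACS+ server, shared key, single TCP session and source address
set system tacplus-server 10.10.10.100 secret tac_test
set system tacplus-server 10.10.10.100 single-connection
set system tacplus-server 10.10.10.100 source-address 10.10.10.1
set system tacplus-server 10.10.10.100 timeout 5
# Authentication order: TACACS+ first, local password database as the fallback
set system authentication-order [ tacplus password ]

# Step 2: Authorisation -- local template users that the TACACS+ local-user-name attribute maps to
set system login user SU class super-user
# Optional second template (assumed name) for TACACS+ records that should only get read access
set system login user RO class read-only

# Step 3: Accounting -- send login, configuration-change and interactive-command events to the server
set system accounting events [ login change-log interactive-commands ]
set system accounting destination tacplus server 10.10.10.100 secret tac_test

# Commit the configuration and return to operational mode
commit and-quit
```

After the commit, "show system login" on the device should list the template users, and a failed authentication while the server is reachable will not fall through to a template user, since the mapping only happens after the TACACS+ server accepts the credentials.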

Verification

To verify that the configuration is working, I am going to telnet from the Jumpbox (10.10.10.10) to the JR1 Junos device (10.10.10.1) and attempt to authenticate using the junos user account. I will show the terminal output from the Jumpbox, the log messages on the Junos device, and the TACACS+ server's logs.

Terminal output from the Jumpbox:

Output from /var/log/tac_plus.log:

Output from /var/log/tac_plus/tac_plus.acct:

As you can see from the above output, the user junos successfully authenticated against the TACACS+ server and was authorised to access the configuration mode of the device. A record of every command run by the user was also kept in /var/log/tac_plus/tac_plus.acct.

2 thoughts on “Configure TACACS+ on Junos devices”

  1. This is not working for me. I am able to get the accounting logs on the TACACS+ server but not able to login to devices using TACACS+. Any suggestions?