Juniper LABs

Started by certforumz, October 28, 2019, 07:59:14 AM


certforumz

To Telnet or SSH from an external host to a Juniper SRX100, you need to configure this:

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh

set system services ssh
[edit system services ssh]
set root-login allow
set protocol-version v2

Prior to that, you need to assign an IP address to the interface fe-0/0/0.

Check this out:
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-configuartion-viewing.html
https://kb.juniper.net/InfoCenter/index?page=content&id=KB5661

Where to download and install Tacacs+ on Ubuntu:

On Ubuntu, you have a package manager. Just open the package manager and type tacacs+; you will be shown several options. Choose tacacs+ and any other related packages and "Apply". The TACACS+ conf file is located in the /etc/tacacs+ folder.

Basic tacacs working config: for Ubuntu Linux
https://kb.juniper.net/InfoCenter/index?page=content&id=KB17269
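An added example, not part of the original post: the same SSH-from-untrust setup as the snippet above, but with a stateless filter on the untrust interface so that only one management host can reach the SRX's SSH port, because host-inbound-traffic on its own opens the service to everything on the far side of fe-0/0/0. The addresses and the filter and term names are assumptions; the `#` lines are notes, not CLI input.

```junos
# Added example; the addresses and the filter/term names are assumptions.
set interfaces fe-0/0/0 unit 0 family inet address 203.0.113.2/30
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set system services ssh
# Stateless filter, evaluated before the flow engine: SSH to the SRX's own
# untrust address is accepted from the admin host only; other SSH attempts
# to that address are counted, logged and dropped; everything else,
# including transit traffic, passes untouched.
set firewall family inet filter PROTECT-SSH term admin-ssh from source-address 198.51.100.10/32
set firewall family inet filter PROTECT-SSH term admin-ssh from destination-address 203.0.113.2/32
set firewall family inet filter PROTECT-SSH term admin-ssh from protocol tcp
set firewall family inet filter PROTECT-SSH term admin-ssh from destination-port ssh
set firewall family inet filter PROTECT-SSH term admin-ssh then accept
set firewall family inet filter PROTECT-SSH term other-ssh from destination-address 203.0.113.2/32
set firewall family inet filter PROTECT-SSH term other-ssh from protocol tcp
set firewall family inet filter PROTECT-SSH term other-ssh from destination-port ssh
set firewall family inet filter PROTECT-SSH term other-ssh then count dropped-ssh
set firewall family inet filter PROTECT-SSH term other-ssh then syslog
set firewall family inet filter PROTECT-SSH term other-ssh then discard
set firewall family inet filter PROTECT-SSH term everything-else then accept
set interfaces fe-0/0/0 unit 0 family inet filter input PROTECT-SSH
```

Apply it from the management host with `commit confirmed 5` so a mistake in the filter rolls itself back, then check the `dropped-ssh` counter with `show firewall filter PROTECT-SSH` after an SSH attempt from any other address.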


certforumz

The steps include the following:
1. Configuring authentication on TACACS+ server (say, Ubuntu Linux OS)
2. Configuring authorization on TACACS+ server
3. Configuring accounting on TACACS+ server

Next,
1. Configuring TACACS+ on Juniper devices for authentication, authorization, and accounting.

Check out these resources (Found it a bit hard to get relevant resources for TACACS+ config for Juniper):
a) Configuring authentication order on Juniper devices:
[edit system]
authentication-order [ tacplus password ];
    Try the configured TACACS+ authentication servers.
    If a TACACS+ server is available and authentication is accepted, grant access.
    If the TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-authentication-order.html#id-junos-os-authentication-order-for-radius-tacacs-and-password-authentication

To edit config file:

admin@ubuntu:~$ vi /etc/tacacs+/tac_plus.conf

In the config file, define all required attributes, including the following:
key = testing123        # change as required; the same secret must be configured on each Juniper device for AAA

Create user accounts and groups. It is easier to administer if you create groups.
user = NetworkEngineer1 {
        member = Network_Engineers
}
user = Admin1 {
        member = Admins
}
user = Monitor1 {
        member = Managers
}

# global fallback, used when a user or group has no 'login =' of its own
default authentication = file /etc/passwd

group =  Admins {
        default service = permit
        login = file /etc/passwd
        enable = file /etc/passwd
}

group = Network_Engineers {
        default service = deny
        login = file /etc/passwd
        enable = file /etc/passwd
        service = exec {
        priv-lvl = 2
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = do {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit terminal
        }
        cmd = interface {
                permit .*
        }
        cmd = shutdown {
                permit .*
        }
        cmd = no {
                permit shutdown
        }
        cmd = speed {
                permit .*
        }
        cmd = duplex {
                permit .*
        }
        cmd = write {
                permit memory
        }
        cmd = copy {
                permit running-config
        }
}

group = Managers {
        default service = deny
        login = file /etc/passwd
        enable = file /etc/passwd
        service = exec {
        priv-lvl = 2
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = exit {
                permit .*
        }
}

Creating a test user account and group might be a good idea, so you can test out what has been added to this configuration. This particular test user will only have a cleartext password.

user = test {
        member = Test_Group
        login = cleartext password1
        enable = cleartext password1
}
group = Test_Group {
        default service = deny
        service = exec {
                priv-lvl = 2
        }
}

admin@ubuntu:~$ sudo /etc/init.d/tacacs_plus restart
password for admin:
* Restarting TACACS+ authentication daemon tacacs+                      [ OK ]
admin@ubuntu:~$

User Accounts

It is now time to create the user account under Linux.

admin@ubuntu:~$ sudo adduser test
Adding user `test' ...
Adding new group `test' (1001) ...
Adding new user `test' (1001) with group `test' ...
The home directory `/home/test' already exists.  Not copying from `/etc/skel'.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
   Full Name []:
   Room Number []:
   Work Phone []:
   Home Phone []:
   Other []:
Is the information correct? [Y/n] y

To remove a user:
admin@ubuntu:~$ sudo deluser test
password for admin:
Removing user `test' ...
Warning: group `test' has no more members.
Done.

https://networkjutsu.com/tacacs-ubuntu/

Note: You can use a different password file for TACACS+. You need not register the user with adduser in Linux. If you do not want tacacs+ to use Linux users, use a different password file and reference it in the .conf.
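As an added example that is not part of the original post, here is how the same groups look when the clients are Junos devices rather than IOS routers. The `cmd = enable`, `cmd = configure` and similar rules above are what Cisco IOS asks for; a Junos box does not send per-command authorization requests but asks for the `junos-exec` service once at login and then enforces the attributes it receives itself. The key, user names, template names and the accounting path are assumptions.

```conf
# tac_plus.conf fragment for Junos clients (added example; key, names and
# paths are assumptions, not the original poster's configuration)
key = testing123                        # must match 'secret' on every Junos device

# Keep an audit trail of the login and command accounting the devices send.
accounting file = /var/log/tac_plus.acct

user = NetworkEngineer1 {
        member = Network_Engineers
}
user = Admin1 {
        member = Admins
}

group = Admins {
        login = file /etc/passwd
        # local-user-name names a template user that must exist on the device;
        # the login inherits that template's login class.
        service = junos-exec {
                local-user-name = "remote-admin"
        }
}

group = Network_Engineers {
        login = file /etc/passwd
        # Regular expressions over the operational command line; Junos checks
        # deny-commands first, then allow-commands.
        service = junos-exec {
                local-user-name = "remote-operator"
                allow-commands = "(show .*)|(ping .*)|(traceroute .*)|(monitor .*)"
                deny-commands = "(request system .*)|(clear .*)|(restart .*)"
                deny-configuration = ".*"
        }
}
```

After editing, parse the file without starting the daemon with `tac_plus -P -C /etc/tacacs+/tac_plus.conf`, then restart it as shown above. The device side needs the `remote-admin` and `remote-operator` template users to exist, or the login is refused.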





certforumz

[edit system]
user@switch# set authentication-order [ tacplus password ]

[edit]
user@host# show system authentication-order
authentication-order [ password tacplus ];

shared secret: testing123

set system tacplus-server 172.16.98.24
set system tacplus-server 172.16.98.24 secret Testing123
set system tacplus-server 172.16.98.24 source-address 10.0.0.1

[edit]
user@host# show system tacplus-server
tacplus-server 172.16.98.24 {
    secret Tacacssecret1;
    source-address 10.0.0.1;
}

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/user-access-tacacs-authentication.html#id-example-configuring-a-tacacs-server-for-system-authentication

Authentication order using tacacs+ password (local):
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-authentication-order.html#id-junos-os-authentication-order-for-radius-tacacs-and-password-authentication
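The device side of the same setup, written out as one added example (not the poster's configuration and not the Juniper documentation's). It assumes the server at 172.16.98.24 with the secret Testing123 from the post above; the template user names are assumptions that must match whatever `local-user-name` the server returns, and `localadmin` is a break-glass account that keeps working when the server is unreachable. The `#` lines are notes, not CLI input.

```junos
# Added example; server address, secret and user names are assumptions.
set system tacplus-server 172.16.98.24 secret Testing123
set system tacplus-server 172.16.98.24 source-address 10.0.0.1
set system tacplus-server 172.16.98.24 timeout 5
# Try TACACS+ first; fall back to the local password database on a reject
# or when no server answers.
set system authentication-order [ tacplus password ]
# Template users: a TACACS+ login lands in the class of the template the
# server names in local-user-name. 'remote' is the catch-all used when the
# server names none, so keep it read-only.
set system login user remote class read-only
set system login user remote-operator class operator
set system login user remote-admin class super-user
# Local break-glass account; the CLI prompts for the password.
set system login user localadmin class super-user authentication plain-text-password
# Send logins, configuration changes and every interactive command to the
# server so the tac_plus accounting file has the full session history.
set system accounting events [ login change-log interactive-commands ]
set system accounting destination tacplus server 172.16.98.24 secret Testing123
```

After committing, log in as a TACACS+ user and check `show system users` on the device and the accounting file on the server. Because `password` is listed in the authentication order, a reject from the server still lets the local password database be tried, so the local accounts need passwords as strong as the TACACS+ ones.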


certforumz

In brief:

1. Install tacacs+ on Ubuntu
2. Configure the .conf file with the appropriate shared key, users, and the clients (devices) that access the TACACS+ server
3. Enable TACACS+ on the client(s), i.e. the Juniper devices
4. Do a test run with the test account.

This is the minimum config. You need to have groups, authorization, and accounting set up for full-fledged TACACS+ features.


certforumz

root@srx> show system storage partitions 
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: backup (da0s1a)

Partitions information:
  Partition  Size   Mountpoint
  s1a        292M   /
  s2a        293M   altroot
  s3e        24M    /config
  s3f        342M   /var
  s4a        30M    recovery

root@srx> request system snapshot slice alternate
Formatting alternate root (/dev/da0s2a)...
Copying '/dev/da0s1a' to '/dev/da0s2a' .. (this may take a few minutes)
The following filesystems were archived:

certforumz

Juniper JUNOS Static route configuration:

To configure a static route on a Juniper device running JUNOS, follow these steps:

1. Enter configuration mode by typing configure in the CLI.
2. Specify the destination network and subnet mask using CIDR notation. For example, to add a static route for the network 10.0.0.0/24, type routing-options static route 10.0.0.0/24.
3. Specify the next-hop IP address or interface for the static route. For example, to specify a next-hop IP address of 192.168.1.1, type next-hop 192.168.1.1. If you want to specify an outgoing interface instead of a next-hop IP address, type next-hop-interface <interface-name>.
4. Optionally, you can specify additional parameters such as administrative distance or metric. For example, to set a metric of 5 for the static route, type metric 5.
5. To commit your changes, type commit.

An example configuration for a static route with a next-hop IP address of 192.168.1.1:

configure
set routing-options static route 10.0.0.0/24 next-hop 192.168.1.1
commit

Check out the virtual labs here:

https://routersimulator.certexams.com/juniper-sim/labs/index.html

certforumz

Telnet to a Juniper JUNOS router:

To configure Telnet on a Juniper device running JUNOS, follow these steps:

1. Enter configuration mode by typing configure in the CLI.
2. Configure a hostname for the device by typing set system host-name <hostname>.
3. Configure the device's IP address by typing set interfaces <interface-name> unit <unit-number> family inet address <ip-address>/<subnet-mask>.
4. Enable Telnet service by typing set system services telnet.
(Optional) Configure a username and password for Telnet authentication by typing set system login user <username> authentication plain-text-password.
5. To commit your changes, type commit.

Example configuration for Telnet:
configure
set system host-name router1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set system services telnet
set system login user admin authentication plain-text-password
commit
After configuring Telnet on the router, you can connect to it using a Telnet client such as PuTTY. You will need to provide the router's IP address or hostname and the Telnet port number (23 by default). Once connected, you will be prompted for your username and password.
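As an added example (not the original post's commands), the same device reached over SSH instead of Telnet, which carries the password and every command in cleartext across the network. Hostname, address, user name and the public key are assumptions; the `#` lines are notes, not CLI input.

```junos
# Added example; hostname, address, user name and key are assumptions.
set system host-name router1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
# Remove the cleartext service and expose SSH version 2 only.
delete system services telnet
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 5
# Key-based login for the admin account: nothing to sniff or brute-force.
set system login user admin class super-user authentication ssh-rsa "ssh-rsa AAAA...REPLACE-WITH-REAL-PUBLIC-KEY admin@mgmt"
# Slow down and cut off password guessing on any account that still uses one.
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5
set system login password minimum-length 12
```

Connect with `ssh admin@192.168.1.1` from the host holding the matching private key; root stays reachable from the console only.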

certforumz

JUNOS default route configuration on a router:

To configure a default route on a Juniper device running JUNOS, you can use the following steps:

1. Enter configuration mode by typing configure in the CLI.
2. Specify the default route using the default keyword. For example, type routing-options static route 0.0.0.0/0.
3. Specify the next-hop IP address or interface for the default route. For example, to specify a next-hop IP address of 192.168.1.1, type next-hop 192.168.1.1. If you want to specify an outgoing interface instead of a next-hop IP address, type next-hop-interface <interface-name>.
4. Optionally, you can specify additional parameters such as administrative distance or metric. For example, to set a metric of 5 for the default route, type metric 5.
5. To commit your changes, type commit.

Example configuration for a default route with a next-hop IP address of 192.168.1.1:

configure
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
commit

Check out the Juniper JUNOS labs and switch labs with dozens of examples.
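One added example (not from the posts above) that ties the static-route post and the default-route post together: a primary next-hop, a floating backup that only enters the table when the primary is unusable, and a discard route. The addresses are assumptions; the `#` lines are notes, not CLI input.

```junos
# Added example; all addresses are assumptions.
# Primary path. Static routes get preference 5 unless told otherwise.
set routing-options static route 10.0.0.0/24 next-hop 192.168.1.1
# Floating backup: the higher preference keeps it out of the forwarding
# table while the primary next-hop is usable.
set routing-options static route 10.0.0.0/24 qualified-next-hop 192.168.2.1 preference 10
# Default route with the same primary/backup pair.
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.2.1 preference 10
# Keep the default route out of routing-protocol redistribution.
set routing-options static route 0.0.0.0/0 no-readvertise
# Black-hole an internal prefix that is not in use, so packets for it are
# dropped here instead of bouncing out through the default route.
set routing-options static route 192.168.100.0/24 discard
```

Check the result with `show route 10.0.0.0/24` and `show route 0.0.0.0/0 exact`: the 192.168.1.1 next-hop is marked active and the 192.168.2.1 entry waits with preference 10. A static next-hop is only withdrawn when the egress interface goes down, so a dead neighbour on an interface that stays up does not trigger the failover on its own.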