Author Topic: Juniper LABs

Offline certforumz

  • Cert Exams
  • Administrator
  • Hero Member
  • *****
  • Posts: 932
  • Ask me a question ...
    • CertExams - CCNA, A+, Network+, and Others
Juniper LABs
« on: October 28, 2019, 07:59:14 AM »
To telnet or ssh from an external host to Juniper SRX100, you need to configure this:

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh

set system services ssh
edit system services ssh
set root-login allow
set protocol-version v2

Prior to that, you need to assign an IP address to the interface fe-0/0/0.

Check this out:
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-configuartion-viewing.html
https://kb.juniper.net/InfoCenter/index?page=content&id=KB5661

Where to download and install Tacacs+ on Ubuntu:

On Ubuntu, you have a package manager. Just open the package manager and type tacacs+; you will see several options. Choose tacacs+ and any other related packages and "apply". The tacacs+ conf file is located in the /etc/tacacs+ folder.

Basic tacacs working config: for Ubuntu Linux
https://kb.juniper.net/InfoCenter/index?page=content&id=KB17269
« Last Edit: November 06, 2019, 12:21:09 PM by certforumz »


Offline certforumz

Re: Juniper LABs - Configuring TACACS+ (tac_plus) for Juniper labs
« Reply #2 on: November 05, 2019, 02:31:18 AM »
The steps include the following:
1. Configuring authentication on TACACS+ server (say, Ubuntu Linux OS)
2. Configuring authorization on TACACS+ server
3. Configuring accounting on TACACS+ server

Next,
1. Configuring TACACS+ on Juniper devices for authentication, authorization, and accounting.

Check out these resources (Found it a bit hard to get relevant resources for TACACS+ config for Juniper):
a) Configuring authentication order on Juniper devices:
[edit system]
authentication-order [ tacplus password ];
    Try the configured TACACS+ authentication servers.
    If a TACACS+ server is available and authentication is accepted, grant access.
    If the TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-authentication-order.html#id-junos-os-authentication-order-for-radius-tacacs-and-password-authentication

To edit config file:

admin@ubuntu:~$ vi /etc/tacacs+/tac_plus.conf

Using config file, define all required attributes, including the following:
key = testing123   # change as required; the same key must be configured on each Juniper device for AAA

Create user accounts and groups. It is easy to administer if you create groups.
user = NetworkEngineer1 {
        member = Network_Engineers
}
user = Admin1 {
        member = Admins
}
user = Monitor1 {
        member = Managers
}

# Server-wide default authentication source (tac_plus.conf keyword); the
# per-group login/enable lines below override it where set.
default authentication = file /etc/passwd

group =  Admins {
        default service = permit
        login = file /etc/passwd
        enable = file /etc/passwd
}

group = Network_Engineers {
        default service = deny
        login = file /etc/passwd
        enable = file /etc/passwd
        service = exec {
                priv-lvl = 2
        }
        # The cmd blocks below use Cisco IOS-style command names (from the linked
        # Ubuntu guide). Junos does not send per-command authorization requests;
        # it maps the user to a local login class via the local-user-name
        # attribute and restricts commands with allow-commands / deny-commands.
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = do {
                permit .*
        }
        cmd = exit {
                permit .*
        }
        cmd = configure {
                permit terminal
        }
        cmd = interface {
                permit .*
        }
        cmd = shutdown {
                permit .*
        }
        cmd = no {
                permit shutdown
        }
        cmd = speed {
                permit .*
        }
        cmd = duplex {
                permit .*
        }
        cmd = write {
                permit memory
        }
        cmd = copy {
                permit running-config
        }
}

group = Managers {
        default service = deny
        login = file /etc/passwd
        enable = file /etc/passwd
        service = exec {
                priv-lvl = 2
        }
        cmd = enable {
                permit .*
        }
        cmd = show {
                permit .*
        }
        cmd = exit {
                permit .*
        }
}

Creating a test user account and the group might be a good idea, so you can test things out that have been added to this configuration. This particular test user will only have a cleartext password.

user = test {
        member = Test_Group
}
group = Test_Group {
        default service = deny
        service = exec {
                priv-lvl = 2
        }
        # cleartext keyword: password stored unhashed in the conf; test use only
        login = cleartext password1
        enable = cleartext password1
}

admin@ubuntu:~$ sudo /etc/init.d/tacacs_plus restart
password for admin:
 * Restarting TACACS+ authentication daemon tacacs+                      [ OK ]
admin@ubuntu:~$

User Accounts

It is now time to create the user account under Linux.

admin@ubuntu:~$ sudo adduser test
Adding user `test' ...
Adding new group `test' (1001) ...
Adding new user `test' (1001) with group `test' ...
The home directory `/home/test' already exists.  Not copying from `/etc/skel'.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
   Full Name []:
   Room Number []:
   Work Phone []:
   Home Phone []:
   Other []:
Is the information correct? [Y/n] y

To remove a user:
admin@ubuntu:~$ sudo deluser test
 password for admin:
Removing user `test' ...
Warning: group `test' has no more members.
Done.

https://networkjutsu.com/tacacs-ubuntu/

Note: You can use a different password file for tacacs+. The user need not be registered with adduser in Linux. If you do not want tacacs+ to use Linux users, use a different password file and reference it in the .conf.




« Last Edit: November 05, 2019, 06:42:08 AM by certforumz »
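An added example, not from the thread or the tac_plus project: a small Python audit script that parses the tac_plus.conf subset shown above and flags what a reviewer checks before pointing lab devices at the server: groups with `default service = permit`, passwords stored with the `cleartext` keyword, users whose `member` names an undefined group, and a device `secret` that does not match the server `key`. Keys are compared byte for byte, which is exactly how a `Testing123` versus `testing123` mismatch surfaces. The sample configuration and Junos set lines are constructed for the example; `parse_tac_plus`, `audit_tac_plus` and `check_device_secrets` are names chosen here, not tac_plus or Junos identifiers.

```python
import re

# Constructed sample in the thread's tac_plus.conf style (not a real deployment).
SAMPLE_CONF = """
key = testing123   # must match the secret configured on every Juniper device
default authentication = file /etc/passwd

user = Admin1 {
        member = Admins
}
user = test {
        member = Test_Group
}
user = Orphan1 {
        member = Nowhere
}
group = Admins {
        default service = permit
        login = file /etc/passwd
}
group = Test_Group {
        default service = deny
        service = exec {
                priv-lvl = 2
        }
        login = cleartext password1
        enable = cleartext password1
}
"""

# Constructed Junos 'set' lines; note the secret's case differs from the server key.
SAMPLE_JUNOS = [
    "set system tacplus-server 172.16.98.24 secret Testing123",
    "set system tacplus-server 172.16.98.24 source-address 10.0.0.1",
]


def parse_tac_plus(text):
    """Parse the tac_plus.conf subset used in the thread into nested dicts.

    Returns {"globals": {...}, "users": {name: attrs}, "groups": {name: attrs}}.
    Nested blocks (service = exec {...}, cmd = show {...}) become dict entries
    keyed "service exec", "cmd show"; bare lines such as 'permit .*' are
    stored with an empty value. Comments start with '#'.
    """
    root = {"globals": {}, "users": {}, "groups": {}}
    stack = [root["globals"]]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif line.endswith("{"):
            kind, _, name = line[:-1].partition("=")
            kind, name = kind.strip(), name.strip()
            block = {}
            if len(stack) == 1 and kind in ("user", "group"):
                root[kind + "s"][name] = block
            else:
                stack[-1][f"{kind} {name}"] = block
            stack.append(block)
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in tac_plus.conf")
    return root


def audit_tac_plus(conf):
    """Return human-readable findings for the risky settings a reviewer checks."""
    findings = []
    if not conf["globals"].get("key"):
        findings.append("no global key: packet bodies would travel unobfuscated")
    for section in ("groups", "users"):
        for name, attrs in conf[section].items():
            label = f"{section[:-1]} {name}"
            if attrs.get("default service") == "permit":
                findings.append(f"{label}: default service = permit authorizes every command")
            for attr in ("login", "enable"):
                if attrs.get(attr, "").startswith("cleartext"):
                    findings.append(f"{label}: {attr} password stored in cleartext")
            member = attrs.get("member")
            if member and member not in conf["groups"]:
                findings.append(f"{label}: member of undefined group {member}")
    return findings


_SECRET_RE = re.compile(r"^set system tacplus-server (\S+) secret (\S+)$")


def check_device_secrets(conf, junos_set_lines):
    """Map each device address to True/False: does its 'secret' equal the server key?"""
    key = conf["globals"].get("key", "")
    results = {}
    for line in junos_set_lines:
        m = _SECRET_RE.match(line.strip())
        if m:
            results[m.group(1)] = (m.group(2) == key)
    return results


if __name__ == "__main__":
    parsed = parse_tac_plus(SAMPLE_CONF)
    for f in audit_tac_plus(parsed):
        print("FINDING:", f)
    for addr, ok in check_device_secrets(parsed, SAMPLE_JUNOS).items():
        print(f"{addr}: secret {'matches' if ok else 'does NOT match'} server key")
```

Run it against a real `/etc/tacacs+/tac_plus.conf` by reading the file into `parse_tac_plus`; the parser only understands the block style used in this thread, so a `host` block or quoted values would need a small extension.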

Offline certforumz

Re: Juniper LABs Configuring TACACS+ on Juniper Devices - Continued..2
« Reply #3 on: November 05, 2019, 06:36:11 AM »
[edit system]
user@switch# set authentication-order [ tacplus password ]

[edit]
user@host# show system authentication-order
authentication-order [ password tacplus ];

shared secret: testing123

set system tacplus-server 172.16.98.24
set system tacplus-server 172.16.98.24 secret testing123
set system tacplus-server 172.16.98.24 source-address 10.0.0.1

[edit]
user@host# show system tacplus-server
tacplus-server 172.16.98.24 {
    secret Tacacssecret1;
    source-address 10.0.0.1;
}

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/user-access-tacacs-authentication.html#id-example-configuring-a-tacacs-server-for-system-authentication

Authentication order using tacacs+ password (local):
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-authentication-order.html#id-junos-os-authentication-order-for-radius-tacacs-and-password-authentication
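An added example, not from the thread or Juniper's documentation, showing what the shared secret actually does on the wire. It implements the body obfuscation from RFC 8907 section 4.5 (the TACACS+ specification): each packet body is XORed with a pad built from chained MD5 digests of the session id, the secret, the version byte and the sequence number. Run against a constructed authentication START body, it shows why the device's `secret` and the server's `key` must match byte for byte (`Testing123` and `testing123` yield different pads, so the server reads garbage) and why the RFC calls this obfuscation rather than encryption. `build_authen_start`, `obfuscate_body`, `tacacs_header`, `encode_packet` and `decode_body` are names chosen for the example; the session id and field values are constructed.

```python
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag set only when no key is configured
# Authentication START fields (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_{n-1}); digests are
    concatenated until they cover the body. session_id is the 4-byte
    network-order header field, version and seq_no the 1-byte header fields."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(body, session_id, key, version, seq_no):
    """XOR the body with the pad. XOR is its own inverse, so the same call
    deobfuscates a body received from the peer when the keys match."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port=b"tty0", rem_addr=b"10.0.0.1", priv_lvl=1):
    """Authentication START body for an ASCII login (RFC 8907 section 5.1):
    eight 1-byte fields followed by the variable-length user/port/rem_addr/data."""
    data = b""   # constructed: empty data field for an ASCII login START
    fixed = struct.pack("!BBBBBBBB",
                        TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def tacacs_header(seq_no, session_id, body_len, flags=0, pkt_type=TAC_PLUS_AUTHEN):
    """12-byte header: version, type, seq_no, flags, session_id, length."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT   # 0xC0
    return struct.pack("!BBBBII", version, pkt_type, seq_no, flags, session_id, body_len)


def encode_packet(body, session_id, key, seq_no=1):
    """Client side: header plus obfuscated body, as sent on TCP/49."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    wire_body = obfuscate_body(body, session_id, key, version, seq_no)
    return tacacs_header(seq_no, session_id, len(wire_body)) + wire_body


def decode_body(packet, key):
    """Server side: parse the header and deobfuscate with the server's own key.
    With a mismatched key the result is not the original body, which is what
    the daemon sees when the Junos 'secret' and the tac_plus 'key' differ."""
    version, _pkt_type, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate_body(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    start = build_authen_start(b"test")
    pkt = encode_packet(start, 0x1234ABCD, b"testing123")
    print("server key matches:", decode_body(pkt, b"testing123") == start)
    print("server key Testing123:", decode_body(pkt, b"Testing123") == start)
```

Because the pad depends only on header fields and the secret, anyone holding the secret can recover every body, and a weak or widely shared lab key offers little protection; RFC 8907 accordingly expects TACACS+ to run on a trusted management network, which is also why the `source-address` setting above, pinning the device side to the management address, is worth keeping.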


Offline certforumz

Re: Juniper LABs
« Reply #4 on: November 05, 2019, 06:39:23 AM »
In brief:

1. Install tacacs+ on Ubuntu
2. Configure the .conf file with the appropriate shared key, users, and the clients (devices) that access tacacs
3. Enable tacacs on the client(s), i.e. the Juniper devices
4. Do a test run with the test account.

This is the minimum config. You need to have groups, authorization, and accounting set up for full-fledged tacacs+ features.
