The steps include the following:
1. Configuring authentication on the TACACS+ server (here, Ubuntu Linux with the tacacs+ package, which is Shrubbery tac_plus)
2. Configuring authorization on the TACACS+ server
3. Configuring accounting on the TACACS+ server
Next, on the network side:
1. Configuring TACACS+ on Juniper devices for authentication, authorization, and accounting.
Check out these resources (relevant resources for TACACS+ configuration on Juniper were a bit hard to find):
a) Configuring authentication order on Juniper devices:
[edit system]
authentication-order [ tacplus password ];
Try the configured TACACS+ authentication servers first.
If a TACACS+ server is available and accepts the authentication, grant access.
If the TACACS+ servers fail to respond or return a reject response, try password (local) authentication, because it is explicitly configured in the authentication order. Note the consequence: a user rejected by TACACS+ can still log in with a local password, so local accounts on the device must be few and strongly protected. If password is left out of the order, Junos falls back to local passwords only when no TACACS+ server responds; a reject then denies access.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-authentication-order.html#id-junos-os-authentication-order-for-radius-tacacs-and-password-authentication
To edit the config file:
admin@ubuntu:~$ vi /etc/tacacs+/tac_plus.conf
Using the config file, define all required attributes, including the following:
key = testing123   # change as required; the same secret must be configured on each Juniper device for AAA
The key is a shared secret and is all that protects the TACACS+ packet body on the wire (the body is obfuscated with an MD5-derived pad, not encrypted), so use a long random value rather than an example like this one, and keep server-to-device traffic on a management network. Comments in tac_plus.conf start with #.
Create user accounts and groups. It is easier to administer if you create groups. Note that the priv-lvl attribute and the cmd = { } blocks in the groups below are Cisco IOS constructs (the source this was adapted from is a Cisco guide). Junos does not send per-command authorization requests to TACACS+; it asks once at login for the junos-exec service and itself enforces whatever allow-commands/deny-commands regexes come back. The IOS-style rules do no harm here, but they are not what Junos uses.
user = NetworkEngineer1 {
member = Network_Engineers
}
user = Admin1 {
member = Admins
}
user = Monitor1 {
member = Managers
}
# Top-level default: users and groups that do not set their own login method are checked against the Linux password database
# (login = ... and enable = ... lines are only valid inside a user or group block, not here at top level)
default authentication = file /etc/passwd
group = Admins {
default service = permit
login = file /etc/passwd
enable = file /etc/passwd
}
group = Network_Engineers {
default service = deny
login = file /etc/passwd
enable = file /etc/passwd
# priv-lvl and the cmd = { } rules below are Cisco IOS per-command authorization; Junos never requests them
service = exec {
priv-lvl = 2
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = do {
permit .*
}
cmd = exit {
permit .*
}
cmd = configure {
permit terminal
}
cmd = interface {
permit .*
}
cmd = shutdown {
permit .*
}
cmd = no {
permit shutdown
}
cmd = speed {
permit .*
}
cmd = duplex {
permit .*
}
cmd = write {
permit memory
}
cmd = copy {
permit running-config
}
}
group = Managers {
default service = deny
login = file /etc/passwd
enable = file /etc/passwd
service = exec {
priv-lvl = 2
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
}
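Junos asks the TACACS+ server for the junos-exec service once at login and expects the authorization result as attributes, not as per-command cmd = { } rules. The group below is an added example of that shape for tac_plus.conf (it is not from the page or from the networkjutsu guide). The template name junos-netops is an assumption; it must exist as a login user on the device, and the command regexes are illustrative.

```text
# Added example: a tac_plus.conf group carrying the attributes Junos actually consumes.
# Junos sends one authorization request (service = junos-exec) at login and enforces
# the returned regexes locally; the cmd = { } blocks above are never consulted by Junos.
group = Junos_Network_Engineers {
    default service = deny
    login = file /etc/passwd
    service = junos-exec {
        # Selects the Junos login template (assumed name) whose class sets the base
        # permissions; the regexes below narrow or widen that class at login time.
        local-user-name = junos-netops
        allow-commands = "(show .*)|(configure)|(commit .*)|(rollback .*)"
        deny-commands = "(request system .*)|(file .*)|(start shell.*)"
        allow-configuration = "(interfaces .*)"
        deny-configuration = "(system .*)"
    }
}
```

A user is attached to it the same way as the other groups (member = Junos_Network_Engineers). If no local-user-name attribute is returned, Junos maps the login to the template user named remote, if one exists, so that template should carry the least permission you are willing to give an unmapped TACACS+ user.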
Creating a test user account and group might be a good idea, so you can test what has been added to this configuration. This particular test user only has a cleartext password stored in tac_plus.conf (login = cleartext ...), so remove it once testing is done.
user = test {
member = Test_Group
}
group = Test_Group {
default service = deny
login = cleartext password1
enable = cleartext password1
service = exec {
priv-lvl = 2
}
}
admin@ubuntu:~$ sudo /etc/init.d/tacacs_plus restart
password for admin:
* Restarting TACACS+ authentication daemon tacacs+ [ OK ]
admin@ubuntu:~$
User Accounts
It is now time to create the user account under Linux.
admin@ubuntu:~$ sudo adduser test
Adding user `test' ...
Adding new group `test' (1001) ...
Adding new user `test' (1001) with group `test' ...
The home directory `/home/test' already exists. Not copying from `/etc/skel'.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
To remove a user:
admin@ubuntu:~$ sudo deluser test
password for admin:
Removing user `test' ...
Warning: group `test' has no more members.
Done.
https://networkjutsu.com/tacacs-ubuntu/
Note: You can use a different password file for TACACS+. The user need not be registered with adduser in Linux. If you do not want tacacs+ to use Linux users, point login = file at a separate passwd-format file in tac_plus.conf.
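The page lists the Juniper side (authentication, authorization, and accounting) as a step but only shows authentication-order. The following is an added example of a complete device-side configuration in the same [edit system] hierarchy as above; it is not from the page or from Juniper's documentation. The server address 192.0.2.10, source address 192.0.2.1, the class name netops, the template user junos-netops, and the uid values are assumptions; the secret matches the key = testing123 shown for tac_plus.conf and should be replaced along with it.

```text
/* Added example: Junos AAA against the TACACS+ server built above (assumed addresses and names) */
system {
    tacplus-server {
        /* secret must equal key = in tac_plus.conf; source-address pins the IP the server sees */
        192.0.2.10 {
            secret "testing123";
            source-address 192.0.2.1;
            timeout 5;
        }
    }
    /* TACACS+ first; local passwords are tried on timeout or reject because password is listed */
    authentication-order [ tacplus password ];
    login {
        /* class for logins whose authorization reply carries local-user-name = junos-netops */
        class netops {
            permissions [ view view-configuration interface interface-control ];
        }
        user junos-netops {
            uid 2001;
            class netops;
        }
        /* fallback template for TACACS+ users whose reply has no local-user-name attribute */
        user remote {
            uid 2000;
            class read-only;
        }
    }
    /* accounting: login events, configuration changes and every interactive command go to the same server */
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server {
                    192.0.2.10 {
                        secret "testing123";
                    }
                }
            }
        }
    }
}
```

Load it with load merge in configuration mode and commit. The authorization side works in two layers: the class attached to the template user sets the base permissions, and any allow-commands/deny-commands (and allow-configuration/deny-configuration) regexes returned by the server for the junos-exec service are applied on top of it, so a TACACS+ reply can restrict but the class still bounds what a mapped user can do. Because password follows tacplus in the order, keep the local root password strong and do not create more local users than the templates require.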