To telnet or SSH from an external host to a Juniper SRX100, you need to configure this (the lines below enable SSH; for telnet the service name is telnet in both the zone statement and system services):
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set system services ssh
[edit system services ssh]
set root-login allow
set protocol-version v2
Note that root-login allow permits direct root logins over SSH; root-login deny together with a named super-user account keeps logins attributable to a person and is the safer default.
Before that, assign an IP address to interface fe-0/0/0 (unit 0), since the zone statement references fe-0/0/0.0.
The same zone statement for a ge- interface, and the Juniper references:
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-configuartion-viewing.html
https://kb.juniper.net/InfoCenter/index?page=content&id=KB5661
Where to download and install TACACS+ on Ubuntu:
On Ubuntu, use the package manager: open it (or apt), search for tacacs+, select the tacacs+ package and any related packages, and apply. The configuration file is /etc/tacacs+/tac_plus.conf.
Basic working TACACS+ config for Ubuntu Linux:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB17269
***** https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-authentication-order.html
******* https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/system-basics/user-access.html
*** https://www.juniper.net/documentation/en_US/junos/topics/topic-map/user-access-tacacs-authentication.html
https://forums.juniper.net/t5/SRX-Services-Gateway/Tacacs-Problem/td-p/265466
https://blog.marquis.co/tag/tacacs/
The steps include the following:
1. Configuring authentication on the TACACS+ server (say, Ubuntu Linux)
2. Configuring authorization on the TACACS+ server
3. Configuring accounting on the TACACS+ server
Next,
4. Configuring TACACS+ on the Juniper devices for authentication, authorization, and accounting.
Check out these resources (relevant resources for TACACS+ configuration on Juniper were a bit hard to find):
a) Configuring authentication order on Juniper devices:
[edit system]
authentication-order [ tacplus password ];
With this order, Junos first tries the configured TACACS+ servers.
If a TACACS+ server is reachable and accepts the credentials, access is granted.
If the TACACS+ servers fail to respond, or return a reject, Junos tries local password authentication, because password is explicitly listed in the authentication order.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-authentication-order.html#id-junos-os-authentication-order-for-radius-tacacs-and-password-authentication
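A small model of the authentication-order decision, added here as an example (not code from this page or from Juniper). It follows the behaviour described above for [ tacplus password ] and, for comparison, Juniper's documented behaviour when only tacplus is listed: a reject then denies the login, and the local password is tried only when no TACACS+ server answers. Server replies are constructed values.

```python
# Constructed server replies: "accept", "reject" or "timeout" (no TACACS+ server answered).
# Assumes a single TACACS+ server; with several, "timeout" stands for all of them timing out.

def authenticate(order, tacplus_reply, local_password_ok):
    """Return (granted, method) for one login attempt.

    order             -- the Junos authentication-order list, e.g. ["tacplus", "password"]
    tacplus_reply     -- constructed reply from the TACACS+ server(s)
    local_password_ok -- whether the user's local Junos password would match
    """
    servers_responded = False
    for method in order:
        if method == "tacplus":
            if tacplus_reply == "timeout":
                continue                        # no answer: move on to the next method
            servers_responded = True
            if tacplus_reply == "accept":
                return True, "tacplus"
            # reject: only a method listed later in the order can still grant access
        elif method == "password" and local_password_ok:
            return True, "password"
    # Out of methods. The local password is the implicit fallback only when no remote
    # server answered and "password" was not already tried as part of the list.
    if not servers_responded and "password" not in order:
        return local_password_ok, "password (fallback, servers unreachable)"
    return False, "denied"

def compare_orders():
    """Same server outcomes under [tacplus password] (as above) and under tacplus alone."""
    cases = {}
    for order in (["tacplus", "password"], ["tacplus"]):
        for reply in ("accept", "reject", "timeout"):
            cases[(" ".join(order), reply)] = authenticate(order, reply, local_password_ok=True)
    return cases
```

The ("tacplus", "reject") entry of compare_orders() is the case to remember: without password in the order, a reject from a reachable server is final.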
To edit the config file:
admin@ubuntu:~$ sudo vi /etc/tacacs+/tac_plus.conf
In the config file, define all required attributes, starting with the shared key:
key = testing123   # change as required; the same secret must be configured on each Juniper device (secrets are case sensitive)
Create user accounts and groups. It is easier to administer if you put users in groups and attach the policy to the group.
# Users: each is only a member of a group; the group carries the login method and authorization.
user = NetworkEngineer1 {
    member = Network_Engineers
}
user = Admin1 {
    member = Admins
}
user = Monitor1 {
    member = Managers
}
# login = / enable = are per-user or per-group attributes, not top-level statements.
# The top-level equivalent is the default method for users that define none:
default authentication = file /etc/passwd
group = Admins {
    default service = permit          # anything not matched by a cmd block is allowed
    login = file /etc/passwd          # passwords come from the Linux accounts
    enable = file /etc/passwd
}
group = Network_Engineers {
    default service = deny            # anything not matched by a cmd block is denied
    login = file /etc/passwd
    enable = file /etc/passwd
    # priv-lvl and the cmd = blocks are Cisco IOS-style authorization attributes.
    # Junos does not use priv-lvl; it maps the user to a local login class
    # (local-user-name attribute) and takes command authorization from that class.
    service = exec {
        priv-lvl = 2
    }
    cmd = enable {
        permit .*
    }
    cmd = show {
        permit .*
    }
    cmd = do {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = configure {
        permit terminal
    }
    cmd = interface {
        permit .*
    }
    cmd = shutdown {
        permit .*
    }
    cmd = no {
        permit shutdown
    }
    cmd = speed {
        permit .*
    }
    cmd = duplex {
        permit .*
    }
    cmd = write {
        permit memory
    }
    cmd = copy {
        permit running-config
    }
}
group = Managers {
    default service = deny
    login = file /etc/passwd
    enable = file /etc/passwd
    service = exec {
        priv-lvl = 2
    }
    cmd = enable {
        permit .*
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}
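To see what the cmd = blocks above actually permit, here is an added example (not the page's file and not tac_plus code) that reads a constructed excerpt in the same syntax and evaluates command lines against it. It assumes the simplified model of tac_plus described in the comments, in particular that each permit/deny pattern is an unanchored regular-expression search over the command's arguments, the way POSIX regexec matches.

```python
import re
# Constructed tac_plus.conf excerpt in the one-statement-per-line layout of the group above.
SAMPLE_CONF = """
group = Network_Engineers {
    default service = deny
    cmd = configure {
        permit terminal
    }
    cmd = copy {
        permit running-config
    }
}
"""

def parse_groups(conf):
    """Read group / default service / cmd blocks into dicts (subset of tac_plus.conf syntax)."""
    groups, group, cmd = {}, None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment in tac_plus.conf
        if m := re.fullmatch(r"group\s*=\s*(\S+)\s*\{", line):
            group = groups.setdefault(m[1], {"default": "deny", "cmd": {}})
        elif m := re.fullmatch(r"default service\s*=\s*(permit|deny)", line):
            group["default"] = m[1]
        elif m := re.fullmatch(r"cmd\s*=\s*(\S+)\s*\{", line):
            cmd = group["cmd"].setdefault(m[1], [])
        elif m := re.fullmatch(r"(permit|deny)\s+(.+)", line):
            cmd.append((m[1], m[2]))
        elif line == "}":                             # closes a cmd block, otherwise the group
            cmd, group = (None, group) if cmd is not None else (None, None)
    return groups

def authorize(group, command_line):
    """Model of tac_plus command authorization: first word picks the cmd block; patterns are
    searched in order against the remaining arguments; first match wins; no match in a cmd
    block means deny; a command with no cmd block falls back to 'default service'."""
    name, _, args = command_line.strip().partition(" ")
    rules = group["cmd"].get(name)
    if rules is None:
        return group["default"] == "permit"
    for verb, pattern in rules:
        if re.search(pattern, args):
            return verb == "permit"
    return False

def check(conf=SAMPLE_CONF, group_name="Network_Engineers"):
    """Run constructed command lines through the policy; returns {command: allowed}."""
    group = parse_groups(conf)[group_name]
    commands = ["configure terminal", "configure private", "copy running-config startup-config",
                "copy startup-config running-config", "reload"]
    return {c: authorize(group, c) for c in commands}
```

Because the search is unanchored, permit running-config also lets copy startup-config running-config through; anchor the pattern (permit ^running-config) when only one argument order is intended.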
Creating a test user and group is a good idea, so you can test what has been added to this configuration. This test user has only a cleartext password in the config file.
user = test {
    member = Test_Group
}
group = Test_Group {
    default service = deny
    login = cleartext password1       # stored in the clear in tac_plus.conf; for testing only
    enable = cleartext password1
    service = exec {
        priv-lvl = 2
    }
}
admin@ubuntu:~$ sudo /etc/init.d/tacacs_plus restart
password for admin:
* Restarting TACACS+ authentication daemon tacacs+ [ OK ]
admin@ubuntu:~$
User Accounts
It is now time to create the user account under Linux.
admin@ubuntu:~$ sudo adduser test
Adding user `test' ...
Adding new group `test' (1001) ...
Adding new user `test' (1001) with group `test' ...
The home directory `/home/test' already exists. Not copying from `/etc/skel'.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
To remove a user:
admin@ubuntu:~$ sudo deluser test
password for admin:
Removing user `test' ...
Warning: group `test' has no more members.
Done.
https://networkjutsu.com/tacacs-ubuntu/
Note: You can use a different password file for tacacs+; users do not have to be Linux accounts created with adduser. If you do not want tacacs+ to use Linux users, point login = file at a separate password file in tac_plus.conf.
[edit system]
user@switch# set authentication-order [ tacplus password ]
[edit]
user@host# show system authentication-order
authentication-order [ tacplus password ];
Shared secret: testing123 (must match the key in tac_plus.conf exactly; it is case sensitive)
set system tacplus-server 172.16.98.24 secret testing123
set system tacplus-server 172.16.98.24 source-address 10.0.0.1
[edit]
user@host# show system tacplus-server
tacplus-server 172.16.98.24 {
    secret Tacacssecret1;
    source-address 10.0.0.1;
}
(On a real device, show prints the secret in obfuscated $9$ form followed by ## SECRET-DATA, not in the clear.)
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/user-access-tacacs-authentication.html#id-example-configuring-a-tacacs-server-for-system-authentication
Authentication order: TACACS+ first, then local password:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-authentication-order.html#id-junos-os-authentication-order-for-radius-tacacs-and-password-authentication
In brief:
1. Install tacacs+ on Ubuntu.
2. Configure tac_plus.conf with the shared key, the users and groups, and the clients (devices) allowed to use the server.
3. Enable TACACS+ on the clients, i.e. the Juniper devices (tacplus-server and authentication-order).
4. Do a test run with the test account.
This is the minimum config. For the full set of TACACS+ features you also need groups, authorization, and accounting set up.
Juniper SRX210 specs: power supply, wattage and power consumption
https://www.juniper.net/documentation/en_US/release-independent/junos/topics/reference/specifications/interfaces-srx-series-models-and-compatibility.html
Dual-root partitions on the SRX: check which slice is active, then copy the running slice to the alternate one. Here the device booted from the backup slice (da0s1a), which normally means the primary slice failed to boot; the snapshot below makes the alternate slice (da0s2a) a copy of the running one.
root@srx> show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: backup (da0s1a)
Partitions information:
Partition Size Mountpoint
s1a 292M /
s2a 293M altroot
s3e 24M /config
s3f 342M /var
s4a 30M recovery
root@srx> request system snapshot slice alternate
Formatting alternate root (/dev/da0s2a)...
Copying '/dev/da0s1a' to '/dev/da0s2a' .. (this may take a few minutes)
The following filesystems were archived:
Juniper JUNOS static route configuration:
To configure a static route on a Juniper device running JUNOS, follow these steps:
1. Enter configuration mode by typing configure in the CLI.
2. Specify the destination network in CIDR notation under routing-options. For example, to add a static route for 10.0.0.0/24, type edit routing-options static route 10.0.0.0/24.
3. Specify the next hop for the route. For example, to use the next-hop IP address 192.168.1.1, type set next-hop 192.168.1.1. To point the route at an outgoing interface instead of an IP address, give the logical interface name as the next hop: set next-hop <interface-name>.
4. Optionally, set additional parameters such as route preference (the JUNOS term for administrative distance) or metric. For example, to set a metric of 5 for the static route, type set metric 5.
5. To commit your changes, type commit.
An example configuration, in set form from the top of the hierarchy, for a static route with a next-hop IP address of 192.168.1.1:
configure
set routing-options static route 10.0.0.0/24 next-hop 192.168.1.1
commit
Check out the virtual labs here:
https://routersimulator.certexams.com/juniper-sim/labs/index.html
Telnet to a Juniper JUNOS router:
To configure Telnet on a Juniper device running JUNOS, follow these steps:
1. Enter configuration mode by typing configure in the CLI.
2. Configure a hostname for the device by typing set system host-name <hostname>.
3. Configure the device's IP address by typing set interfaces <interface-name> unit <unit-number> family inet address <ip-address>/<prefix-length>.
4. Enable the Telnet service by typing set system services telnet.
5. (Optional) Configure a username and password for Telnet authentication by typing set system login user <username> class <class-name> and set system login user <username> authentication plain-text-password; a login class is mandatory, and the CLI prompts for the password.
6. To commit your changes, type commit.
Example configuration for Telnet:
configure
set system host-name router1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set system services telnet
set system login user admin class super-user
set system login user admin authentication plain-text-password
commit
After configuring Telnet on the router, you can connect to it using a Telnet client such as PuTTY. You will need the router's IP address or hostname and the Telnet port number (23 by default). Once connected, you are prompted for your username and password. Telnet sends those credentials and the whole session in cleartext, so prefer SSH (configured at the top of this page) wherever possible; on an SRX, the interface's security zone must also allow the service with host-inbound-traffic system-services telnet, otherwise the connection is dropped before the login prompt.
JUNOS default route configuration on a router:
To configure a default route on a Juniper device running JUNOS, use the following steps:
1. Enter configuration mode by typing configure in the CLI.
2. Specify the default route as the destination 0.0.0.0/0. For example, type edit routing-options static route 0.0.0.0/0.
3. Specify the next hop for the default route. For example, to use the next-hop IP address 192.168.1.1, type set next-hop 192.168.1.1. To point the route at an outgoing interface instead of an IP address, give the logical interface name as the next hop: set next-hop <interface-name>.
4. Optionally, set additional parameters such as route preference (the JUNOS term for administrative distance) or metric. For example, to set a metric of 5 for the default route, type set metric 5.
5. To commit your changes, type commit.
Example configuration, in set form from the top of the hierarchy, for a default route with a next-hop IP address of 192.168.1.1:
configure
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
commit
Checkout Juniper JUNOS labs (https://routersimulator.certexams.com/juniper-sim/labs/index.html) and Switch labs (https://routersimulator.certexams.com/switch-simulator.html) with dozens of examples.