
ProteusElite:HowTo

Using A TACACS+ Server

In this guide I describe the steps that are taken to use a Cisco TACACS+ server for user authentication and authorization. This How To was researched and written with the assistance of Jon Sills, a network engineer with the OIR group at the State of Tennessee.

Background

Juniper devices can use external servers to perform authentication services for administrators. JUNOS supports RADIUS and TACACS+ as well as local authentication. The Steel Belted RADIUS (SBR) product from Juniper is of course the recommended external server. While TACACS+ is supported, it does not offer the full feature set of the SBR implementation. For some customers SBR is not an option, and they must use the Cisco solution.

Incomplete Instructions

Juniper has a configuration guide for this setup that can be found at http://www.juniper.net/techpubs/software/junos/junos57/swconfig57-getting-started/html/sysmgmt-authentication3.html. There is also a template referenced in that guide ( http://www.juniper.net/techpubs/software/junos/junos57/swconfig57-getting-started/html/sysmgmt-authentication4.html#1039222 ) that shows both TACACS+ and RADIUS configurations. We found both of these to be incomplete.

Procedure

The setup of TACACS+ for use as both an authentication server and an authorization server has two parts. The first is the JUNOS configuration; the second is the TACACS+ server. The JUNOS component is shown below.

    system {
        authentication-order [ password tacplus ];
        tacplus-server {
            10.10.1.10 {
                secret "$OPIUGPB&%$($VVPBUBPI&%(&^vbp76078n"; ## SECRET-DATA
                source-address 10.122.253.5;
            }
            10.10.8.2 {
                secret "UBP76v0876vtv5g&gvb85g7v9554cvoI&b07"; ## SECRET-DATA
            }
        }
        login {
            message "This computer system is private property. blah blah .. warning. \n ";
            class operator-local {
                permissions [ configure firewall interface security view ];
            }
            user engineering {
                uid 2018;
                class super-user;
            }
            user operations {
                uid 2020;
                class operator-local;
            }
            user peter {
                uid 2001;
                class super-user;
                authentication {
                    encrypted-password "$1$Rpk2vU$yvseF8PpFCa90.u/"; ## SECRET-DATA
                }
            }
        }
    }

This configuration has three main parts. The first is that the authentication order includes the TACACS+ server as well as the local database. Using the local database provides survivability if the TACACS+ server is lost. It is prudent to have additional users (peter in this example) that are not part of the TACACS+ groups. The order of local versus TACACS+ determines which database is searched first. Since the actual users are not listed in the local database, they will not be authenticated locally before being verified by the TACACS+ server. For the users that are defined locally (peter in this configuration) the local database is used for authentication (note that peter in this example is not found on the TACACS+ server).

The second part of the configuration is the definition of the TACACS+ server with a secret key and a source address. In our case two servers are defined, both with the same capabilities; the first server is used as the primary. The secret key secures the AAA exchanges between the JUNOS device and the TACACS+ server. The source address allows the server to validate the JUNOS device.

The third portion of the configuration looks like a normal set of login users. A couple of entries define authentication groups rather than individual users (this saves configuration on the TACACS+ server later on). The last user is a normal user with a password and class identified. The group login users do not have local passwords. This is not a security risk, as the JUNOS software will not allow a user to access the system without a password. Each user has a class definition associated with it. These classes can be modified with permit and deny commands entered on the TACACS+ server, but for our example one class is the default super-user and the second is a custom class called operator-local.

The TACACS+ server configuration is per the default configuration for a normal installation. I'm not going to go into the detail of setting up the full server, only looking at the portions that are specific to the JUNOS implementation.

2011 Proteus Networks Proteus Elite:HowTo Page | 1


Figure 1 TACACS+ Network Configuration

The first screen (see Figure 1) is under the network configuration menu. This screen is for the definition of the devices that use the TACACS+ server for authentication or authorization. In this case we define the management address of the JUNOS device and the security key that was entered in the JUNOS configuration. The Network Device Group of JunOs_SRX is a pull-down menu option for the server, as is the Authentication option. The remaining options for this client are the default settings.


Figure 2 TACACS+ Group Setup

The second screen (see Figure 2) that is specific to the JUNOS operation is the group settings. Individual settings can be made, but this increases the work on both the TACACS+ server and the JUNOS device. We took the easy way out and used groups. The groups correspond to the login users defined on the JUNOS device. Users are associated with their passwords and a TACACS+ group. The groups (as defined for other authentication devices) are created in the group pages. These groups have attributes that associate them with the JUNOS-exec configuration and with the local user group names on the JUNOS device (engineering and operations in our example). The engineering group is shown in Figure 2. Again the group defaults are used to complete the configuration.

From an operational perspective, a user logs in to the JUNOS device; the device looks locally for the user name and, when it is not found, sends the name to the TACACS+ server for AAA functions. The TACACS+ server looks up the user and affiliates them with a group. The TACACS+ server then queries the JUNOS device for the group attributes (authorization rules). Once these are retrieved, the TACACS+ server authenticates the user and sends the authorization attributes to the JUNOS device with the login response. This grants the user the permissions given to the group.

Conclusion

These configurations allow the creation of a set of standard login classes that are assigned to users throughout the enterprise. The same classes and users (user groups in the TACACS+ configuration) are applied to all the Juniper devices. This simplifies the management process for the devices while maintaining control over users and user access.
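The login decision path described above, together with the points made about the JUNOS configuration in the Procedure section (authentication-order [ password tacplus ], template users with no local password, and survivability when the TACACS+ server is lost), as an added Python model. This is example code written for this page; it is not from the original how-to and is not Juniper or Cisco code. The local user table mirrors the JUNOS configuration shown earlier; the TACACS+ server is replaced by an in-memory stand-in so nothing is sent on the network. The user names jsills and ops1, their passwords, peter's plaintext password and the ACS group names are constructed sample data; the junos-exec service and the local-user-name reply attribute are the JUNOS template-user attributes this model assumes.

```python
"""Model of the JUNOS authentication-order [ password tacplus ] decision path.

Added example (not from the Proteus how-to, Juniper or Cisco). The local user
table mirrors the JUNOS configuration in the Procedure section; the TACACS+
server is an in-memory stand-in, so nothing is sent on the network. Sample
users jsills/ops1, their passwords and the ACS group names are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    uid: int
    login_class: str                 # JUNOS login class
    password: Optional[str] = None   # None = template user, no local password


# Local login database, as on the JUNOS device in the how-to.
# peter's plaintext password is a constructed stand-in for the encrypted-password.
LOCAL_USERS = {
    "engineering": LocalUser(2018, "super-user"),
    "operations":  LocalUser(2020, "operator-local"),
    "peter":       LocalUser(2001, "super-user", password="p3ter-local"),
}

# Constructed TACACS+ server content: user -> (password, group) and
# group -> junos-exec reply attributes. local-user-name is the JUNOS
# attribute (assumed here) that maps a remote user onto a local template user.
TACACS_USERS = {
    "jsills": ("eng-secret", "JunOS_Engineering"),
    "ops1":   ("ops-secret", "JunOS_Operations"),
}
TACACS_GROUPS = {
    "JunOS_Engineering": {"service": "junos-exec", "local-user-name": "engineering"},
    "JunOS_Operations":  {"service": "junos-exec", "local-user-name": "operations"},
}


class TacacsUnreachable(Exception):
    """Raised when the TACACS+ server cannot be contacted."""


def tacplus_authenticate(user, password, reachable=True):
    """Stand-in for the TACACS+ exchange: reply attributes on accept, None on reject."""
    if not reachable:
        raise TacacsUnreachable(user)
    entry = TACACS_USERS.get(user)
    if entry is None or entry[0] != password:
        return None
    return dict(TACACS_GROUPS[entry[1]])


def local_authenticate(user, password):
    """The 'password' method: only users with a local password can pass it."""
    u = LOCAL_USERS.get(user)
    if u is None or u.password is None:   # template users have no password: reject
        return None
    return u if u.password == password else None


def login(user, password, order=("password", "tacplus"), tacplus_up=True):
    """Walk authentication-order; return a dict describing the accept, or None."""
    for method in order:
        if method == "password":
            u = local_authenticate(user, password)
            if u is not None:
                return {"method": "password", "template": user, "class": u.login_class}
        elif method == "tacplus":
            try:
                attrs = tacplus_authenticate(user, password, reachable=tacplus_up)
            except TacacsUnreachable:
                continue            # server lost: the next method in the order is tried
            if attrs is None:
                continue            # TACACS+ rejected the user
            template = LOCAL_USERS.get(attrs.get("local-user-name", ""))
            if template is not None:
                return {"method": "tacplus", "template": attrs["local-user-name"],
                        "class": template.login_class}
            # accepted remotely but no matching local template user: modelled as deny
    return None


if __name__ == "__main__":
    for who, pw, up in [("peter", "p3ter-local", False), ("jsills", "eng-secret", True),
                        ("ops1", "ops-secret", True), ("engineering", "", True),
                        ("jsills", "eng-secret", False)]:
        print(f"{who:12} tacplus_up={up!s:5} -> {login(who, pw, tacplus_up=up)}")
```

Running the module shows the four cases the text relies on: peter still logs in when the TACACS+ server is down, a TACACS+ user lands in the class of the template user named by local-user-name, the template users engineering and operations cannot be used to log in directly because they have no local password, and remote users are refused when the server is unreachable.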
