Cisco ACS 5.1 Tacacs with Juniper Srx 210
Hi all,
I am trying to do authentication for a Juniper SRX 210 FW with Cisco ACS 5.1 TACACS but I am unable to achieve it.
Can anyone help me with how to add the Junos service in ACS 5.1, and how to integrate the Juniper SRX 210 in Cisco ACS 5.1?
Hello Pranav
As Nicolas said, you really need to know what attributes the Juniper SRX is using. It also depends on what you're looking for; for example, "password authentication" is very different from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466
You don't need to enable any new service. ACS can handle any TACACS (or RADIUS) device as long as you tell ACS which TACACS (or RADIUS) attributes that device needs.
This is an example in which I have configured ACS 5.x with an attribute called "local-user-name", which the JunOS router uses for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
If you don't know the attributes you can capture the packets and troubleshoot from Juniper cli and from "ACS view" side. That's how I find out the "local-user-name" attribute.
Please rate if it helps. Kind regards
Similar Messages
-
Does cisco ACS hardware run TACACS+ ?
hi all
I am very new to the security,
my question is , does cisco ACS devices run TACACS+ ?
or TACACS+ has to be installed in windows/linux ?
thank you
The links listed below will help you configure TACACS authentication/authorization and also integrate ACS with Active Directory.
ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example
ACS 5.x: TACACS+ Authentication and Command Authorization based on AD group membership Configuration Example
Regards,
Jatin Katyal
*Do rate helpful posts* -
Authenticating using Cisco ACS 4.2 integrated with Active Directory 2003
How do I check that users are authenticated using Cisco ACS 4.2 integrated with Active Directory 2003? Can anyone help me with this? Thanks
You can't actually see the user's membership from ACS. All you can do is create a group mapping under the External Database >> Group Mapping section. This gives you an option to map an external (AD) group to an internal group. The group membership needs to be modified in Active Directory.
Once the user is successfully authenticated and learned as a dynamic user in the ACS user setup database, it is mapped to an ACS internal group based on the group mapping we did.
Let me know if you have any doubts.
Regards,
Jatin -
Cisco WCS 7.x TACACS+ with ACS 5.2
Ok, so I took my bday off today so I could stay home and setup my lab for ie v2 and have the birthday wish of 'leave daddy alone for awhile' come true. Here we are at 7:00pm and everything is flowing good including my blue moons and I decided to get tacacs working on an eval version of acs 5.2 per the ie list of lab equipment. frack me. Instead of walking away and coming back later and going 'doh!', I'm going to whine instead....
So I'm trying to get WCS to work with TACACS per this document:
http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0admin.html#wp1191980
However, after having to enter EVERY SINGLE TASK, once you get down to:
Creating Service Selection Rules for TACACS
To create service selection rules for TACACS, perform the following steps:
Step 1 Choose Access Policies > Access Services > Service Selection Rules.
Step 2 Click Create.
Step 3 Select the protocol as TACACS and Service as Default Device Admin (see Figure 18-49).
I'm a little confused as to where it wants me to click 'Create'. I of course did the 'hunt and peck' method and the only place I see a 'Create' button is under
Access Policies >
Access Services >
Default Device Admin >
Authorization
but it's grayed out. Someone wanna tell me what the crap.. and really, why 5.2 Cisco.. why.
Yeah, I've heard that, but in trying to stick with the IE list of used equipment/software I'm going for 5.2. I've learned it's best to stick with the list so that you are not only familiar with that exact software, but with that exact version's 'issues' as well. No panic in the lab from ACS going NO NO NO, NOT IN MY HOUSE.
-
ACS 5.3 authorization with Juniper WXC-3400
In the process of migrating from ACS 4.1 to ACS 5.3. Authentication works fine, but having issues with authorization on the Juniper WXC-3400 devices. In ACS 4.1 we were passing TACACS+Shell (exec) Custom attributes Privilege level=15, which allowed a user to login with read/write privileges. In ACS 5.3 tried setting the Shell Profiles common task to 15 for both Default and Maximum (one at a time, and together), as well as setting the Custom Attributes for priv-lvl=15 (with and without Common Tasks set).
A capture shows Auth Status: 0x11 (ERROR).
Any ideas?
Thanks in advance!
No. Time Source Destination VLAN Protocol Info
18 09:14:00.268166580 WX_Juniper ACS_5_3 TACACS+ Q: Authorization
Frame 18: 107 bytes on wire (856 bits), 107 bytes captured (856 bits)
Ethernet II, Src: Cisco_cd:46:af (00:07:7d:cd:46:af), Dst: Ibm_fe:9a:63 (5c:f3:fc:fe:9a:63)
Internet Protocol, Src: WX_Juniper (WX_Juniper), Dst: ACS_5_3 (ACS_5_3)
Transmission Control Protocol, Src Port: l2c-control (4371), Dst Port: tacacs (49), Seq: 1, Ack: 1, Len: 49
TACACS+
Major version: TACACS+
Minor version: 0
Type: Authorization (2)
Sequence number: 1
Flags: 0x04 (Encrypted payload, Single connection)
Session ID: 1491582254
Packet length: 37
Encrypted Request
Decrypted Request
Auth Method: TACACSPLUS
Privilege Level: 1
Authentication type: ASCII
Service: Login
User len: 8
User: stmartin
Port len: 7
Port: console
Remaddr len: 0
Arg count: 1
Arg[0] length: 13
Arg[0] value: service=shell
No. Time Source Destination VLAN Protocol Info
20 09:14:00.271608140 ACS_5_3 WX_Juniper TACACS+ R: Authorization
Frame 20: 76 bytes on wire (608 bits), 76 bytes captured (608 bits)
Ethernet II, Src: Ibm_fe:9a:63 (5c:f3:fc:fe:9a:63), Dst: Cisco_cd:46:af (00:07:7d:cd:46:af)
Internet Protocol, Src: ACS_5_3 (ACS_5_3), Dst: WX_Juniper (WX_Juniper)
Transmission Control Protocol, Src Port: tacacs (49), Dst Port: l2c-control (4371), Seq: 1, Ack: 50, Len: 18
TACACS+
Major version: TACACS+
Minor version: 0
Type: Authorization (2)
Sequence number: 2
Flags: 0x00 (Encrypted payload, Multiple Connections)
Session ID: 1491582254
Packet length: 6
Encrypted Reply
Decrypted Reply
Auth Status: 0x11 (ERROR)
Server Msg length: 0
Data length: 0
Arg count: 0 -
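The two decoded frames above are a 37-byte TACACS+ authorization REQUEST (frame 18) and a 6-byte REPLY carrying status 0x11 (frame 20). As an added example (not code from this thread, from Cisco or from Juniper), the Python script below rebuilds that request byte for byte from the decoded fields, applies the RFC 8907 body obfuscation (chained MD5 over session ID, shared secret, version and sequence number, which is why Wireshark needs the secret to show a "Decrypted Request"), parses it back, and decodes the reply's status byte. The session ID, user, port and argument are taken from the capture; the shared secret is a placeholder, and all function names are this example's own.

```python
"""Encode/decode TACACS+ (RFC 8907) authorization packets.

Added example modelled on the Wireshark capture above; not code from the
thread, Cisco or Juniper.  Field names follow RFC 8907.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHOR = 0x02                   # header "type" for authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
VERSION = (TAC_PLUS_MAJOR_VER << 4) | 0  # major 0xC, minor 0 -> 0xC0

# Authorization REPLY status byte (RFC 8907 section 6.2)
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: chained MD5 over
    session_id || key || version || seq_no || previous digest."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_header(ptype, seq_no, flags, session_id, body_len):
    """12-byte header: version, type, seq_no, flags, session_id, length."""
    return struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, body_len)


def parse_header(data):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", data[:12])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length,
            "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
            "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG)}


def build_author_request(user, port, args, priv_lvl=1, rem_addr=b""):
    """authen_method=TACACSPLUS (0x06), authen_type=ASCII (0x01),
    authen_service=LOGIN (0x01), exactly as in frame 18 of the capture."""
    user_b, port_b = user.encode(), port.encode()
    arg_bs = [a.encode() for a in args]
    body = struct.pack("!8B", 0x06, priv_lvl, 0x01, 0x01,
                       len(user_b), len(port_b), len(rem_addr), len(arg_bs))
    body += bytes(len(a) for a in arg_bs)            # one length byte per arg
    return body + user_b + port_b + rem_addr + b"".join(arg_bs)


def parse_author_request(body):
    method, priv_lvl, atype, service, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + argc]); off += argc
    user = body[off:off + ulen].decode(); off += ulen
    port = body[off:off + plen].decode(); off += plen
    rem_addr = body[off:off + rlen]; off += rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode()); off += n
    return {"authen_method": method, "priv_lvl": priv_lvl, "authen_type": atype,
            "authen_service": service, "user": user, "port": port,
            "rem_addr": rem_addr, "args": args}


def parse_author_reply(body):
    status, argc, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + argc]); off += argc
    server_msg = body[off:off + msg_len].decode(errors="replace"); off += msg_len
    data = body[off:off + data_len]; off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode()); off += n
    return {"status": status, "status_name": AUTHOR_STATUS.get(status, "UNKNOWN"),
            "server_msg": server_msg, "data": data, "args": args}


# Session ID from the capture; the shared secret is a placeholder (not on the page).
SESSION_ID = 1491582254
SHARED_SECRET = b"placeholder-secret"


def demo():
    """Rebuild frame 18 (request) and frame 20 (reply) and decode both."""
    body = build_author_request("stmartin", "console", ["service=shell"], priv_lvl=1)
    hdr = build_header(TAC_PLUS_AUTHOR, 1, TAC_PLUS_SINGLE_CONNECT_FLAG, SESSION_ID, len(body))
    wire = hdr + obfuscate(body, SESSION_ID, SHARED_SECRET, VERSION, 1)
    h = parse_header(wire)
    clear = obfuscate(wire[12:12 + h["length"]], h["session_id"], SHARED_SECRET,
                      h["version"], h["seq_no"])
    req = parse_author_request(clear)
    reply = parse_author_reply(struct.pack("!BBHH", 0x11, 0, 0, 0))  # frame 20: 6-byte ERROR reply
    return h, req, reply


if __name__ == "__main__":
    hdr, req, rep = demo()
    print(hdr["length"], req["user"], req["args"], rep["status_name"])
```

The rebuilt body is 37 bytes (8 fixed bytes, 1 argument-length byte, 8 for the user, 7 for the port, 13 for `service=shell`), matching the "Packet length: 37" in the capture. A status of 0x11 (ERROR) is the server reporting a problem processing the request, distinct from 0x10 (FAIL), which is a policy refusal; the WLC debug later on this page reports `status=16`, which is 0x10, so that device is being refused rather than hitting an error.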
Cisco ACS 4.2 TACACS+ Administration report - Help!
we had some switches mysteriously reloaded. Upon investigation, TACACS+ Administration report show no user login to the device, no command was issued, and the reason = reload.
How could this happen?
Guna,
Tacacs+ Does not use VSAs.
Radius uses VSAs.
This is what I found online:
http://198.152.212.23/css/P8/documents/100106731
See if this helps.
It has an example associated for server configuration.
In ACS 4, you need to use the shell exec and priv-lvl=<value>.
(Similar to Cisco IOS)
Regards
Ed -
Cisco ACS register to primary with different acs versions
Hello, I've updated the backup unit of two ACS servers to version 5.4.0.46.0a. First I changed it to standalone, and now I am trying to register it to the main ACS, which is running version 5.1.0.44.2.
And I get this error:
This System Failure occurred: com.cisco.nm.acs.im.certificate.Certificate; local class incompatible: stream classdesc serialVersionUID = 8507982043664257993, local class serialVersionUID = 1927357986028617243. Your changes have not been saved. Click OK to return to the list page.
What can I do to solve it?
Kind regards
The primary and secondary should be running the same code.
Jatin Katyal
- Do rate helpful posts - -
Cisco ACS 4.2 integration with Active Directory
Hello,
I'm new to the administration of ACS; we have recently implemented ACS version 4.2 on a server
to manage all user authorization for our network.
We are in an environment which has an Active Directory with groups and users.
Now, I'm just able to create a new user in ACS and work with it on the client switch. What I need to do is integrate my ACS 4.2 with Active Directory
to work with the users and groups that are registered in my AD.
Can someone help me please?
You can't actually see the user's membership from ACS. All you can do is create a group mapping under the External Database >> Group Mapping section. This gives you an option to map an external (AD) group to an internal group. The group membership needs to be modified in Active Directory.
Once the user is successfully authenticated and learned as a dynamic user in the ACS user setup database, it is mapped to an ACS internal group based on the group mapping we did.
Let me know if you have any doubts.
Regards,
Jatin -
Juniper SSG and Cisco ACS v5.x Configuration
I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma. I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
Configure the Juniper (CLI)
1. Add the Cisco ACS and TACACS+ configuration
set auth-server CiscoACSv5 id 1
set auth-server CiscoACSv5 server-name 192.168.1.100
set auth-server CiscoACSv5 account-type admin
set auth-server CiscoACSv5 type tacacs
set auth-server CiscoACSv5 tacacs secret CiscoACSv5
set auth-server CiscoACSv5 tacacs port 49
set admin auth server CiscoACSv5
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
Configure the Cisco ACS v5.x (GUI)
1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
Create the Juniper Shell Profile.
Click the [Create] button at the bottom of the page
Select the General tab
Name: Juniper
Description: Custom Attributes for Juniper SSG320M
Select the Custom Attributes tab
Add the vsys attribute:
Attribute: vsys
Requirement: Mandatory
Value: root
Click the [Add^] button above the Attribute field
Add the privilege attribute:
Attribute: privilege
Requirement: Mandatory
Value: root
Note: you can also use 'read-write' but then local admin doesn't work correctly
Click the [Add^] button above the Attribute field
Click the [Submit] button at the bottom of the page
2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
Create the Juniper Authorization Policy and filter by Device IP Address.
Click the [Customize] button at the bottom Right of the page
Under Customize Conditions, select Device IP Address from the left window
Click the [>] button to add it
Click the [OK] button to close the window
Click the [Create] button at the bottom of the page to create a new rule
Under General, name the new rule Juniper, and ensure it is Enabled
Under Conditions, check the box next to Device IP Address
Enter the ip address of the Juniper (192.168.1.100)
Under Results, click the [Select] button next to the Shell Profile field
Select 'Juniper' and click the [OK] button
Under Results, click the [Select] button below the Command Sets (if used) field
Select 'Permit All' and ensure all other boxes are UNCHECKED
Click the [OK] button to close the window
Click the [OK] button at the bottom of the page to close the window
Check the box next to the Juniper policy, then move the policy to the top of the list
Click the [Save Changes] button at the bottom of the page
3. Log in to the Juniper CLI and GUI, and attempt to change something to verify the privilege level.
Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list, and I doubt it will be, as LMS's functions are mostly not applicable to the appliance or the software running on it.
You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server. -
Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall wit Radius & Tacacs+
Hello,
Can anybody tell me the step-by-step configuration of Cisco ACS 5.1, to configured it with Juniper Netscreen Firewall for radius & tacacs+ authentication and authorization?
I am able to configure this with Cisco ACS 4.2 with customise VSA file but can't understand how to configure it on ACS 5.1.
Thanks in advance.
Hi Eduardo,
Can you tell me how to map ACS 4.2?
service=junos-exec
local-user-name=Engineering
into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed on to ACS 5.2? I don't have access to a sniffer or tap, nor do I have rights on this box. I have to instruct our systems folks to investigate. It has been a back-and-forth battle.
Also, I'd like to see where I'd map this on ACS 5.2. Keep in mind in both cases I have a JUNOS config mapping to a login user Engineer and operations respectively.
local-user-name=opertions
allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *)) -
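The allow-commands and deny-commands values above are Junos regular expressions that the TACACS+ server hands back as authorization attributes, and Junos applies them to each operational command the remote user types. As an added example (not Juniper's or Cisco's code, and not from this thread), the Python below splits a TACACS+ attribute-value list into names and values, then evaluates sample command lines against the post's own regexes to show which are permitted, denied, or left to the login class. The deny-before-allow order and the helper names are this example's own assumptions; check the Junos documentation for the precedence your release applies when a command matches both lists.

```python
"""Evaluate Junos operational commands against the allow-commands /
deny-commands regexes returned by a TACACS+ server for a remote user.

Added example, not Juniper's or Cisco's code.  The regex strings are copied
from the post above; the deny-before-allow order and the attribute parser
are this example's own choices (assumptions).
"""
import re

# Constructed: the attribute-value list an ACS shell profile would return for
# the "operations" login, with the values from the post above.
TACACS_ATTRS = [
    "local-user-name=opertions",
    "allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))",
    "deny-commands=((^start *)|(^file delete *)|(^file rename *)|(^request *)|"
    "(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|"
    "(^set date *)|(^test *)|(^clear *)|(^op *))",
]


def parse_tacacs_attributes(attrs):
    """Split TACACS+ 'name=value' (mandatory) or 'name*value' (optional)
    attribute-value pairs into {name: (value, is_mandatory)}."""
    parsed = {}
    for av in attrs:
        m = re.match(r"^([^=*]+)([=*])(.*)$", av, re.S)
        if not m:
            raise ValueError(f"malformed attribute-value pair: {av!r}")
        name, sep, value = m.groups()
        parsed[name] = (value, sep == "=")
    return parsed


def command_decision(command, allow_re=None, deny_re=None):
    """Return 'deny', 'permit' or 'undecided' for one command line.

    Deny is checked first here as the conservative choice (assumption);
    'undecided' means the login class's own permission bits decide.
    """
    cmd = command.strip()
    if deny_re and re.search(deny_re, cmd):
        return "deny"
    if allow_re and re.search(allow_re, cmd):
        return "permit"
    return "undecided"


def evaluate_session(attrs, commands):
    """Map each command to its decision using the session's attributes,
    and return the local-user-name the session maps to."""
    parsed = parse_tacacs_attributes(attrs)
    allow_re = parsed.get("allow-commands", (None,))[0]
    deny_re = parsed.get("deny-commands", (None,))[0]
    user = parsed.get("local-user-name", (None,))[0]
    decisions = {cmd: command_decision(cmd, allow_re, deny_re) for cmd in commands}
    return decisions, user


SAMPLE_COMMANDS = [                      # constructed inputs
    "ping 10.0.0.1",
    "monitor interface ge-0/0/0",
    "request system reboot",
    "file delete /var/tmp/old.log",
    "clear interfaces statistics",
    "show version",
]

if __name__ == "__main__":
    decisions, user = evaluate_session(TACACS_ATTRS, SAMPLE_COMMANDS)
    print("local-user-name:", user)
    for cmd, verdict in decisions.items():
        print(f"{verdict:10s} {cmd}")
```

Note that `^ping *` is a prefix match (the trailing ` *` only allows spaces), so anything beginning with "ping" satisfies it; when writing your own lists, anchor more tightly (for example `^ping( |$)`) if the prefix could match a command you did not intend.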
RSA SecurID and Cisco ACS integration for user(s) with enable mode
I thought I had this problem figured out but I guess not.
I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
I use tacacs+ authentication for logging into the Cisco router
such as telnet and ssh. In the ACS I use "external user databases"
for authentication which proxy the request from the ACS over
to the RSA SecurID Server. I installed RSA Agents with
sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
to be "RSA_SecurID" group. In the "External user databases" and
"database configurations" I assign SecurID to this "RSA_SecurID"
group.
Everything is working fine. In the "User Setup" I can see dynamic
user test1, test2,...testn listed in there as "dynamic users". In
other words, I can telnet into the router with my two-factor
SecurID.
The problem is that if test1 wants to go into "enable" mode with
SecurID login, I have to go into "test1" user setting and select
"TACACS+Enable Password" and choose "Use external database password".
After that, test1 can go into enable mode with his/her SecurID
credential.
Well, this works fine if I have a few users. The problem is that
I have about 100 users that I need to do this. The solution is
clearly not scalable. Is there a setting from group level that
I can do this?
Any ACS "experts" want to help me out here? Thanks.
That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get
into exec mode. After that, he/she has to use the RSA token password to
get into enable mode. Each user can get into "enable" mode with his/her
RSA token mode.
The way you described, it seemed like anyone in this group can go directly
into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks. -
Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???
Hi All,
I have used Cisco ACS tacacs for authentication based on Active Directory. Is it possible to use Active Directory as a criteria for authentication AND source IP?
For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.
Thanks!
I see your point. This depends on whether the user's IP is provided in the authentication request; if this information is provided then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:
1. Create an End Station Filter; here, configure the user's IP
2. Customize your Conditions under Access Policies/Authorization to use End Station Filter
3. Define your rule with the required result -
Unable to integrate WLC with cisco ACS
Hi,
I am not able to integrate Cisco TACACS with the WLC.
Below are the error logs from the Juniper firewall
WLC IP: 10.210.126.133
Cisco ACS: 10.116.45.131
Date/Time | Source Address/Port | Destination Address/Port | Translated Source Address/Port | Translated Destination Address/Port | Service | Duration | Bytes Sent | Bytes Received | Close Reason
2013-11-04 16:31:03 | 10.210.126.133:49098 | 10.116.45.131:49 | 10.210.126.133:49098 | 10.116.45.131:49 | TCP PORT 49 | 2 sec. | 591 | 428 | Close - TCP FIN
2013-11-04 16:31:03 | 10.210.126.133:51759 | 10.116.45.131:49 | 10.210.126.133:51759 | 10.116.45.131:49 | TCP PORT 49 | 2 sec. | 525 | 326 | Close - TCP FIN
2013-11-04 16:31:09 | 10.210.126.133:51759 | 10.116.45.131:49 | 10.210.126.133:51759 | 10.116.45.131:49 | TCP PORT 49 | 9 sec. | 475 | 238 | Close - TCP FIN
2013-11-04 16:31:09 | 10.210.126.133:49098 | 10.116.45.131:49 | 10.210.126.133:49098 | 10.116.45.131:49 | TCP PORT 49 | 9 sec. | 519 | 318 | Close - TCP FIN
Please suggest whether any changes need to be made at either end.
Cisco ACS Server log entry:
11/04/2013 | 16:31:01 | Author failed | ads.shalder | DCN-BANG2&BANG5-RW | 127.0.0.1 | Service denied | service=ciscowlc protocol=common | 10.210.126.133 | ads.shalder | No | 1 | 10.210.126.133
Please suggest further
Br/Subhojit
Hi,
we are getting this error on WLC side debug
(Cisco Controller) >*tplusTransportThread: Nov 05 09:51:32.683: Forwarding request to 10.116.45.131 port=49
*tplusTransportThread: Nov 05 09:51:32.689: tplus auth response: type=1 seq_no=2 session_id=5b675ca1 length=16 encrypted=0
*tplusTransportThread: Nov 05 09:51:32.689: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Nov 05 09:51:32.689: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Nov 05 09:51:32.689: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Nov 05 09:51:32.700: tplus auth response: type=1 seq_no=4 session_id=5b675ca1 length=6 encrypted=0
*tplusTransportThread: Nov 05 09:51:32.700: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Nov 05 09:51:32.700: Forwarding request to 10.116.45.131 port=49
*tplusTransportThread: Nov 05 09:51:32.705: author response body: status=16 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Nov 05 09:51:32.705: Tplus authorization for ads.shalder failed status=16
WLC hardware is: AIR-CT2504-K9V01
Br/Subhojit -
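The WLC debug above walks through one TACACS+ session: the authentication exchange completes (GETPASS, continue, then `tplus_make_author_request() from tplus_authen_passed`), and only the authorization step comes back with `status=16`. As an added example (not Cisco's code and not from this thread), the Python below parses those debug lines into a per-session summary and states whether the failure was at authentication or authorization. The sample transcript is copied from the post; the regexes, field names and the wording of the verdict are this example's own.

```python
"""Triage a Cisco WLC TACACS+ debug transcript: did the exchange fail at
authentication or at authorization?

Added example, not Cisco's code.  The sample lines are copied from the WLC
debug above; the regexes and the summary format are this example's own.
"""
import re

# Constructed sample: the transcript from the post, including the CLI prompt
# that was glued to the first line.
WLC_DEBUG = """\
(Cisco Controller) >*tplusTransportThread: Nov 05 09:51:32.683: Forwarding request to 10.116.45.131 port=49
*tplusTransportThread: Nov 05 09:51:32.689: tplus auth response: type=1 seq_no=2 session_id=5b675ca1 length=16 encrypted=0
*tplusTransportThread: Nov 05 09:51:32.689: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Nov 05 09:51:32.689: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Nov 05 09:51:32.689: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Nov 05 09:51:32.700: tplus auth response: type=1 seq_no=4 session_id=5b675ca1 length=6 encrypted=0
*tplusTransportThread: Nov 05 09:51:32.700: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Nov 05 09:51:32.700: Forwarding request to 10.116.45.131 port=49
*tplusTransportThread: Nov 05 09:51:32.705: author response body: status=16 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Nov 05 09:51:32.705: Tplus authorization for ads.shalder failed status=16
"""

# TACACS+ authorization REPLY status values (RFC 8907 section 6.2), decimal
# because the WLC prints them that way: 16 is 0x10 FAIL, 17 is 0x11 ERROR.
AUTHOR_STATUS = {1: "PASS_ADD", 2: "PASS_REPL", 16: "FAIL", 17: "ERROR", 33: "FOLLOW"}

LINE_RE = re.compile(r"\*tplusTransportThread: (\w{3} \d{2} [\d:.]+): (.*)$")
KV_RE = re.compile(r"(\w+)=([\w.]+)")
USER_RE = re.compile(r"authorization for (\S+) failed")


def parse_wlc_tacacs_debug(text):
    """Collapse the transcript into one dict describing the session."""
    summary = {"server": None, "session_id": None, "authen_passed": False,
               "author_status": None, "author_status_name": None, "user": None,
               "first_ts": None, "last_ts": None}
    for line in text.splitlines():
        m = LINE_RE.search(line)        # search() tolerates the glued prompt
        if not m:
            continue
        ts, msg = m.groups()
        summary["first_ts"] = summary["first_ts"] or ts
        summary["last_ts"] = ts
        kv = dict(KV_RE.findall(msg))
        if msg.startswith("Forwarding request to"):
            summary["server"] = msg.split()[3]
        if "session_id" in kv:
            summary["session_id"] = kv["session_id"]
        if "tplus_authen_passed" in msg:
            summary["authen_passed"] = True
        if msg.startswith("author response body"):
            status = int(kv["status"])
            summary["author_status"] = status
            summary["author_status_name"] = AUTHOR_STATUS.get(status, "UNKNOWN")
        um = USER_RE.search(msg)
        if um:
            summary["user"] = um.group(1)
    return summary


def verdict(summary):
    """One-line diagnosis for the operator."""
    if not summary["authen_passed"]:
        return "authentication did not complete; check credentials and the shared secret"
    if summary["author_status_name"] in ("FAIL", "ERROR"):
        return (f"authentication passed, authorization {summary['author_status_name']} "
                f"for {summary['user']}: the server rejected the authorization request, "
                f"so check the TACACS+ server's authorization policy for this device")
    return "authentication and authorization passed"


if __name__ == "__main__":
    s = parse_wlc_tacacs_debug(WLC_DEBUG)
    print(s)
    print(verdict(s))
```

Read together with the rest of the post, the summary points at the ACS side: the firewall rows show every TCP/49 session opening and closing normally, so connectivity is fine, and the ACS entry "Author failed ... Service denied service=ciscowlc protocol=common" is the policy refusal that the WLC sees as `status=16`.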
issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login
-
Dear all,
Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as the 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied them as the default on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for the authentication process. We have noticed that when we try to authenticate to the network with the predefined profile (the network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password ("Change password on next login" is checked in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password", but no popup window appears in Anyconnect. When we change the Windows local user privileges to Admin, or create the Anyconnect network profile locally (privileges User Network), then we are able to finish the process.
Have you ever faced the problem described above? Is it an Anyconnect bug? How can we fix it?
Best regards,
Piotr
If this happens with all machines, then maybe a Microsoft guy can look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized to, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
I am sorry if I am not able to help but I am not using the anyconnect for production.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"