Juniper SSG and Cisco ACS v5.x Configuration
I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma. I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
Configure the Juniper (CLI)
1. Add the Cisco ACS and TACACS+ configuration
set auth-server CiscoACSv5 id 1
set auth-server CiscoACSv5 server-name 192.168.1.100
set auth-server CiscoACSv5 account-type admin
set auth-server CiscoACSv5 type tacacs
set auth-server CiscoACSv5 tacacs secret CiscoACSv5
set auth-server CiscoACSv5 tacacs port 49
set admin auth server CiscoACSv5
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
Configure the Cisco ACS v5.x (GUI)
1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
Create the Juniper Shell Profile.
Click the [Create] button at the bottom of the page
Select the General tab
Name: Juniper
Description: Custom Attributes for Juniper SSG320M
Select the Custom Attributes tab
Add the vsys attribute:
Attribute: vsys
Requirement: Manadatory
Value: root
Click the [Add^] button above the Attribute field
Add the privilege attribute:
Attribute: privilege
Requirement: Manadatory
Value: root
Note: you can also use 'read-write' but then local admin doesn't work correctly
Click the [Add^] button above the Attribute field
Click the [Submit] button at the bottom of the page
2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
Create the Juniper Authorization Policy and filter by Device IP Address.
Click the [Customize] button at the bottom Right of the page
Under Customize Conditions, select Device IP Address from the left window
Click the [>] button to add it
Click the [OK] button to close the window
Click the [Create] button at the bottom of the page to create a new rule
Under General, name the new rule Juniper, and ensure it is Enabled
Under Conditions, check the box next to Device IP Address
Enter the ip address of the Juniper (192.168.1.100)
Under Results, click the [Select] button next to the Shell Profile field
Select 'Juniper' and click the [OK] button
Under Results, click the [Select] button below the Command Sets (if used) field
Select 'Permit All' and ensure all other boxes are UNCHECKED
Click the [OK] button to close the window
Click the [OK] button at the bottom of the page to close the window
Check the box next to the Juniper policy, then move the policy to the top of the list
Click the [Save Changes] button at the bottom of the page
3. Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.
Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list and I would doubt that it would be as LMS's functions are mostly not applicable to the appliance or software running on it.
You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server.
Similar Messages
-
RSA SecurID and Cisco ACS integration for user(s) with enable mode
I thought I had this problem figured out but I guess not.
I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
I use tacacs+ authentication for logging into the Cisco router
such as telnet and ssh. In the ACS I use "external user databases"
for authentication which proxy the request from the ACS over
to the RSA SecurID Server. I installed RSA Agents with
sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
to be "RSA_SecurID" group. In the "External user databases" and
"database configurations" I assign SecurID to this "RSA_SecurID"
group.
Everything is working fine. In the "User Setup" I can see dynamic
user test1, test2,...testn listed in there as "dynamic users". In
other words, I can telnet into the router with my two-factor
SecurID.
The problem is that if test1 wants to go into "enable" mode with
SecurID login, I have to go into "test1" user setting and select
"TACACS+Enable Password" and choose "Use external database password".
After that, test1 can go into enable mode with his/her SecurID
credential.
Well, this works fine if I have a few users. The problem is that
I have about 100 users that I need to do this. The solution is
clearly not scalable. Is there a setting from group level that
I can do this?
Any ACS "experts" want to help me out here? Thanks.That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get
into exec mode. After that, he/she has to use the RSA token password to
get into enable mode. Each user can get into "enable" mode with his/her
RSA token mode.
The way you descripbed, it seemed like anyone in this group can go directly
into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks. -
Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3
does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
ciscoISE/admin(config)# snmp-server ?
community Set community string
contact Text for mib object sysContact
host Specify hosts to receive SNMP notifications
location Text for mib object sysLocation
ciscoISE/admin(config)# snmp-server
Ciscoacs/admin(config)# snmp-server ?
community Set community string
contact Text for mib object sysContact
host Specify hosts to receive SNMP notifications
location Text for mib object sysLocation
Ciscoacs/admin(config)# snmp-serverNo support SNMP v3 on ISE v1.2 and 1.3 except for profilling
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30 -
ACE 4700 and Cisco ACS aaa authentication
ACE version Software
loader: Version 0.95
system: Version A1(7b) [build 3.0(0)A1(7b)
Cisco ACS version 4.0.1
I am trying to authenticate admin users with AAA authentication for ACE management.
This is what I've done:
ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
warning: numeric key will not be encrypted
ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
ACE-lab/Admin(config-tacacs+)# server ?
<A.B.C.D> TACACS+ server name
ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
can not find the TACACS+ server
specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
ACE-lab/Admin(config-tacacs+)#
Why am I getting this error? I have full
connectivity between the ACE and the ACS
server. Furthermore, the ACS server
works fine with other Cisco IOS devices.
Please help. Thanks.Thanks. Now I have another problem. I CAN
log into the ACE via tacacs+ account(s).
However, I get error when I try going into
configuration mode:
ACE-lab login: ngx1
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
ACE-lab/Admin# conf t
^
% invalid command detected at '^' marker.
ACE-lab/Admin#
The ngx1 account can access other Cisco
routers/switches just fine and can go into
enable mode just fine. Only issue on the ACE.
Any ideas? Thanks. -
hi,
I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.
I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
Debugging tacacs on the router i can see the requests being sent to the server, and the replies coming back - the login detail are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
Any ideas?here is some debug from the router:
Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
Feb 24 12:28:58.989 UTC: T+: user: vpntest
Feb 24 12:28:58.989 UTC: T+: port:
Feb 24 12:28:58.989 UTC: T+: rem_addr:
Feb 24 12:28:58.989 UTC: T+: data:
Feb 24 12:28:58.989 UTC: T+: End Packet
Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Feb 24 12:28:59.009 UTC: T+: msg: Password:
Feb 24 12:28:59.009 UTC: T+: data:
Feb 24 12:28:59.009 UTC: T+: End Packet
s9990-cr#
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
"AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
In the VPN Client log it say "User does not provide any authentication data"
So to summarise:
-Same ACS server\router\username combination works fine for telnet access.
-VPN works fine with local authentication.
-No login failures showing in the ACS logs. -
Cisco ACS 1121 server configuration
Hi,
Anyone can tell me how to configure LAN teaming in Cisco ACS 1121. My requirement is to have virtual IP in the server with two physical IPs in the available 2 interface in the server.
Regards,
Haja Shajahan.MCurrently Gig 0 is supported. Gig 1 is blocked. Check this link ((Blocked) Gigabit Ethernet 1).
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_hw_ins.html#wp1119105
Paps -
Border Manager and Cisco ACS connection
The NIC in the Border Manager server failed.
I installed a new NIC and gave it the same IP address and mask as the old
one. The lights on the NIC's in both boxes are green but I cannot ping one
from the other. They are connected with a cross-over cable
I was told I would have to set up a 'route' - help please.
The person who would normally set this up is sun bathing on an island
somewhere in the Indian Ocean.> > In article <LShvd.6367$[email protected]>, wrote:
> > > The NIC in the Border Manager server failed.
> >
> > Which NIC? The public side, or the private side?
> >
> > > I installed a new NIC and gave it the same IP address and mask as
the
> old
> > > one.
> >
> > If this was on the public side, did you also rename the interface the
> same as
> > the old one? (If not, your filters may fail to filter).
> >
> > > The lights on the NIC's in both boxes are green but I cannot ping
one
> > > from the other. They are connected with a cross-over cable
> >
> > UNLOAD IPFLT (drops filters) for a test. If you did everything right,
> the
> > default filters may be blocking ICMP, and so you would normally not be
> able
> > to ping.
> >
> > > I was told I would have to set up a 'route' - help please.
> >
> > Seems unlikely. Changing a nic will not normally change any
configured
> > static routes, as they are stored in a separate file.
> >
> > > The person who would normally set this up is sun bathing on an
island
> > > somewhere in the Indian Ocean.
> >
> > Must be nice!
> >
> >
> > Craig Johnson
> > Novell Support Connection SysOp
> > *** For a current patch list, tips, handy files and books on
> > BorderManager, go to http://www.craigjconsulting.com ***
> >
>
> The card that I replaced in the Border Manager server had a 192.168.x.x
> address, connected to the card in the ACS box with a cross-over cable.
The
> card in the ACS box is also a 192.168.x.x address. I have a route set up
> to the 192.168.101.0 network specifying the ACS box address as the next
> hop.
> Mike
>
Problem solved, the card has blown in the ACS box. -
VPN between Juniper ScreenOS and Cisco issue
We are facing the issue between cisco and juniper after implementing GRE over IPSec with OSPF. According to Juniper the packets sending from one Branch to another are not encapsulated by Cisco. Below attached are the logs of cisco. As i am reading the forums over internet, most of them recommended to create Static VTI between cisco and juniper.
Is Static VTI are recommaded or not ?
We have 400 Branch offices, each Branches has point to point GRE Tunnel, can we use single VTI Profile and apply on all 400 Tunnel interfaces or its has some limitation?
Can we enable netflow on Static VTI
Can we pass Voice Traffic over it.
Qos also implemented over it.
Can we apply rate limit over it.
All Traffic will be encrypted. ACL limitation ( permit ip any any)From the output of show cry ipsec sa, the encrypts are a lot more than decrypts, which means traffic is actually getting encrypted and getting sent through the VPN tunnel, and reply is probably not getting back towards the 2801 router.
Can you check the output on the Linksys as well. And also make sure that the Linksys end knows how to route back towards the 2800 router. -
Anyone know if Cisco AP 1200 running Cisco IOS support the "Downloadable ACL's" via Cisco Access Control Server? I suppose they would since other IOS devices support this feature.
I think Downloadable ACLs are supported by IOS APs.
-
Cisco ACS 5.1 Tacacs with Juniper Srx 210
Hi all,
I am trying to do authentication for Juniper SRX 210 FW With Cisco ACS 5.1 Tacacs but I am unable to acheive it ..
Can any one help me how to add Junos service in ACS 5.1..How to Intergarte Juniper SRX 210 in Cisco ACS 5.1Hello Pranav
As Nicolas said, you really need to know what attributes Juniper SRX is using. It also depends on what you're looking for, for example it's very different "password authentication" from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466
You don't need to enable any new service. ACS is capable to attend any TACACS (or RADIUS) device as long as you tell ACS what are the TACACS (or RADIUS) attributes needed for that device.
This is an example in which I have configured ACS 5.x with an attribute called "local-user-name" which JunOS router use for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
If you don't know the attributes you can capture the packets and troubleshoot from Juniper cli and from "ACS view" side. That's how I find out the "local-user-name" attribute.
Please rate if it helps. Kind regards -
Integration Of Cisco ACS and MS Active Directory !!!
Hi all,
We have and Cisco ACS v4.2 on a Cisco Appliance, and we need to integrate it with Active Directory. Can you help me??
Thanks for your help
Regards!!!
Rafael TurriagoHi,
If you have ACS SE and you want to integrate with MS AD, then you need to install Cisco ACS Remote Agent on a PC that belongs to the domain.
The ACS SE does not "speak" directly to the DCs, but rather to the ACS Remote Agent.
The Remote Agent is the application responsible to exchange data with the DCs.
You can find detailed information in the config guide:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Juniper SSG TACACS+ Integration with ACS 5
Hi,
I'm working on TACACS+ integration on Juniper SSG firewall with ACS 5, but failed login on the SSG. After checked the log on ACS, it passed the authentication. Do I need to import any dictionary file on the ACS 5 first?
Please advice,
Cheers,
RyanI was able to config SSG authenticate using RADIUS. In order to work with RADIUS, I have to create RADIUS dictionary using netscreen dictionary found @ Juniper. Attach the dictionary.
I'm not sure how to import, but I create the dictionary manually. -
[Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid
Hi,
I got many Cisco AP which are linked to 2 Cisco WLC.
On each WLC, I configured a primary and a secondary RADIUS Server.
RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
Primary and secondary ACS configurations are synchronized.
There are no problem between primary WLC and Cisco ACS (primary and secondary).
When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
The two Cisco ACS are synchronized so I should have same error on them...
Why does primary ACS generate this error?
Thanks for your help,
PatrickTarik Admani wrote:Amjad,That is a good observation, shouldnt 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.Thanks,Tarik Admani
*Please rate helpful posts*
Yes. That is a good point.
With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuraiotn can be replicated and synched to the other WLC (the secondary).
The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
Rating useful replies is more useful than saying "Thank you" -
802.1x with alcatel phone with cisco acs 5.0
Hi All, can any one has done the implementation of 802.1x with alcatel phone where pc will be behind the phone and cisco switch ports are configured as trunk. Trunk native vlan is data vlan for pc and trunk carrying voice vlan.
when trunk mode is enabled I can not configure 802.1x on trunk interface. does any one help me to get rid of this situation..
ThanksHi,
Did you find any solution?. Did you tried with the command switchport voice vlan?.
Regards,
Mauricio -
Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall wit Radius & Tacacs+
Hello,
Can anybody tell me the step-by-step configuration of Cisco ACS 5.1, to configured it with Juniper Netscreen Firewall for radius & tacacs+ authentication and authorization?
I am able to configure this with Cisco ACS 4.2 with customise VSA file but can't understand how to configure it on ACS 5.1.
Thanks in Advance.Hi Eduardo,
Can you tell me how to map ACS 4.2?
service=junos-exec
local-user-name=Engineering
Into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed onto ACS 5.2? I don't have access to a sniffer or tap nor do I have writes on this box. I have to instruct our systems folks to investigate. It has been a back and forth battle.
Also, I'd like to see where I'd map this on ACS 5.2. Keep in mind in both cases I have a JUNOS config mapping to a login user Engineer and operations respectively.
local-user-name=opertions
allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *))
Maybe you are looking for
-
Account Hacked, Fraudulent charges, and NO WAY TO ...
Skype, Over the last two days someone has hacked into my account, sending more than 1200 SMS messages to people in the Netherlands, Luxembourg, and other parts of Europe. This drained whatever remained in my account, and then auto-filled 6 times for
-
I recently bought VGA splitter, that's 14 pin. My VGA cable is 15 pin. After connecting the Cable to the splitter the monitor resolution goes down, then if the VGA cable is directly connected to the PC vga adapter. So, I looked online to see diffrenc
-
How to get name of batch file/shell script that starts program?
I don't think there's a way to do it, but I'm asking the question anyway... of course, the startup script could pass its name as a parameter to the Java program, but I was wondering if the information could be determined "directly," via Java code. Th
-
How does the net invoice differs from gross invoice? How the exchange rates are maintained and where they are maintained? Edited by: Ashutosh Kul on Jan 13, 2008 9:04 PM
-
How to cut/split MPEG4 video in my program?
Hi, I am finding for a Java API function, I need this function can cut a segment of MPEG4 Video from a big whole MPEG4 video, and I can set the start time and the end time of cutting video,such as : "cutVideo(startTime,endtime)", for example,the valu