JUNOS – Authentication using TACACS+

Juniper M7i – JUNOS 9.3R2.8

The local template user must be named "remote": Junos maps TACACS+-authenticated users that have no local account of their own onto this account, so its login class determines their privileges.

# edit system
set login user remote class super-user
set login user remote full-name "TACACS+ remote User"
set login user remote uid 3333
set accounting events [ login interactive-commands ] destination tacplus

set authentication-order [ tacplus password ]
set tacplus-server 10.20.30.22 source-address 10.20.30.11 port 49 secret xxxxxxxx

If you use a firewall filter to protect the Routing Engine (RE), add a term that accepts TACACS+ traffic from the management prefixes; otherwise the filter drops the server's replies and the router can never reach TACACS+.

# edit (top of the configuration hierarchy)
set firewall filter protect-RE term tacacs from source-prefix-list mgmnt-access
set firewall filter protect-RE term tacacs from protocol tcp
set firewall filter protect-RE term tacacs from port tacacs
set firewall filter protect-RE term tacacs then accept

set policy-options prefix-list mgmnt-access 10.20.30.0/25
set policy-options prefix-list mgmnt-access 20.30.40.0/24

# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input protect-RE;
        }
        address 127.0.0.1/8;
        address 10.20.30.11/32;
    }
}
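Before committing, it is worth confirming that the protect-RE filter and the tacplus-server line agree with each other: if the server address is outside the mgmnt-access prefix-list, or the source-address is not configured on lo0, the router cannot talk to TACACS+ and silently falls back to local passwords. The Python script below is an added example, not part of the original post; it parses the post's set commands (constructed inline, with full paths) and reports either mismatch.

```python
import ipaddress
import re

# Constructed sample: the post's own set commands, written with full paths
# from the top of the hierarchy (the post enters [edit system] first).
CONFIG = """
set system tacplus-server 10.20.30.22 source-address 10.20.30.11 port 49 secret xxxxxxxx
set firewall filter protect-RE term tacacs from source-prefix-list mgmnt-access
set firewall filter protect-RE term tacacs from protocol tcp
set firewall filter protect-RE term tacacs from port tacacs
set firewall filter protect-RE term tacacs then accept
set policy-options prefix-list mgmnt-access 10.20.30.0/25
set policy-options prefix-list mgmnt-access 20.30.40.0/24
set interfaces lo0 unit 0 family inet address 10.20.30.11/32
"""


def parse_config(text):
    """Pull TACACS+ servers, prefix-lists and lo0 addresses out of set commands."""
    servers, prefix_lists, lo0_addrs = [], {}, set()
    for line in text.strip().splitlines():
        m = re.match(r"set system tacplus-server (\S+)(?: source-address (\S+))?", line)
        if m:
            servers.append((m.group(1), m.group(2)))  # (server, source-address or None)
            continue
        m = re.match(r"set policy-options prefix-list (\S+) (\S+)", line)
        if m:
            prefix_lists.setdefault(m.group(1), []).append(ipaddress.ip_network(m.group(2)))
            continue
        m = re.match(r"set interfaces lo0 unit \d+ family inet address (\S+)", line)
        if m:
            lo0_addrs.add(ipaddress.ip_interface(m.group(1)).ip)
    return servers, prefix_lists, lo0_addrs


def check_tacplus_reachability(text, prefix_list="mgmnt-access"):
    """Return the problems that would make protect-RE drop TACACS+ replies or
    leave the configured source-address unusable; [] means the config is consistent."""
    servers, prefix_lists, lo0_addrs = parse_config(text)
    allowed = prefix_lists.get(prefix_list, [])
    problems = []
    for server, source in servers:
        if not any(ipaddress.ip_address(server) in net for net in allowed):
            problems.append(f"server {server} not covered by prefix-list {prefix_list}")
        if source and ipaddress.ip_address(source) not in lo0_addrs:
            problems.append(f"source-address {source} not configured on lo0")
    return problems


if __name__ == "__main__":
    print(check_tacplus_reachability(CONFIG) or "protect-RE permits the TACACS+ replies")
```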
