Junos OS


PAM rejecting logon with expired after TACACS+ (Cisco ACS) records a successful logon to EX4300 device.

  • 1.  PAM rejecting logon with expired after TACACS+ (Cisco ACS) records a successful logon to EX4300 device.

    Posted 03-18-2020 11:43

    We have EX4300s and all the devices reject my TACACS+ logon even though TACACS+ (Cisco ACS) reports a successful logon to the Juniper device. PAM records an expired account error message. There is no local account on the switch with the same name. Any user who tries gets the exact same error message.

     


    #PAM
    #EX4300


  • 2.  RE: PAM rejecting logon with expired after TACACS+ (Cisco ACS) records a successful logon to EX4300 device.

    Posted 03-18-2020 12:12

    Hi theslogan1962,

     

    I hope you are doing great!

     

    Can you please add the following command and let me know:

     

    set system login user remote class super-user

     

    Pablo,



  • 3.  RE: PAM rejecting logon with expired after TACACS+ (Cisco ACS) records a successful logon to EX4300 device.

    Posted 03-25-2020 08:00

    Thank you, Pablo, as what you suggested got me to where I wanted to be!



  • 4.  RE: PAM rejecting logon with expired after TACACS+ (Cisco ACS) records a successful logon to EX4300 device.
    Best Answer

    Posted 03-19-2020 20:48

    Hi,

    Good day!

    I guess the below link will be of great use to you.

    https://www.juniper.net/documentation/en_US/junos13.1/topics/example/authentication-configuration-tacacs-radius-password-configuring.html

    You need to create a user remote, and all the users who get authenticated by TACACS will use that template.

    The error is because the user is successfully getting authenticated by TACACS but there is no remote profile, hence you're unable to log in to the switch.

    If the issue still persists, you can provide the configuration and we can have a check.



  • 5.  RE: PAM rejecting logon with expired after TACACS+ (Cisco ACS) records a successful logon to EX4300 device.

    Posted 03-25-2020 07:59

    Thank you, as what you showed me fixed the problem.
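
The condition discussed in this thread (TACACS+ in the authentication order but no `remote` template user) can be checked offline against exported configuration. The following is an added example, not part of the original posts or Juniper's own tooling; the function name, the sample configurations, the address 192.0.2.10 and the choice of the `operator` class are assumptions made for illustration.

```python
import re

# Constructed sample configs in "show configuration | display set" form (not from the thread).
BROKEN = """\
set system authentication-order tacplus
set system authentication-order password
set system tacplus-server 192.0.2.10 secret "PLACEHOLDER"
set system login user admin class super-user
"""
FIXED = BROKEN + "set system login user remote class operator\n"
OVERBROAD = BROKEN + "set system login user remote class super-user\n"

ORDER_RE = re.compile(r"set system authentication-order (.+)")
USER_RE = re.compile(r"set system login user (\S+) class (\S+)")


def audit_remote_template(config: str) -> list[str]:
    """Return findings about the 'remote' template used for TACACS+/RADIUS logins.

    Assumption: users have no same-named local account and the server sends no
    attribute mapping them to a different template, as in the thread.
    """
    order, users = [], {}
    for line in map(str.strip, config.splitlines()):
        if m := ORDER_RE.match(line):
            # Accept both one-method-per-line and "[ tacplus password ]" forms.
            order += m.group(1).strip("[] ").split()
        elif m := USER_RE.match(line):
            users[m.group(1)] = m.group(2)

    if not {"tacplus", "radius"} & set(order):
        return []  # local authentication only: no template user is needed
    if "remote" not in users:
        return ["no 'remote' template user: server-approved logins are rejected on the switch"]
    if users["remote"] == "super-user":
        return ["'remote' is class super-user: every templated login gets full privileges"]
    return []


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED), ("overbroad", OVERBROAD)):
        print(name, audit_remote_template(cfg) or "ok")
```

The second finding is a least-privilege check: the class set on `remote` applies to every user who falls back to that template.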