Junos OS

Hello,

In the lab I work we have a FreeIPA instance in order to authenticate users login into our devices.

For our servers... no problem, all the BMCs are using LDAP authentication.

For our Juniper devices this is not so obvious.

FreeIPA offers LDAP and Kerberos, Junos proposes TACACS+ or RADIUS.

A few years ago we choosed TACACS+ as it looks a bit more "secure".

Hence we setup a LDAP/TACACS+ proxy. This proxy, based on Ubuntu 18.04 LTS is running tac_plus server offering a TACACS+ frontend to our Junos devices and using LDAP authentication (based on PAM) from our FreeIPA server.

It works fine but, unfortunatly, tac_plus server does not seem to be activelly maintained and new versions of Linux (Ubuntu, Debian...) are not embedding the package anymore.

We are looking for a more "futureproof" solution.

I would like to know/share your solutions/experiences.

Thanks a lot

Vince

You may just need to update your version of Junos to support  ldaps 

https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/user-access-ldaps-authentication.html

As for packages of TACACS+

https://pkgs.org/download/tacacs

Hello,

In the lab I work we have a FreeIPA instance in order to authenticate users login into our devices.

For our servers... no problem, all the BMCs are using LDAP authentication.

For our Juniper devices this is not so obvious.

FreeIPA offers LDAP and Kerberos, Junos proposes TACACS+ or RADIUS.

A few years ago we choosed TACACS+ as it looks a bit more "secure".

Hence we setup a LDAP/TACACS+ proxy. This proxy, based on Ubuntu 18.04 LTS is running tac_plus server offering a TACACS+ frontend to our Junos devices and using LDAP authentication (based on PAM) from our FreeIPA server.

It works fine but, unfortunatly, tac_plus server does not seem to be activelly maintained and new versions of Linux (Ubuntu, Debian...) are not embedding the package anymore.

We are looking for a more "futureproof" solution.

I would like to know/share your solutions/experiences.

Thanks a lot

Vince

I knew about this article,

Unfortunatly it seems to be available only for SRX devices.

On our QFX5120 with up to date firmware version... it is not available :(

Thank you

You may just need to update your version of Junos to support  ldaps 

https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/user-access-ldaps-authentication.html

As for packages of TACACS+

https://pkgs.org/download/tacacs

Hello,

In the lab I work we have a FreeIPA instance in order to authenticate users login into our devices.

For our servers... no problem, all the BMCs are using LDAP authentication.

For our Juniper devices this is not so obvious.

FreeIPA offers LDAP and Kerberos, Junos proposes TACACS+ or RADIUS.

A few years ago we choosed TACACS+ as it looks a bit more "secure".

Hence we setup a LDAP/TACACS+ proxy. This proxy, based on Ubuntu 18.04 LTS is running tac_plus server offering a TACACS+ frontend to our Junos devices and using LDAP authentication (based on PAM) from our FreeIPA server.

It works fine but, unfortunatly, tac_plus server does not seem to be activelly maintained and new versions of Linux (Ubuntu, Debian...) are not embedding the package anymore.

We are looking for a more "futureproof" solution.

I would like to know/share your solutions/experiences.

Thanks a lot

Vince

Hello,

In the lab I work we have a FreeIPA instance in order to authenticate users login into our devices.

For our servers... no problem, all the BMCs are using LDAP authentication.

For our Juniper devices this is not so obvious.

FreeIPA offers LDAP and Kerberos, Junos proposes TACACS+ or RADIUS.

A few years ago we choosed TACACS+ as it looks a bit more "secure".

Hence we setup a LDAP/TACACS+ proxy. This proxy, based on Ubuntu 18.04 LTS is running tac_plus server offering a TACACS+ frontend to our Junos devices and using LDAP authentication (based on PAM) from our FreeIPA server.

It works fine but, unfortunatly, tac_plus server does not seem to be activelly maintained and new versions of Linux (Ubuntu, Debian...) are not embedding the package anymore.

We are looking for a more "futureproof" solution.

I would like to know/share your solutions/experiences.

Thanks a lot

Vince