I did not look at Pathfinder but did get a chance to look at 21, 22 code on 4300mp, 4650, 5100, and there is no LDAP for an authentication-order option!
This would be a great ER for the sales team / SE to put in for.
Going back to your reason to move to LDAP: I'm not here to change your mind, as I too put that down on my road map to start looking at.
I only bring this up as a lot of other devices only support tac or radius.
I have stuck with Fedora due to Amazon Linux 2 being a "clone" of Red Hat/CentOS 7, and Amazon Linux 2023, I think, is built from Fedora 35. I have even in the past pulled and compiled tacacs and trust me... if I can do it, anyone can.
https://packages.fedoraproject.org/pkgs/tacacs/tacacs-extra/
Original Message:
Sent: 07-19-2023 05:15
From: BegBlev
Subject: Centralized authentication
I knew about this article,
Unfortunately it seems to be available only for SRX devices.
On our QFX5120 with an up-to-date firmware version... it is not available :(
Thank you
Original Message:
Sent: 07-18-2023 09:53
From: tgreaser
Subject: Centralized authentication
You may just need to update your version of Junos to support ldaps
https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/user-access-ldaps-authentication.html
As for packages of TACACS+
https://pkgs.org/download/tacacs
Original Message:
Sent: 07-17-2023 04:43
From: BegBlev
Subject: Centralized authentication
Hello,
In the lab where I work we have a FreeIPA instance in order to authenticate users logging into our devices.
For our servers... no problem, all the BMCs are using LDAP authentication.
For our Juniper devices this is not so obvious.
FreeIPA offers LDAP and Kerberos, Junos proposes TACACS+ or RADIUS.
A few years ago we chose TACACS+ as it looks a bit more "secure".
Hence we set up an LDAP/TACACS+ proxy. This proxy, based on Ubuntu 18.04 LTS, is running a tac_plus server offering a TACACS+ frontend to our Junos devices and using LDAP authentication (based on PAM) from our FreeIPA server.
It works fine but, unfortunately, the tac_plus server does not seem to be actively maintained, and new versions of Linux (Ubuntu, Debian...) are not embedding the package anymore.
We are looking for a more "futureproof" solution.
I would like to know/share your solutions/experiences.
Thanks a lot
Vince