Screen OS

 View Only
last person joined: 6 months ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  Juniper SSG and Cisco ACS v5.x

    Posted 01-26-2012 09:35

    I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma.  I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.

     

    Title:  Configuration Example - Juniper SSG and Cisco ACS v5.x

     

    Product:  Juniper SSG320M        (Cisco ACS v5.x)

    Version:  ScreenOS 6.3.0r10.0    (Cisco ACS v5.2.0.26.8)

     

    Network Topology:

          [Juniper SSG320M]-----[Cisco 3560 Switch]-----[Cisco ACS VM]

     

    Description:

         Purpose - Authenticate SSG administrators using TACACS+ instead of local logins

         Description - This configuration is for Cisco ACS v5.x, JTAC only had the v3.3 configuration.

                                 ACS v5.x is a Linux-based VM with a completely new user interface and structure.

     

    Configuration:

      Configure the Juniper (CLI)

      1. Add the Cisco ACS and TACACS+ configuration

         set auth-server CiscoACSv5 id 1
         set auth-server CiscoACSv5 server-name 192.168.1.100
         set auth-server CiscoACSv5 account-type admin
         set auth-server CiscoACSv5 type tacacs
         set auth-server CiscoACSv5 tacacs secret CiscoACSv5
         set auth-server CiscoACSv5 tacacs port 49
         set admin auth server CiscoACSv5
         set admin auth remote primary
         set admin auth remote root
         set admin privilege get-external

     

      Configure the Cisco ACS v5.x (GUI)
      1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
            Create the Juniper Shell Profile. 
            Click the [Create] button at the bottom of the page
                    Select the General tab
                            Name:    Juniper
                            Description:  Custom Attributes for Juniper SSG320M
                    Select the Custom Attributes tab

                        Add the vsys attribute:
                            Attribute:                vsys
                            Requirement:       Manadatory 
                            Value:                    root
                            Click the [Add^] button above the Attribute field

                        Add the privilege attribute:

                            Attribute:                privilege
                            Requirement:       Manadatory 
                            Value:                    root

                                    Note: you can also use 'read-write' but then local admin doesn't work correctly
                            Click the [Add^] button above the Attribute field
                    Click the [Submit] button at the bottom of the page

     

      2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
            Create the Juniper Authorization Policy and filter by Device IP Address.
            Click the [Customize] button at the bottom Right of the page
                    Under Customize Conditions, select Device IP Address from the left window
                            Click the [>] button to add it
                    Click the [OK] button to close the window

     

                    Click the [Create] button at the bottom of the page to create a new rule
                            Under General, name the new rule Juniper, and ensure it is Enabled
                            Under Conditions, check the box next to Device IP Address
                                    Enter the ip address of the Juniper (192.168.1.100)
                            Under Results, click the [Select] button next to the Shell Profile field
                                    Select 'Juniper' and click the [OK] button
                            Under Results, click the [Select] button below the Command Sets (if used) field
                                    Select 'Permit All' and ensure all other boxes are UNCHECKED
                            Click the [OK] button to close the window
                    Click the [OK] button at the bottom of the page to close the window
                    Check the box next to the Juniper policy, then move the policy to the top of the list
                    Click the [Save Changes] button at the bottom of the page

     

    Verification:  

      Login to the Juniper CLI and GUI using an ACS Internal User account, and attempt to change something to verify privilege level.

     


    #netscreen
    #SSG
    #CiscoACS
    #tacacs


  • 2.  RE: Juniper SSG and Cisco ACS v5.x
    Best Answer

    Posted 01-26-2012 14:26