Log in to ask questions, share your expertise, or stay connected to content you value. Don’t have a login? Learn how to become a member.
I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma. I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
Title: Configuration Example - Juniper SSG and Cisco ACS v5.x
Product: Juniper SSG320M (Cisco ACS v5.x)
Version: ScreenOS 6.3.0r10.0 (Cisco ACS v220.127.116.11.8)
[Juniper SSG320M]-----[Cisco 3560 Switch]-----[Cisco ACS VM]
Purpose - Authenticate SSG administrators using TACACS+ instead of local logins
Description - This configuration is for Cisco ACS v5.x, JTAC only had the v3.3 configuration.
ACS v5.x is a Linux-based VM with a completely new user interface and structure.
1. Add the Cisco ACS and TACACS+ configuration
set auth-server CiscoACSv5 id 1 set auth-server CiscoACSv5 server-name 192.168.1.100 set auth-server CiscoACSv5 account-type admin set auth-server CiscoACSv5 type tacacs set auth-server CiscoACSv5 tacacs secret CiscoACSv5 set auth-server CiscoACSv5 tacacs port 49 set admin auth server CiscoACSv5 set admin auth remote primary set admin auth remote root set admin privilege get-external
Configure the Cisco ACS v5.x (GUI) 1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles Create the Juniper Shell Profile. Click the [Create] button at the bottom of the page Select the General tab Name: Juniper Description: Custom Attributes for Juniper SSG320M Select the Custom Attributes tab
Add the vsys attribute: Attribute: vsys Requirement: Manadatory Value: root Click the [Add^] button above the Attribute field
Add the privilege attribute:
Attribute: privilege Requirement: Manadatory Value: root
Note: you can also use 'read-write' but then local admin doesn't work correctly Click the [Add^] button above the Attribute field Click the [Submit] button at the bottom of the page
2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization Create the Juniper Authorization Policy and filter by Device IP Address. Click the [Customize] button at the bottom Right of the page Under Customize Conditions, select Device IP Address from the left window Click the [>] button to add it Click the [OK] button to close the window
Click the [Create] button at the bottom of the page to create a new rule Under General, name the new rule Juniper, and ensure it is Enabled Under Conditions, check the box next to Device IP Address Enter the ip address of the Juniper (192.168.1.100) Under Results, click the [Select] button next to the Shell Profile field Select 'Juniper' and click the [OK] button Under Results, click the [Select] button below the Command Sets (if used) field Select 'Permit All' and ensure all other boxes are UNCHECKED Click the [OK] button to close the window Click the [OK] button at the bottom of the page to close the window Check the box next to the Juniper policy, then move the policy to the top of the list Click the [Save Changes] button at the bottom of the page
Login to the Juniper CLI and GUI using an ACS Internal User account, and attempt to change something to verify privilege level.
Very nice, you should post this into the Configuration Library forum.