Configure TACACS+ Authentication

To use TACACS+ authentication on the router, configure information about one or more TACACS+ servers on the network by including the tacplus-server statement at the [edit system] hierarchy level:

[edit system]

tacplus-server server-address {

    secret password; 

    single-connection; 

    timeout seconds; 

}

In server-address, specify the address of the TACACS+ server.

You must specify a secret (password) that the local router passes to the TACACS+ client by including the secret statement. Secrets can contain spaces. The secret used by the local router must match that used by the server.

You can optionally specify the length of time that the local router waits to receive a response from a TACACS+ server by including thethe timeout statement. By default, the router waits 3 seconds. You can configure this to be a value in the range 1 through 90 seconds.

You can optionally have the software maintain one open TCP connection to the server for multiple requests, rather than opening a connection for each connection attempt by including the single-connection statement.

Early versions of the TACACS+ server do not support the single-connection option. If you specify this option and the server does not support it, the JUNOS software will be unable to communicate with that TACACS+ server.

To configure multiple TACACS+ servers, include multiple tacplus-server statements.

To configure a set of users that share a single account for authorization purposes, you create a template user. To do this, include the user statement at the [edit system login] hierarchy level, as described in Configure Template Accounts for RADIUS and TACACS+ Authentication.

Configure Juniper Networks-Specific TACACS+ Attributes

The TACACS attributes listed in Table 10 are specific to Juniper Networks. They are specified in the TACACS+ server configuration file on a per-user basis. The JUNOS software retrieves these attributes through an authorization request of the TACACS+ server after authenticating a user. You do not need to configure these attributes to run JUNOS with TACACS+.

To specify these attributes, include a service statement in the TACACS+ server configuration file of the following form:

service = junos-exec {

    local-user-name = <username-local-to-router>

    allow-commands = "<allow-commands-regexp>"

    allow-configuration = "<allow-configuration-regexp>"

    deny-commands = "<deny-commands-regexp>"

    deny-configuration = "<deny-configuration-regexp>"

}

This service statement can appear in a user or group statement.

Table 10: Juniper Networks-Specific TACACS+ Attributes

Name	Description	Length	String
local-user-name	Indicates the name of the user template used by this user when logging into a device.	3	One or more octets containing printable ASCII characters.
allow-commands	Contains an extended regular expression that allows the user to run operational mode commands in addition to those commands authorized by the user's login class permission bits.	3	One or more octets containing printable ASCII characters, in the form of an extended regular expression.
deny-commands	Contains an extended regular expression that denies the user permission to run operational mode commands authorized by the user's login class permission bits.	3	One or more octets containing printable ASCII characters, in the form of an extended regular expression.
allow-configuration	Contains an extended regular expression that allows the user to run configuration mode commands in addition to those commands authorized by the user's login class permission bits.	3	One or more octets containing printable ASCII characters, in the form of an extended regular expression.
deny-configuration	Contains an extended regular expression that denies the user permission to run configuration mode commands authorized by the user's login class permission bits.	3	One or more octets containing printable ASCII characters, in the form of an extended regular expression.