
    Configuring TACACS+ Authentication

    TACACS+ authentication is a method of authenticating users who attempt to access the router or switch. The tasks for configuring TACACS+ authentication are described in the following sections.

    Configuring TACACS+ Server Details

    To use TACACS+ authentication on the router or switch, configure information about one or more TACACS+ servers on the network by including the tacplus-server statement at the [edit system] hierarchy level:

    [edit system]
    tacplus-server server-address {
    port port-number;
    routing-instance routing-instance;
    secret password;
    single-connection;
    timeout seconds;
    }

    server-address is the address of the TACACS+ server.

    port-number is the TACACS+ server port number.

    routing-instance routing-instance is the name of the management instance (mgmt_junos). For more information on this option, see Configuring TACACS+ To Use the Management Instance.

    You must specify a secret (password) that the local router or switch passes to the TACACS+ client by including the secret statement. If the password includes spaces, enclose the password in quotation marks. The secret used by the local router or switch must match that used by the server.

    Optionally, you can specify the length of time that the local router or switch waits to receive a response from a TACACS+ server by including the timeout statement. By default, the router or switch waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds.

    Optionally, you can have the software maintain one open Transmission Control Protocol (TCP) connection to the server for multiple requests, rather than opening a connection for each connection attempt by including the single-connection statement.

    Note: Early versions of the TACACS+ server do not support the single-connection option. If you specify this option and the server does not support it, the Junos OS will be unable to communicate with that TACACS+ server.

    To configure multiple TACACS+ servers, include multiple tacplus-server statements.

    On a TX Matrix router, TACACS+ accounting should be configured only under the groups re0 and re1.

    Note: Accounting should not be configured at the [edit system] hierarchy level; on a TX Matrix router, control is done under the switch-card chassis only.

    To configure a set of users that share a single account for authorization purposes, you create a template user. To do this, include the user statement at the [edit system login] hierarchy level, as described in Example: Configuring Authentication Order.

    Configuring TACACS+ To Use the Management Instance

    By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support a management interface in a non-default VRF instance.

    [edit system]
    tacplus-server server-address {
    routing-instance routing-instance;
    }

    When the routing-instance mgmt_junos option is configured in both the tacplus-server server-address statement and the tacplus server server-ip statement (see tacplus), and the management-instance statement is also configured, TACACS+ packets are routed through the management instance mgmt_junos.

    Note: The routing-instance mgmt_junos option must be configured in both the tacplus-server and the tacplus server statements. If not, even if the management-instance statement is set, TACACS+ packets will still be sent using the default routing instance only.

    For more details on this management instance, see management-instance.
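    The following added example (not part of the Juniper documentation) audits a Junos configuration in "set" format against two rules from the sections above: the timeout must be within 1 through 90 seconds, and when management-instance is set, routing-instance mgmt_junos must be present under both tacplus-server and accounting tacplus server for the same address, or TACACS+ packets fall back to the default routing instance. The configuration text is constructed for the example.

```python
import re

# Constructed sample Junos configuration in "set" format (not taken from the page).
SAMPLE_CONFIG = """\
set system management-instance
set system tacplus-server 10.2.2.2 secret "$ABC123"
set system tacplus-server 10.2.2.2 routing-instance mgmt_junos
set system tacplus-server 10.2.2.2 timeout 5
set system tacplus-server 10.2.2.2 single-connection
set system tacplus-server 10.3.3.3 secret "$ABC123"
set system tacplus-server 10.3.3.3 timeout 120
set system accounting destination tacplus server 10.2.2.2 secret "$ABC123"
"""
# One pattern per hierarchy; the trailing group holds "option [value]".
HIERARCHIES = {
    "auth": re.compile(r"^set system tacplus-server (\S+)(?: (.*))?$"),
    "acct": re.compile(r"^set system accounting destination tacplus server (\S+)(?: (.*))?$"),
}

def parse(config):
    """Return (management_instance_set, {"auth": {addr: {opt: val}}, "acct": {...}})."""
    mgmt, servers = False, {"auth": {}, "acct": {}}
    for line in config.splitlines():
        line = line.strip()
        mgmt = mgmt or line == "set system management-instance"
        for kind, regex in HIERARCHIES.items():
            m = regex.match(line)
            if m:
                opts = servers[kind].setdefault(m.group(1), {})
                key, _, value = (m.group(2) or "").partition(" ")
                if key:  # flag options such as single-connection keep an empty value
                    opts[key] = value
    return mgmt, servers

def audit(config):
    """Return (address, finding) pairs for the rules stated on this page."""
    mgmt, servers = parse(config)
    findings = []
    for addr, opts in sorted(servers["auth"].items()):
        timeout = opts.get("timeout")  # page: 1 through 90 seconds, default 3
        if timeout is not None and not 1 <= int(timeout) <= 90:
            findings.append((addr, "timeout-out-of-range"))
    if mgmt:  # mgmt_junos must appear in BOTH hierarchies, else the default instance is used
        for addr in sorted(set(servers["auth"]) | set(servers["acct"])):
            both = all(servers[k].get(addr, {}).get("routing-instance") == "mgmt_junos"
                       for k in ("auth", "acct"))
            if not both:
                findings.append((addr, "mgmt-instance-incomplete"))
    return findings
```

    Running audit(SAMPLE_CONFIG) flags the out-of-range timeout on 10.3.3.3 and reports both servers as incomplete for mgmt_junos, since 10.2.2.2 has it only under tacplus-server and 10.3.3.3 has it under neither hierarchy.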

    Specifying a Source Address for the Junos OS to Access External TACACS+ Servers

    You can specify which source address the Junos OS uses when accessing your network to contact an external TACACS+ server for authentication. You can also specify which source address the Junos OS uses when contacting a TACACS+ server for sending accounting information.

    To specify a source address for a TACACS+ server for authentication, include the source-address statement at the [edit system tacplus-server server-address] hierarchy level:

    [edit system tacplus-server server-address]
    source-address source-address;

    source-address is a valid IP address configured on one of the router or switch interfaces.

    To specify a source address for a TACACS+ server for system accounting, include the source-address statement at the [edit system accounting destination tacplus server server-address] hierarchy level:

    [edit system accounting destination tacplus server server-address]
    source-address source-address;

    source-address is a valid IP address configured on one of the router or switch interfaces.

    Configuring the Same Authentication Service for Multiple TACACS+ Servers

    To configure the same authentication service for multiple TACACS+ servers, include statements at the [edit system tacplus-server] and [edit system tacplus-options] hierarchy levels. For information about how to configure a TACACS+ server at the [edit system tacplus-server] hierarchy level, see Configuring TACACS+ Authentication.

    To assign the same authentication service to multiple TACACS+ servers, include the service-name statement at the [edit system tacplus-options] hierarchy level:

    [edit system tacplus-options]
    service-name service-name;

    service-name is the name of the authentication service. By default, the service name is set to junos-exec.

    The following example shows how to configure the same authentication service for multiple TACACS+ servers:

    [edit system]
    tacplus-server {
        10.2.2.2 secret "$ABC123"; ## SECRET-DATA
        10.3.3.3 secret "$ABC123"; ## SECRET-DATA
    }
    tacplus-options {
        service-name bob;
    }

    Configuring Juniper Networks Vendor-Specific TACACS+ Attributes

    The Juniper Networks Vendor-Specific TACACS+ Attributes enable you to configure access privileges for users on a TACACS+ server. They are specified in the TACACS+ server configuration file on a per-user basis. The Junos OS retrieves these attributes through an authorization request of the TACACS+ server after authenticating a user. You do not need to configure these attributes to run the Junos OS with TACACS+.

    To specify these attributes, include a service statement of the following form in the TACACS+ server configuration file:

    service = junos-exec {
    local-user-name = <username-local-to-router>
    allow-commands = "<allow-commands-regex>"
    allow-configuration-regexps = "<allow-configuration-regex>"
    deny-commands = "<deny-commands-regex>"
    deny-configuration-regexps = "<deny-configuration-regex>"
    }

    This service statement can appear in a user or group statement.
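    The following added example (not from the Juniper documentation or any TACACS+ server project) parses the junos-exec service stanza described above out of a constructed TACACS+ server configuration file and lints it before it is loaded: unknown attribute names are reported, and each allow/deny value is checked to be a compilable regular expression (Python's re module is used as an approximation of the router's regex engine).

```python
import re

# Constructed excerpt of a TACACS+ server configuration file (not from the page).
SAMPLE_USER = """\
user = alice {
    service = junos-exec {
        local-user-name = netops-ro
        allow-commands = "^show .*"
        deny-commands = "^request system (reboot|halt)"
        allow-configuration-regexps = "^interfaces .*"
        deny-configuration-regexps = "^system (login|root-authentication)"
    }
}
"""
REGEX_ATTRS = ("allow-commands", "allow-configuration-regexps",
               "deny-commands", "deny-configuration-regexps")
KNOWN_ATTRS = ("local-user-name",) + REGEX_ATTRS
# Stanza body up to its first "}" (a regex value containing "}" would need a real parser).
STANZA_RE = re.compile(r"service\s*=\s*junos-exec\s*\{(.*?)\}", re.S)

def parse_junos_exec(text):
    """Return the attribute -> value map of the first junos-exec service stanza."""
    m = STANZA_RE.search(text)
    if not m:
        raise ValueError("no service = junos-exec stanza found")
    attrs = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[key.strip()] = value.strip().strip('"')
    return attrs

def lint(attrs):
    """Return problems to fix before loading the stanza on the TACACS+ server."""
    problems = [f"unknown attribute {k}" for k in attrs if k not in KNOWN_ATTRS]
    for key in REGEX_ATTRS:
        if key in attrs:
            try:
                re.compile(attrs[key])  # approximate check with Python's regex engine
            except re.error as exc:
                problems.append(f"{key}: invalid regex ({exc})")
    return problems
```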

    Release History Table

    Release    Description
    17.4R1     Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support a management interface in a non-default VRF instance.

    Modified: 2018-02-01