
    Configuring TACACS+ Authentication

    TACACS+ authentication is a method of authenticating users who attempt to access the router or switch. The tasks for configuring TACACS+ authentication are:

    Configuring TACACS+ Server Details

    To use TACACS+ authentication on the router or switch, configure information about one or more TACACS+ servers on the network by including the tacplus-server statement at the [edit system] hierarchy level:

    [edit system]
    tacplus-server server-address {
        port port-number;
        secret password;
        single-connection;
        timeout seconds;
    }

    server-address is the address of the TACACS+ server.

    port-number is the TACACS+ server port number.

    You must specify a secret (password) that the local router or switch passes to the TACACS+ client by including the secret statement. If the password includes spaces, enclose the password in quotation marks. The secret used by the local router or switch must match that used by the server.

    Optionally, you can specify the length of time that the local router or switch waits to receive a response from a TACACS+ server by including the timeout statement. By default, the router or switch waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds.

    Optionally, you can have the software maintain one open Transmission Control Protocol (TCP) connection to the server for multiple requests, rather than opening a new connection for each request, by including the single-connection statement.

    Note: Early versions of the TACACS+ server do not support the single-connection option. If you specify this option and the server does not support it, the Junos OS will be unable to communicate with that TACACS+ server.

    To configure multiple TACACS+ servers, include multiple tacplus-server statements.

    To configure a set of users that share a single account for authorization purposes, you create a template user. To do this, include the user statement at the [edit system login] hierarchy level, as described in Overview of Template Accounts for RADIUS and TACACS+ Authentication.

    Specifying a Source Address for the Junos OS to Access External TACACS+ Servers

    You can specify which source address the Junos OS uses when accessing your network to contact an external TACACS+ server for authentication. You can also specify which source address the Junos OS uses when contacting a TACACS+ server for sending accounting information.

    To specify a source address for a TACACS+ server for authentication, include the source-address statement at the [edit system tacplus-server server-address] hierarchy level:

    [edit system tacplus-server server-address]
    source-address source-address;

    source-address is a valid IP address configured on one of the router or switch interfaces.

    To specify a source address for a TACACS+ server for system accounting, include the source-address statement at the [edit system accounting destination tacplus server server-address] hierarchy level:

    [edit system accounting destination tacplus server server-address]
    source-address source-address;

    source-address is a valid IP address configured on one of the router or switch interfaces.
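    The following audit script is an added example, not part of the original Junos documentation. It reads the tacplus-server statements described above in "show configuration | display set" form (an assumption: the page shows the curly-brace form, which Junos can flatten to set lines) and reports servers that lack a secret, use a timeout outside the 1 through 90 second range, do not pin a source-address, or enable single-connection, which older servers may not support. The sample configuration and addresses are constructed.

```python
import re

# Constructed sample in "display set" form; addresses and the secret are
# illustrative only (the page's own example uses 10.2.2.2 / 10.3.3.3).
SAMPLE_CONFIG = """
set system tacplus-server 10.2.2.2 secret "$ABC123"
set system tacplus-server 10.2.2.2 source-address 192.0.2.1
set system tacplus-server 10.2.2.2 timeout 5
set system tacplus-server 10.3.3.3 secret "$ABC123"
set system tacplus-server 10.3.3.3 timeout 120
set system tacplus-server 10.3.3.3 single-connection
set system tacplus-server 10.4.4.4 port 49
set system tacplus-options service-name bob
"""

# One set line per tacplus-server statement: address, then an optional
# statement keyword with an optional value (single-connection has none).
SERVER_RE = re.compile(
    r'^set system tacplus-server (\S+)'
    r'(?: (port|secret|timeout|source-address|single-connection)(?: (.+))?)?$'
)


def parse_tacplus_servers(config_text):
    """Return {server-address: {statement: value}} from display-set lines."""
    servers = {}
    for line in config_text.strip().splitlines():
        m = SERVER_RE.match(line.strip())
        if not m:
            continue  # not a tacplus-server statement (e.g. tacplus-options)
        addr, stmt, val = m.groups()
        entry = servers.setdefault(addr, {})
        if stmt:
            entry[stmt] = val.strip('"') if val else True
    return servers


def audit_tacplus(config_text):
    """Return (server, finding) tuples for the checks the page's text implies."""
    findings = []
    for addr, stmts in parse_tacplus_servers(config_text).items():
        if "secret" not in stmts:
            findings.append((addr, "missing secret: the router cannot authenticate to this server"))
        if "timeout" in stmts and not 1 <= int(stmts["timeout"]) <= 90:
            findings.append((addr, "timeout outside the supported 1-90 second range"))
        if "source-address" not in stmts:
            findings.append((addr, "no source-address: the address the server sees is not pinned"))
        if "single-connection" in stmts:
            findings.append((addr, "single-connection set: confirm the server supports it"))
    return findings
```

Run it against the output of `show configuration | display set` on the device to produce the same findings for a live configuration.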

    Configuring the Same Authentication Service for Multiple TACACS+ Servers

    To configure the same authentication service for multiple TACACS+ servers, include statements at the [edit system tacplus-server] and [edit system tacplus-options] hierarchy levels. For information about how to configure a TACACS+ server at the [edit system tacplus-server] hierarchy level, see Configuring TACACS+ Authentication.

    To assign the same authentication service to multiple TACACS+ servers, include the service-name statement at the [edit system tacplus-options] hierarchy level:

    [edit system tacplus-options]
    service-name service-name;

    service-name is the name of the authentication service. By default, the service name is set to junos-exec.

    The following example shows how to configure the same authentication service for multiple TACACS+ servers:

    [edit system]
    tacplus-server {
        10.2.2.2 secret "$ABC123"; ## SECRET-DATA
        10.3.3.3 secret "$ABC123"; ## SECRET-DATA
    }
    tacplus-options {
        service-name bob;
    }

    Configuring Juniper Networks Vendor-Specific TACACS+ Attributes

    The Juniper Networks Vendor-Specific TACACS+ Attributes enable you to configure access privileges for users on a TACACS+ server. They are specified in the TACACS+ server configuration file on a per-user basis. The Junos OS retrieves these attributes through an authorization request of the TACACS+ server after authenticating a user. You do not need to configure these attributes to run the Junos OS with TACACS+.

    To specify these attributes, include a service statement of the following form in the TACACS+ server configuration file:

    service = junos-exec {
        local-user-name = <username-local-to-router>
        allow-commands = "<allow-commands-regex>"
        allow-configuration-regexps = "<allow-configuration-regex>"
        deny-commands = "<deny-commands-regex>"
        deny-configuration-regexps = "<deny-configuration-regex>"
    }

    This service statement can appear in a user or group statement.
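    The following generator is an added example, not part of the original documentation or of any TACACS+ server distribution. It renders the junos-exec service statement shown above for one user or group entry and, before rendering, checks that only the five attributes the page lists are present, that local-user-name is a single token, and that each regex attribute compiles (an assumption: Python's re module is used to approximate the extended regular expressions Junos evaluates). The operator entry is constructed; the template account it names is assumed to exist on the router.

```python
import re

# Attributes the page lists for the junos-exec service, in the order shown.
JUNOS_EXEC_ATTRIBUTES = (
    "local-user-name",
    "allow-commands",
    "allow-configuration-regexps",
    "deny-commands",
    "deny-configuration-regexps",
)
REGEX_ATTRIBUTES = JUNOS_EXEC_ATTRIBUTES[1:]


def validate_attributes(attrs):
    """Return a list of problems; an empty list means the entry is usable."""
    problems = []
    unknown = set(attrs) - set(JUNOS_EXEC_ATTRIBUTES)
    if unknown:
        problems.append("unknown attribute(s): " + ", ".join(sorted(unknown)))
    name = attrs.get("local-user-name")
    if name is not None and not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        problems.append("local-user-name must be a single token")
    for key in REGEX_ATTRIBUTES:
        if key in attrs:
            try:
                re.compile(attrs[key])  # approximation of Junos ERE (assumption)
            except re.error as exc:
                problems.append(f"{key}: invalid regex ({exc})")
    return problems


def render_service_stanza(attrs):
    """Render 'service = junos-exec { ... }' for one user or group entry."""
    problems = validate_attributes(attrs)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["service = junos-exec {"]
    for key in JUNOS_EXEC_ATTRIBUTES:
        if key in attrs:
            value = attrs[key]
            if key in REGEX_ATTRIBUTES:  # regex values are quoted, quotes escaped
                value = '"' + value.replace('"', '\\"') + '"'
            lines.append(f"    {key} = {value}")
    lines.append("}")
    return "\n".join(lines)


# Constructed example: an operator mapped to a template account who may run
# show commands but is denied configuration and request system commands.
OPERATOR = {
    "local-user-name": "operator-template",
    "allow-commands": "^show ",
    "deny-commands": "^(configure|edit|request system)",
}
```

Paste the rendered stanza into the matching user or group block of the TACACS+ server configuration file.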

    Modified: 2017-03-14