
TACACS+ Authentication

 

The Junos OS supports TACACS+ for central authentication of users on multiple routers, switches, or security devices. To use TACACS+ authentication on the device, you must configure information about one or more TACACS+ servers on the network. You can also configure TACACS+ accounting on the device to collect statistical data about users logging in to or out from a LAN and send that data to a TACACS+ accounting server. For more information, read this topic.

Configuring TACACS+ Authentication

TACACS+ authentication is a method of authenticating users who attempt to access the router or switch.

Note

Starting with Release 13.3, Junos OS supports IPv6 along with the existing IPv4 support for user authentication using TACACS+ servers.

To configure TACACS+ authentication, perform the following tasks:

Configuring TACACS+ Server Details

To use TACACS+ authentication on the router or switch, configure information about one or more TACACS+ servers on the network by including the tacplus-server statement at the [edit system] hierarchy level:

server-address is the address of the TACACS+ server.

port-number is the TACACS+ server port number.

routing-instance routing-instance is the name of the routing instance used to send and receive TACACS+ packets. By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support routing TACACS+ packets through a management interface in a non-default VRF instance named mgmt_junos. For more information on this VRF management instance, see Configuring TACACS+ to Use the Management Instance. Starting in Junos OS Release 18.2R1, you can route TACACS+ traffic through any routing instance you configure in authentication.

You must specify a secret (password) that the local router or switch passes to the TACACS+ client by including the secret statement. If the password includes spaces, enclose it in quotation marks. The secret used by the local router or switch must match that used by the server.

Optionally, you can specify the length of time that the local router or switch waits to receive a response from a TACACS+ server by including the timeout statement. By default, the router or switch waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds.

Optionally, you can have the software maintain one open Transmission Control Protocol (TCP) connection to the server for multiple requests, rather than opening a connection for each connection attempt by including the single-connection statement.

Note

Early versions of the TACACS+ server do not support the single-connection option. If you specify this option and the server does not support it, the Junos OS will be unable to communicate with that TACACS+ server.

To configure multiple TACACS+ servers, include multiple tacplus-server statements.

On a TX Matrix router, TACACS+ accounting should be configured only under the groups re0 and re1.

Note

Accounting should not be configured at the [edit system] hierarchy level; on a TX Matrix router, control is done under the switch-card chassis only.

To configure a set of users that share a single account for authorization purposes, you create a template user. To do this, include the user statement at the [edit system login] hierarchy level, as described in Example: Configuring Authentication Order.

Configuring TACACS+ to Use the Management Instance

By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support a management interface in a non-default VRF instance.

When the routing-instance mgmt_junos option is configured in both the tacplus-server server-address and the tacplus server server-ip statements (see tacplus), provided the management-instance statement is also configured, TACACS+ packets are routed through the management instance mgmt_junos.

For more details on this management instance, see management-instance.
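The statements above (secret, timeout, routing-instance, single-connection, management-instance) carry several constraints that are easy to get wrong in a large configuration: the timeout must be 1 through 90 seconds, a secret containing spaces must be quoted, and routing-instance mgmt_junos only takes effect when it is set under both tacplus-server and the accounting tacplus server and management-instance is also configured. The following checker is an added example, not Juniper's code: it parses the `set` form of these statements and reports each violation. The sample configuration is constructed; 172.16.98.24, Tacacssecret1 and 10.0.0.1 are the values from the example later on this page, and the other two server addresses are constructed to trigger findings.

```python
import shlex

TIMEOUT_RANGE = (1, 90)        # seconds, from the timeout statement on this page
MGMT_INSTANCE = "mgmt_junos"   # VRF management instance named on this page

AUTH_PREFIX = ("set", "system", "tacplus-server")
ACCT_PREFIX = ("set", "system", "accounting", "destination", "tacplus", "server")

# Constructed sample configuration (192.0.2.10 and 198.51.100.5 are made up).
SAMPLE_CONFIG = """
set system management-instance
set system tacplus-server 172.16.98.24 secret Tacacssecret1
set system tacplus-server 172.16.98.24 source-address 10.0.0.1
set system tacplus-server 172.16.98.24 timeout 5
set system tacplus-server 172.16.98.24 routing-instance mgmt_junos
set system tacplus-server 192.0.2.10 secret "pass with spaces"
set system tacplus-server 192.0.2.10 timeout 120
set system tacplus-server 192.0.2.10 single-connection
set system tacplus-server 198.51.100.5 secret bad secret
set system tacplus-server 198.51.100.5 routing-instance mgmt_junos
set system accounting destination tacplus server 172.16.98.24 secret Tacacssecret1
set system accounting destination tacplus server 172.16.98.24 routing-instance mgmt_junos
set system accounting destination tacplus server 192.0.2.10 secret "pass with spaces"
"""


def parse_set_config(text):
    """Group `set` lines into (auth, acct, flags).

    auth and acct map server address -> {statement: value}. A flag statement
    such as single-connection gets True; a value typed with unquoted spaces is
    kept as a list so the checker can report it. flags holds bare system-level
    statements such as management-instance.
    """
    auth, acct, flags = {}, {}, set()
    for raw in text.strip().splitlines():
        tokens = tuple(shlex.split(raw))
        if tokens[:3] == AUTH_PREFIX:
            table, rest = auth, tokens[3:]
        elif tokens[:6] == ACCT_PREFIX:
            table, rest = acct, tokens[6:]
        elif tokens[:2] == ("set", "system") and len(tokens) == 3:
            flags.add(tokens[2])
            continue
        else:
            continue
        if len(rest) < 2:
            continue
        server, stmt, values = rest[0], rest[1], list(rest[2:])
        entry = table.setdefault(server, {})
        entry[stmt] = True if not values else values[0] if len(values) == 1 else values
    return auth, acct, flags


def check_config(text):
    """Return a list of findings; empty when the configuration is consistent."""
    auth, acct, flags = parse_set_config(text)
    findings = []
    lo, hi = TIMEOUT_RANGE
    for server, stmts in auth.items():
        secret = stmts.get("secret")
        if secret is None:
            findings.append(f"{server}: no secret configured")
        elif isinstance(secret, list):
            findings.append(f"{server}: secret contains spaces; enclose it in quotation marks")
        timeout = stmts.get("timeout")
        if timeout is not None and not (str(timeout).isdigit() and lo <= int(timeout) <= hi):
            findings.append(f"{server}: timeout {timeout} is outside {lo}-{hi} seconds")
        if stmts.get("routing-instance") == MGMT_INSTANCE:
            if "management-instance" not in flags:
                findings.append(f"{server}: routing-instance {MGMT_INSTANCE} is set but "
                                "management-instance is not; packets use the default routing instance")
            if acct.get(server, {}).get("routing-instance") != MGMT_INSTANCE:
                findings.append(f"{server}: routing-instance {MGMT_INSTANCE} is set under "
                                "tacplus-server but not under accounting destination tacplus "
                                "server; packets use the default routing instance")
    for server, stmts in acct.items():
        if (stmts.get("routing-instance") == MGMT_INSTANCE
                and auth.get(server, {}).get("routing-instance") != MGMT_INSTANCE):
            findings.append(f"{server}: routing-instance {MGMT_INSTANCE} is set under "
                            "accounting destination tacplus server but not under "
                            "tacplus-server; packets use the default routing instance")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the checker reports the out-of-range timeout on 192.0.2.10, the unquoted secret on 198.51.100.5, and the mgmt_junos mismatch on 198.51.100.5; remove the management-instance line and both mgmt_junos servers pick up an additional finding.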

Specifying a Source Address for the Junos OS to Access External TACACS+ Servers

You can specify which source address the Junos OS uses when accessing your network to contact an external TACACS+ server for authentication. You can also specify which source address the Junos OS uses when contacting a TACACS+ server for sending accounting information.

To specify a source address for a TACACS+ server for authentication, include the source-address statement at the [edit system tacplus-server server-address] hierarchy level:

source-address is a valid IP address configured on one of the router or switch interfaces.

To specify a source address for a TACACS+ server for system accounting, include the source-address statement at the [edit system accounting destination tacplus server server-address] hierarchy level:

source-address is a valid IP address configured on one of the router or switch interfaces.

Configuring the Same Authentication Service for Multiple TACACS+ Servers

To configure the same authentication service for multiple TACACS+ servers, include statements at the [edit system tacplus-server] and [edit system tacplus-options] hierarchy levels. For information about how to configure a TACACS+ server at the [edit system tacplus-server] hierarchy level, see Configuring TACACS+ Authentication.

To assign the same authentication service to multiple TACACS+ servers, include the service-name statement at the [edit system tacplus-options] hierarchy level:

service-name is the name of the authentication service. By default, the service name is set to junos-exec.

The following example shows how to configure the same authentication service for multiple TACACS+ servers:

Configuring Juniper Networks Vendor-Specific TACACS+ Attributes

The Juniper Networks Vendor-Specific TACACS+ Attributes enable you to configure access privileges for users on a TACACS+ server. They are specified in the TACACS+ server configuration file on a per-user basis. The Junos OS retrieves these attributes through an authorization request of the TACACS+ server after authenticating a user. You do not need to configure these attributes to run the Junos OS with TACACS+.

To specify these attributes, include a service statement of the following form in the TACACS+ server configuration file:

This service statement can appear in a user or group statement.

Example: Configuring a TACACS+ Server for System Authentication

This example shows how to configure a TACACS+ server for system authentication.

Requirements

Before you begin:

  • Perform the initial device configuration. See the Getting Started Guide for your device.

  • Configure at least one TACACS+ server.

Overview

In this example, you set the IP address to 172.16.98.24 and the shared secret password of the TACACS+ server to Tacacssecret1. The secret password is stored as an encrypted value in the configuration database. You then set the loopback source address as 10.0.0.1.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

GUI Step-by-Step Procedure

To configure a TACACS+ server for system authentication:

  1. In the J-Web user interface, select Configure>System Properties>User Management.
  2. Click Edit. The Edit User Management dialog box appears.
  3. Select the Authentication Method and Order tab.
  4. In the TACACS section, click Add. The Add TACACS Server dialog box appears.
  5. In the IP Address box, type the server’s 32-bit IP address.
  6. In the Password and Confirm Password boxes, type the secret password for the server and verify your entry.
  7. In the Server Port box, type the appropriate port.
  8. In the Source Address box, type the locally configured interface address, which is used as the source address for TACACS+ packets.

    Note

    The Source Address box can accept either a hostname or an IP address.

  9. In the Retry Attempts box, specify the number of times that the server should try to verify the user’s credentials.
  10. In the Time Out box, specify the amount of time (in seconds) the device should wait for a response from the server.
  11. Click OK to check your configuration and save it as a candidate configuration.
  12. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a TACACS+ server for system authentication:

  1. Add a new TACACS+ server and set its IP address.
  2. Specify the shared secret (password) of the TACACS+ server.
  3. Specify the device’s loopback address as the source address.

Results

From configuration mode, confirm your configuration by entering the show system tacplus-server command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Note

To completely set up TACACS+ authentication, you must create user template accounts and specify a system authentication order. Do one of the following tasks:

Verification

Confirm that the configuration is working properly.

Verifying the TACACS+ Server System Authentication Configuration

Purpose

Verify that the TACACS+ server has been configured for system authentication.

Action

From configuration mode, enter the show system tacplus-server command.

Configuring Periodic Refresh of the TACACS+ Authorization Profile

When you configure a Junos device to use a TACACS+ server for authentication, the device prompts users for login information, which the TACACS+ server verifies. After the user is successfully authenticated, the Junos device sends an authorization request to the TACACS+ server to obtain the authorization profile for the user. Authorization profiles specify the access permissions for authenticated users or devices.

The TACACS+ server sends the authorization profile as part of an authorization response message. The remote user configured on the TACACS+ server is mapped to a local user configured on the Junos device. The Junos device combines the remote authorization profile with the locally configured authorization profile for the user, which is configured at the [edit system login class] hierarchy level.

By default, the exchange of authorization request and response messages occurs only once, after successful authentication. You can configure the Junos device to periodically fetch the remote authorization profile from the TACACS+ server and refresh the authorization profile stored locally. This ensures that any change in the authorization parameters is reflected on the local device without the user having to restart the authentication process.

To enable periodic refresh of the authorization profile, you must set the time interval at which the Junos device checks the authorization profile configured remotely on the TACACS+ server. If the remote authorization profile has changed, the device fetches the authorization profile from the TACACS+ server together with the authorization profile configured under the login class hierarchy, and refreshes the authorization profile stored locally by combining the remote and locally configured profiles.

The time interval can be configured directly on the TACACS+ server or locally on the Junos device using the CLI. The time interval is configured in minutes, in the range 15 through 1440 minutes.

  • To configure periodic refresh of the authorization profile on the local device using the CLI, include the authorization-time-interval statement at the [edit system tacplus-options] hierarchy level:
  • To configure the time interval for periodic refresh on the TACACS+ server, add the time interval as a parameter in the authorization profile using the following syntax:

Use the following guidelines to determine which time interval configuration takes precedence:

  • If no refresh time interval is configured on the TACACS+ server, the Junos device does not receive a time interval value in the authorization response. In this case, the value configured locally on the Junos device takes effect.

  • If the refresh time interval is configured on the TACACS+ server and no refresh time interval is configured locally on the Junos device, the value configured on the TACACS+ server takes effect.

  • If the refresh time interval is configured both on the TACACS+ server and locally on the Junos device, the value configured on the TACACS+ server takes precedence.

  • If no refresh time interval is configured on the TACACS+ server and none is configured on the Junos device, there is no periodic refresh.

  • If the refresh time interval configured on the TACACS+ server is out of range or invalid, the refresh time interval value configured locally takes effect.

  • If the refresh time interval configured on the TACACS+ server is out of range or invalid and no refresh time interval is configured locally, there is no periodic refresh.

After the periodic refresh time interval is set, if the user changes the refresh interval before the Junos device sends the authorization request, the updated refresh interval takes effect after the next periodic refresh.
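The six precedence rules above reduce to one decision: a server-supplied interval wins only if it is a number within 15 through 1440 minutes; otherwise the locally configured interval applies; and if neither is usable there is no periodic refresh. The following is an added example, not Juniper's code, that implements exactly that decision and exercises every rule. The attribute name `authorization-time-interval` used when reading the value out of a (constructed) authorization response is an assumption, since the page does not reproduce the server-side syntax.

```python
MIN_INTERVAL, MAX_INTERVAL = 15, 1440   # minutes, the range stated on this page

# Attribute name assumed for the interval carried in the authorization response.
INTERVAL_ATTR = "authorization-time-interval"


def interval_from_response(attributes):
    """Return the raw interval string from a list of key=value attribute
    strings (constructed stand-in for an authorization response), or None when
    the server sent no interval at all."""
    for attr in attributes:
        name, sep, value = attr.partition("=")
        if sep and name.strip() == INTERVAL_ATTR:
            return value.strip()
    return None


def valid_interval(value):
    """Return the interval as an int when it is a whole number of minutes in
    15..1440; None for a missing, non-numeric, or out-of-range value."""
    if value is None:
        return None
    try:
        minutes = int(str(value).strip())
    except ValueError:
        return None
    return minutes if MIN_INTERVAL <= minutes <= MAX_INTERVAL else None


def effective_refresh_interval(server_value, local_value):
    """Apply the precedence rules from this page.

    A valid server value takes precedence over any local value. An absent,
    invalid, or out-of-range server value falls back to the local value. If
    that is also unusable, the result is None: no periodic refresh.
    """
    server = valid_interval(server_value)
    if server is not None:
        return server
    return valid_interval(local_value)


def refresh_interval_for_login(response_attributes, local_value):
    """Convenience wrapper: pull the server value out of a response and decide."""
    return effective_refresh_interval(interval_from_response(response_attributes), local_value)


if __name__ == "__main__":
    # Constructed authorization response: a template name plus an interval.
    response = ["local-user-name=netops", f"{INTERVAL_ATTR}=45"]
    print(refresh_interval_for_login(response, local_value=30))   # server wins: 45
    print(effective_refresh_interval("5000", 30))                 # out of range: 30
    print(effective_refresh_interval(None, None))                 # no refresh: None
```

A negative or zero result can never be returned, so a caller that schedules the next fetch can treat None as "do not schedule" and any integer as a safe number of minutes.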

Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Access to Commands

Use regular expressions to specify which operational or configuration mode commands are allowed or denied when you use a RADIUS or TACACS+ server for user authentication. You can specify the regular expressions using the appropriate Juniper Networks vendor-specific RADIUS or TACACS+ attributes in your authentication server configuration.

The following attributes are supported for configuring authorizations on RADIUS and TACACS+ servers:

  • user-permissions

  • allow-configuration

  • deny-configuration

  • allow-commands

  • deny-commands

  • allow-configuration-regexp

  • deny-configuration-regexp

  • (TACACS+ only) allow-commands-regexp

  • (TACACS+ only) deny-commands-regexp

You can specify allow-configuration, deny-configuration, allow-commands, or deny-commands in a single extended regular expression, enclosing multiple commands in parentheses and separating them using the pipe symbol. For example, you can specify multiple allow-commands parameters using: allow-commands= (cmd1 | cmd2 | cmdn). You can specify user-permissions as a list of comma-separated values, and not as a regular expression.

To configure authorizations using the allow/deny-configuration-regexps or allow/deny-commands-regexps attributes, you configure a set of strings in which each string is a regular expression, enclosed in double quotes and separated with a space operator. For example, you can specify multiple parameters for allow-commands-regexp using the following syntax: allow-commands-regexps = (“regexp1” “regexp2”...).

On a RADIUS or TACACS+ server, you can also use a simplified version for regular expressions where you specify each individual expression on a separate line. The simplified version is valid for allow-commands, deny-commands, allow-configuration, deny-configuration, and permissions vendor-specific attributes.

For a RADIUS server, specify the individual regular expressions using the following syntax:

For TACACS+ server, specify the individual regular expressions using the following syntax:

Note
  • Numeric values 1 to n in the syntax (for TACACS+ server) must be unique but need not be sequential. For example, the following syntax is valid:

  • The limit on the number of lines of individual regular expressions is imposed by the TACACS+ or RADIUS server.

  • When you issue the show cli authorization command, the command output displays the regular expression in a single line, even if you specify each individual expression on a separate line.

For more information about Juniper Networks vendor-specific RADIUS and TACACS+ attributes, see Juniper Networks Vendor-Specific RADIUS Attributes and Juniper Networks Vendor-Specific TACACS+ Attributes.

Note

When RADIUS or TACACS+ authentication is configured for a router, regular expressions configured on the RADIUS or TACACS+ server merge with any regular expressions configured on the local router at the [edit system login class] hierarchy level using the allow-commands, deny-commands, allow-configuration, deny-configuration, or permissions statements. If the final expression has a syntax error, the overall result is an invalid regular expression.
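The preceding sections describe three behaviours worth seeing together: the per-line server syntax whose numeric suffixes must be unique but need not be sequential, the collapse of those lines (plus any local login-class expression) into the single extended regular expression that `show cli authorization` displays, and the rule that a syntax error in the merged expression invalidates the whole result. The following is an added example, not Juniper's code. The per-line attribute form `allow-commands1=..., allow-commands4=...` is an assumption about the server-side syntax, which the page does not reproduce; the sample attributes and the local expression are constructed; and full-string matching with Python's `re` module stands in for Junos's POSIX ERE matching, so treat the match results as illustrative.

```python
import re

# Attribute names from this page, each followed by the assumed numeric suffix.
NUMBERED = re.compile(
    r"^(allow-commands|deny-commands|allow-configuration|deny-configuration|user-permissions)(\d+)$"
)

# Constructed per-line server attributes; 1 and 4 show that suffixes need not be sequential.
SERVER_ATTRS = [
    'allow-commands1="show interfaces.*"',
    'allow-commands4="show route.*"',
    'deny-commands1="request system (reboot|halt)"',
]
# Constructed allow-commands expression from the local [edit system login class].
LOCAL_ALLOW = "show system .*"


def collect_numbered(lines, base):
    """Return the values of base1=, base2=, ... ordered by their number.

    Raises ValueError when a number is repeated, because this page requires the
    numeric suffixes to be unique (but not sequential).
    """
    found = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if not sep:
            continue
        m = NUMBERED.match(name.strip())
        if m is None or m.group(1) != base:
            continue
        n = int(m.group(2))
        if n in found:
            raise ValueError(f"{base}{n} appears more than once")
        found[n] = value.strip().strip('"')
    return [found[n] for n in sorted(found)]


def merge_expressions(server_exprs, local_expr=None):
    """Collapse the server's per-line expressions and the local login-class
    expression into one extended regular expression (re1|re2|...), the single
    line that `show cli authorization` displays.

    Returns (pattern, compiled). compiled is None when the merged expression has
    a syntax error, which this page says makes the overall result invalid.
    """
    parts = [e for e in server_exprs if e]
    if local_expr:
        parts.append(local_expr)
    pattern = "(" + "|".join(parts) + ")"
    try:
        return pattern, re.compile(pattern)
    except re.error:
        return pattern, None


def matches(compiled, command):
    """Full-string match (assumption standing in for Junos ERE matching)."""
    return compiled is not None and compiled.fullmatch(command) is not None


def merged_allow_commands(server_lines=SERVER_ATTRS, local_expr=LOCAL_ALLOW):
    """Merged allow-commands expression for the sample server and local class."""
    return merge_expressions(collect_numbered(server_lines, "allow-commands"), local_expr)


if __name__ == "__main__":
    pattern, compiled = merged_allow_commands()
    print(pattern)   # the single-line form, as show cli authorization would display it
    for cmd in ("show route 10.0.0.0/8", "show system uptime", "request system reboot"):
        print(f"{cmd!r}: allowed={matches(compiled, cmd)}")
    bad_pattern, bad = merge_expressions(["show (interfaces"], LOCAL_ALLOW)
    print(f"{bad_pattern!r}: valid={bad is not None}")
```

Note that a single unbalanced parenthesis in any one server line poisons the whole merged expression, including the locally configured part, which is why the page's warning about syntax errors matters: checking each line with `merge_expressions` before pushing it to the server is cheap insurance.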

Juniper Networks Vendor-Specific TACACS+ Attributes

Junos OS supports the configuration of Juniper Networks TACACS+ vendor-specific attributes (VSAs). These VSAs are encapsulated in a TACACS+ vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 1 lists the Juniper Networks VSAs you can configure.

Table 1: Juniper Networks Vendor-Specific TACACS+ Attributes

local-user-name
  Description: Indicates the name of the user template used by this user when logging in to a device.
  Length: ≥3
  String: One or more octets containing printable ASCII characters.

allow-commands
  Description: Contains an extended regular expression that enables the user to run operational mode commands in addition to those commands authorized by the user’s login class permission bits.
  Length: ≥3
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies.

allow-configuration
  Description: Contains an extended regular expression that enables the user to run configuration mode commands in addition to those commands authorized by the user’s login class permission bits.
  Length: ≥3
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies.

deny-commands
  Description: Contains an extended regular expression that denies the user permission to run operational mode commands authorized by the user’s login class permission bits.
  Length: ≥3
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies.

deny-configuration
  Description: Contains an extended regular expression that denies the user permission to run configuration mode commands authorized by the user’s login class permission bits.
  Length: ≥3
  String: One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies.

user-permissions
  Description: Contains information the server uses to specify user permissions.
  Length: ≥3
  String: One or more octets containing printable ASCII characters. See Understanding Junos OS Access Privilege Levels.

  Note

  When the user-permissions attribute is configured to grant the Junos OS maintenance or all permissions on an IPv4 or IPv6 TACACS+ server, the UNIX wheel group membership is not automatically added to a user’s list of group memberships. Some operations, such as running the su root command from a local shell, require wheel group membership. However, when a user is configured locally with the permissions maintenance or all, the user is automatically granted membership to the UNIX wheel group. Therefore, we recommend that you create a template user account with the required permissions and associate individual user accounts with the template user account.

authentication-type
  Description: Indicates the authentication method (local database or TACACS+ server) used to authenticate a user. If the user is authenticated using the local database, the attribute value shows ’local’. If the user is authenticated using a TACACS+ server, the attribute value shows ’remote’.
  Length: ≥5
  String: One or more octets containing printable ASCII characters.

session-port
  Description: Indicates the source port number of the established session.
  Length: size of integer
  String: Integer

Configuring TACACS+ System Accounting

You can use TACACS+ to track and log software logins, configuration changes, and interactive commands. To audit these events, include the following statements at the [edit system accounting] hierarchy level:

Tasks for configuring TACACS+ system accounting are:

  1. Specifying TACACS+ Auditing and Accounting Events

  2. Configuring TACACS+ Server Accounting

  3. Configuring TACACS+ To Use the Management Instance

  4. Configuring TACACS+ Accounting on a TX Matrix Router

Specifying TACACS+ Auditing and Accounting Events

To specify the events you want to audit when using a TACACS+ server for authentication, include the events statement at the [edit system accounting] hierarchy level:

events is one or more of the following:

  • login—Audit logins

  • change-log—Audit configuration changes

  • interactive-commands—Audit interactive commands (any command-line input)

Configuring TACACS+ Server Accounting

To configure TACACS+ server accounting, include the server statement at the [edit system accounting destination tacplus] hierarchy level:

server-address specifies the address of the TACACS+ server. To configure multiple TACACS+ servers, include multiple server statements.

Note

If no TACACS+ servers are configured at the [edit system accounting destination tacplus] statement hierarchy level, the Junos OS uses the TACACS+ servers configured at the [edit system tacplus-server] hierarchy level.

We recommend that you add the following configuration at the [edit system accounting destination tacplus] statement hierarchy level to identify a destination and help avoid generating an error condition:

port-number specifies the TACACS+ server port number.

routing-instance routing-instance is the name of the routing instance used to send and receive TACACS+ packets. By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support routing TACACS+ packets through a management interface in a non-default VRF instance named mgmt_junos. For more information on this VRF management instance, see Configuring TACACS+ To Use the Management Instance. Starting in Junos OS Release 18.2R1, you can route TACACS+ traffic through any routing instance you configure in accounting.

You must specify a secret (password) that the local router or switch passes to the TACACS+ client by including the secret statement. If the password contains spaces, enclose the entire password in quotation marks (“ ”). The password used by the local router or switch must match that used by the server.

Optionally, you can specify the length of time that the local router or switch waits to receive a response from a TACACS+ server by including the timeout statement. By default, the router or switch waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds.

Optionally, you can maintain one open TCP connection to the server for multiple requests, rather than opening a connection for each connection attempt, by including the single-connection statement.

To ensure that start and stop requests for accounting of login events are correctly logged in the Accounting file instead of the Administration log file on a TACACS+ server, include either the no-cmd-attribute-value statement or the exclude-cmd-attribute statement at the [edit system tacplus-options] hierarchy level.

If you use the no-cmd-attribute-value statement, the value of the cmd attribute is set to a null string in the start and stop requests. If you use the exclude-cmd-attribute statement, the cmd attribute is totally excluded from the start and stop requests. Both statements support the correct logging of accounting requests in the Accounting file, instead of the Administration file.

Configuring TACACS+ To Use the Management Instance

By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support a management interface in a non-default VRF instance.

When the routing-instance mgmt_junos option is configured in both the tacplus-server server-address and the tacplus server server-ip statements, provided the management-instance statement is also configured, TACACS+ packets are routed through the management instance mgmt_junos.

Note

The routing-instance mgmt_junos option must be configured in both the tacplus-server and the tacplus server statements. If not, even if the management-instance statement is set, TACACS+ packets will still be sent using the default routing instance only.

For more details on this management instance, see management-instance.

Configuring TACACS+ Accounting on a TX Matrix Router

On a TX Matrix router, TACACS+ accounting should be configured only under the groups re0 and re1.

Note

Accounting should not be configured at the [edit system] hierarchy; on a TX Matrix router, control is done under the switch-card chassis only.

Release History Table

Release 18.2R1
  Starting in Junos OS Release 18.2R1, you can route TACACS+ traffic through any routing instance you configure in authentication.
  Starting in Junos OS Release 18.2R1, you can route TACACS+ traffic through any routing instance you configure in accounting.

Release 17.4R1
  Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support routing TACACS+ packets through a management interface in a non-default VRF instance named mgmt_junos.
  Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support a management interface in a non-default VRF instance.