To use TACACS+ authentication on the router, configure information about one or more TACACS+ servers on the network by including the tacplus-server statement at the [edit system] hierarchy level:
```
[edit system]
tacplus-server server-address {
    port port-number;
    secret password;
    single-connection;
    timeout seconds;
}
```
server-address is the address of the TACACS+ server.
port-number is the TACACS+ server port number.
You must specify a secret (password) that the local router passes to the TACACS+ server by including the secret statement. If the password includes spaces, enclose it in quotation marks. The secret used by the local router must match the one configured on the server.
Optionally, you can specify the length of time that the local router waits to receive a response from a TACACS+ server by including the timeout statement. By default, the router waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds.
Optionally, by including the single-connection statement, you can have the software maintain one open Transmission Control Protocol (TCP) connection to the server for multiple requests, rather than opening a new connection for each authentication attempt.
Note: Early versions of the TACACS+ server do not support the single-connection option. If you specify this option and the server does not support it, the JUNOS software will be unable to communicate with that TACACS+ server.
To configure multiple TACACS+ servers, include multiple tacplus-server statements.
On a TX Matrix platform, TACACS+ accounting should be configured only under the groups re0 and re1.
Note: Accounting should not be configured at the [edit system] hierarchy level; on a TX Matrix platform, control is done under the switch-card chassis only.
To configure a set of users that share a single account for authorization purposes, you create a template user. To do this, include the user statement at the [edit system login] hierarchy level, as described in Configuring Template Accounts for RADIUS and TACACS+ Authentication.
The TACACS attributes listed in Table 15 are specific to Juniper Networks. They are specified in the TACACS+ server configuration file on a per-user basis. The JUNOS software retrieves these attributes through an authorization request of the TACACS+ server after authenticating a user. You do not need to configure these attributes to run the JUNOS software with TACACS+.
To specify these attributes, include a service statement of the following form in the TACACS+ server configuration file:
```
service = junos-exec {
    local-user-name = <username-local-to-router>
    allow-commands = "<allow-commands-regex>"
    allow-configuration = "<allow-configuration-regex>"
    deny-commands = "<deny-commands-regex>"
    deny-configuration = "<deny-configuration-regex>"
}
```
This service statement can appear in a user or group statement.
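A worked pairing of the two configurations described above, added here as an example and not taken from Juniper documentation: the router-side tacplus-server stanza with a template account under [edit system login], and the matching server-side service = junos-exec stanza placed in a group statement of a Shrubbery tac_plus-style configuration file. The addresses, secrets, user, group and template names, login class and regular expressions are constructed values.

```text
# Router side (JUNOS), shown as it appears under [edit system]
system {
    tacplus-server {
        192.0.2.10 {
            port 49;
            /* secret contains spaces, so it is quoted */
            secret "shared secret one";
            single-connection;
            timeout 10;
        }
        192.0.2.11 {
            secret "shared-secret-two";
        }
    }
    login {
        /* template account referenced by local-user-name on the server */
        user netops-template {
            class operator;
        }
    }
}

# Server side (tac_plus-style configuration file)
# The shared secret must match the router entry above.
key = "shared secret one"

group = netops {
    service = junos-exec {
        local-user-name = netops-template
        # extra operational commands beyond the operator class
        allow-commands = "(show .*)|(ping .*)"
        deny-commands = "(request system reboot)"
        # extra configuration statements beyond the operator class
        allow-configuration = "(interfaces .*)"
        deny-configuration = "(system login .*)"
    }
}

user = alice {
    member = netops
    login = cleartext "constructed-example-password"
}
```

Each user who is a member of the netops group logs in as the shared netops-template account on the router, while the allow and deny regular expressions adjust what that template's login class permits for them.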
Table 15: Juniper Networks Vendor-Specific TACACS+ Attributes

| Name | Description | Length | String |
|---|---|---|---|
| local-user-name | Indicates the name of the user template used by this user when logging in to a device. | ≥3 | One or more octets containing printable ASCII characters. |
| allow-commands | Contains an extended regular expression that allows the user to run operational mode commands in addition to those commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 12. |
| allow-configuration | Contains an extended regular expression that allows the user to run configuration mode commands in addition to those commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 13. |
| deny-commands | Contains an extended regular expression that denies the user permission to run operational mode commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 12. |
| deny-configuration | Contains an extended regular expression that denies the user permission to run configuration mode commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Table 13. |
| user-permissions | Contains information the server uses to specify user permissions. Note: When the user-permissions attribute is configured to grant the JUNOS maintenance or all permissions on a TACACS+ server, the UNIX wheel group membership is not automatically added to a user's list of group memberships. Some operations, such as running the su root command from a local shell, require wheel group membership. However, when a user is configured locally with permissions maintenance or all, the user is automatically granted membership to the UNIX wheel group. Therefore, we recommend that you create a template user account with the required permissions and associate individual user accounts with the template user account. For information about configuring user template accounts, see Configuring Template Accounts for RADIUS and TACACS+ Authentication. | ≥3 | One or more octets containing printable ASCII characters. See Table 11. |