TACACS+ Authentication
The Junos OS supports TACACS+ for central authentication of users on multiple routers, switches, or security devices. To use TACACS+ authentication on the device, you must configure information about one or more TACACS+ servers on the network. You can also configure TACACS+ accounting on the device to collect statistical data about users logging in to or out from a LAN and send that data to a TACACS+ accounting server. For more information, read this topic.
Configuring TACACS+ Authentication
TACACS+ authentication is a method of authenticating users who attempt to access the router or switch.
Starting with Release 13.3, Junos OS supports IPv6 along with the existing IPv4 support for user authentication using TACACS+ servers.
Tasks for configuring TACACS+ authentication are:
- Configuring TACACS+ Server Details
- Configuring TACACS+ to Use the Management Instance
- Specifying a Source Address for the Junos OS to Access External TACACS+ Servers
- Configuring the Same Authentication Service for Multiple TACACS+ Servers
- Configuring Juniper Networks Vendor-Specific TACACS+ Attributes
Configuring TACACS+ Server Details
To use TACACS+ authentication on the router or switch, configure information about one or more TACACS+ servers on the network by including the tacplus-server statement at the [edit system] hierarchy level:

    [edit system]
    tacplus-server server-address {
        port port-number;
        routing-instance routing-instance;
        secret password;
        single-connection;
        source-address source-address;
        timeout seconds;
    }

server-address is the address of the TACACS+ server.
port-number is the TACACS+ server port number.
routing-instance routing-instance is the name of the routing instance used to send and receive TACACS+ packets. By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support routing TACACS+ packets through a management interface in a non-default VRF instance named mgmt_junos. For more information on this VRF management instance, see Configuring TACACS+ to Use the Management Instance. Starting in Junos OS Release 18.2R1, you can route TACACS+ traffic through any routing instance you configure in authentication.
You must specify a secret (password) that the local router or switch passes to the TACACS+ client by including the secret statement. If the password contains spaces, enclose the password in quotation marks. The secret used by the local router or switch must match that used by the server.
Optionally, you can specify the length of time that the local router or switch waits to receive a response from a TACACS+ server by including the timeout statement. By default, the router or switch waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds.
Optionally, you can have the software maintain one open Transmission Control Protocol (TCP) connection to the server for multiple requests, rather than opening a connection for each connection attempt, by including the single-connection statement.
Early versions of the TACACS+ server do not support the single-connection option. If you specify this option and the server does not support it, the Junos OS will be unable to communicate with that TACACS+ server.
To configure multiple TACACS+ servers, include multiple tacplus-server statements.
On a TX Matrix router, TACACS+ accounting should be configured only under the groups re0 and re1. Accounting should not be configured at the [edit system] hierarchy level; on a TX Matrix router, control is done under the switch-card chassis only.
To configure a set of users that share a single account for authorization purposes, you create a template user. To do this, include the user statement at the [edit system login] hierarchy level, as described in Example: Configure Authentication Order.
Configuring TACACS+ to Use the Management Instance
By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support a management interface in a non-default VRF instance.
    [edit system]
    tacplus-server server-address {
        routing-instance routing-instance;
    }

When the routing-instance mgmt_junos option is configured in both the tacplus-server server-address and the tacplus server server-ip statements (see tacplus), and the management-instance statement is also configured, TACACS+ packets are routed through the management instance mgmt_junos.
The routing-instance mgmt_junos option must be configured in both the tacplus-server and the tacplus server statements. If it is not, TACACS+ packets use the default routing instance only, even when the management-instance statement is configured.
Before Junos OS Release 17.4R1, there is no option for configuring a routing instance for TACACS+. Therefore, even if management-instance is configured, TACACS+ packets are not routed through a non-default routing instance until Junos OS Release 17.4R1.
For more details on the management instance mgmt_junos, see management-instance.
Specifying a Source Address for the Junos OS to Access External TACACS+ Servers
You can specify which source address the Junos OS uses when accessing your network to contact an external TACACS+ server for authentication. You can also specify which source address the Junos OS uses when contacting a TACACS+ server for sending accounting information.
To specify a source address for a TACACS+ server for authentication, include the source-address statement at the [edit system tacplus-server server-address] hierarchy level:

    [edit system tacplus-server server-address]
    source-address source-address;

source-address is a valid IP address configured on one of the router or switch interfaces.
To specify a source address for a TACACS+ server for system accounting, include the source-address statement at the [edit system accounting destination tacplus server server-address] hierarchy level:

    [edit system accounting destination tacplus server server-address]
    source-address source-address;

source-address is a valid IP address configured on one of the router or switch interfaces.
Configuring the Same Authentication Service for Multiple TACACS+ Servers
To configure the same authentication service for multiple TACACS+ servers, include statements at the [edit system tacplus-server] and [edit system tacplus-options] hierarchy levels. For information about how to configure a TACACS+ server at the [edit system tacplus-server] hierarchy level, see Configuring TACACS+ Authentication.
To assign the same authentication service to multiple TACACS+ servers, include the service-name statement at the [edit system tacplus-options] hierarchy level:

    [edit system tacplus-options]
    service-name service-name;

service-name is the name of the authentication service. By default, the service name is set to junos-exec.
The following example shows how to configure the same authentication service for multiple TACACS+ servers:

    [edit system]
    tacplus-server {
        10.2.2.2 secret "$ABC123"; ## SECRET-DATA
        10.3.3.3 secret "$ABC123"; ## SECRET-DATA
    }
    tacplus-options {
        service-name bob;
    }
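The following Python script is an added example, not Junos code or anything shipped by Juniper. It turns a list of server entries into the `set system tacplus-server` commands used in Configuring TACACS+ Server Details and in the service-name example above, and it rejects values the text says are not allowed (a timeout outside 1 through 90 seconds, a non-IPv4/IPv6 address, an empty secret) before they reach the candidate configuration. Quoting a secret that contains spaces follows the rule stated in the text; the `TacplusServer` class, the `set_commands` function and the sample server values are this example's own.

```python
"""Generate and sanity-check `set system tacplus-server` commands.

Added example, not Junos code. Constraints taken from the text: the server
address may be IPv4 or IPv6; timeout is 1 through 90 seconds (Junos default 3);
a secret containing spaces must be enclosed in quotation marks;
single-connection is optional; service-name lives under tacplus-options.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TacplusServer:                       # hypothetical helper type
    address: str                           # TACACS+ server address (IPv4 or IPv6)
    secret: str                            # shared secret; must match the server's
    port: Optional[int] = None             # TACACS+ server port number
    routing_instance: Optional[str] = None
    source_address: Optional[str] = None
    timeout: Optional[int] = None          # seconds, 1..90
    single_connection: bool = False        # older servers may not support this


def quote_secret(secret: str) -> str:
    """Enclose the secret in quotation marks when it contains spaces."""
    return f'"{secret}"' if " " in secret else secret


def validate(server: TacplusServer) -> None:
    """Raise ValueError for any value this topic says is not allowed."""
    ipaddress.ip_address(server.address)          # ValueError if not IPv4/IPv6
    if server.source_address is not None:
        ipaddress.ip_address(server.source_address)
    if not server.secret:
        raise ValueError("secret must not be empty")
    if server.timeout is not None and not 1 <= server.timeout <= 90:
        raise ValueError(f"timeout {server.timeout} is outside 1..90 seconds")
    if server.port is not None and not 1 <= server.port <= 65535:
        raise ValueError(f"port {server.port} is not a valid TCP port")


def set_commands(servers: List[TacplusServer],
                 service_name: Optional[str] = None) -> List[str]:
    """Return the `set` commands for all servers, plus the optional service-name."""
    cmds: List[str] = []
    seen = set()
    for s in servers:
        validate(s)
        if s.address in seen:
            raise ValueError(f"duplicate tacplus-server {s.address}")
        seen.add(s.address)
        base = f"set system tacplus-server {s.address}"
        cmds.append(f"{base} secret {quote_secret(s.secret)}")
        if s.port is not None:
            cmds.append(f"{base} port {s.port}")
        if s.routing_instance is not None:
            cmds.append(f"{base} routing-instance {s.routing_instance}")
        if s.source_address is not None:
            cmds.append(f"{base} source-address {s.source_address}")
        if s.timeout is not None:
            cmds.append(f"{base} timeout {s.timeout}")
        if s.single_connection:
            cmds.append(f"{base} single-connection")
    if service_name is not None:
        cmds.append(f"set system tacplus-options service-name {service_name}")
    return cmds


if __name__ == "__main__":
    # Constructed sample: the two server addresses from the example above.
    servers = [
        TacplusServer("10.2.2.2", "$ABC123", timeout=5, single_connection=True),
        TacplusServer("10.3.3.3", "$ABC123", source_address="10.0.0.1"),
    ]
    print("\n".join(set_commands(servers, service_name="bob")))
```

The output is the same set of statements the CLI Quick Configuration below pastes into the `[edit]` hierarchy, so the script can be run in a change-review pipeline before anyone touches the device.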
Configuring Juniper Networks Vendor-Specific TACACS+ Attributes
The Juniper Networks Vendor-Specific TACACS+ Attributes enable you to configure access privileges for users on a TACACS+ server. They are specified in the TACACS+ server configuration file on a per-user basis. The Junos OS retrieves these attributes through an authorization request of the TACACS+ server after authenticating a user. You do not need to configure these attributes to run the Junos OS with TACACS+.
To specify these attributes, include a service statement of the following form in the TACACS+ server configuration file:

    service = junos-exec {
        local-user-name = <username-local-to-router>
        allow-commands = "<allow-commands-regex>"
        allow-configuration-regexps = "<allow-configuration-regex>"
        deny-commands = "<deny-commands-regex>"
        deny-configuration-regexps = "<deny-configuration-regex>"
    }

This service statement can appear in a user or group statement.
Example: Configuring a TACACS+ Server for System Authentication
This example shows how to configure a TACACS+ server for system authentication.
Requirements
Before you begin:
- Perform the initial device configuration. See the Getting Started Guide for your device.
- Configure at least one TACACS+ server.
Overview
In this example, you set the IP address to 172.16.98.24 and the shared secret password of the TACACS+ server to Tacacssecret1. The secret password is stored as an encrypted value in the configuration database. You then set the loopback source address to 10.0.0.1.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

    set system tacplus-server address 172.16.98.24
    set system tacplus-server 172.16.98.24 secret Tacacssecret1
    set system tacplus-server 172.16.98.24 source-address 10.0.0.1
GUI Quick Configuration
Step-by-Step Procedure
To configure a TACACS+ server for system authentication:
- In the J-Web user interface, select Configure>System Properties>User Management.
- Click Edit. The Edit User Management dialog box appears.
- Select the Authentication Method and Order tab.
- In the TACACS section, click Add. The Add TACACS Server dialog box appears.
- In the IP Address box, type the server's 32-bit IP address.
- In the Password and Confirm Password boxes, type the secret password for the server and verify your entry.
- In the Server Port box, type the appropriate port.
- In the Source Address box, type the locally configured interface address, which is used as the source address for TACACS+ packets. Note: The Source Address box can accept either a hostname or an IP address.
- In the Retry Attempts box, specify the number of times that the server should try to verify the user's credentials.
- In the Time Out box, specify the amount of time (in seconds) the device should wait for a response from the server.
- Click OK to check your configuration and save it as a candidate configuration.
- If you are done configuring the device, click Commit Options>Commit.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a TACACS+ server for system authentication:
- Add a new TACACS+ server and set its IP address.

    [edit system]
    user@host# set tacplus-server address 172.16.98.24

- Specify the shared secret (password) of the TACACS+ server.

    [edit system]
    user@host# set tacplus-server 172.16.98.24 secret Tacacssecret1

- Specify the device's loopback address as the source address.

    [edit system]
    user@host# set tacplus-server 172.16.98.24 source-address 10.0.0.1

Results
From configuration mode, confirm your configuration by entering the show system tacplus-server command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show system tacplus-server
    tacplus-server 172.16.98.24 {
        secret Tacacssecret1;
        source-address 10.0.0.1;
    }

If you are done configuring the device, enter commit from configuration mode.
To completely set up TACACS+ authentication, you must create user template accounts and specify a system authentication order. Do one of the following tasks:
- Configure a system authentication order. See Example: Configure Authentication Order.
- Configure a user. See Example: Configuring New Users.
- Configure local user template accounts. See Example: Create Template Accounts.
Configuring Periodic Refresh of the TACACS+ Authorization Profile
When you configure a Junos OS device to use a TACACS+ server for authentication, the device prompts users for login information, which is verified by the TACACS+ server. After the user is successfully authenticated, the Junos OS device sends an authorization request to the TACACS+ server to obtain the authorization profile for the user. Authorization profiles specify the access permissions for authenticated users or devices.
The TACACS+ server sends the authorization profile as part of an authorization response message. The remote user configured on the TACACS+ server is mapped to a local user configured on the Junos OS device. The Junos OS device combines the remote authorization profile with the locally configured authorization profile for the user, which is configured at the [edit system login class] hierarchy level.
The exchange of authorization request and response messages occurs only once, after successful authentication, by default. You can configure the Junos OS device to periodically fetch the remote authorization profile from the TACACS+ server and refresh the authorization profile stored locally. This ensures that any change in the authorization parameters is reflected on the local device without the user having to restart the authentication process.
To enable periodic refresh of the authorization profile, you must set the time interval at which the Junos OS device checks the authorization profile configured remotely on the TACACS+ server. If there is a change in the remote authorization profile, the device fetches the updated authorization profile from the TACACS+ server and reads the authorization profile configured under the login class hierarchy. The device refreshes the authorization profile stored locally by combining the remote and locally configured authorization profiles.
The time interval can be configured directly on the TACACS+ server or locally on the Junos OS device using the CLI. The time interval is configured in minutes, in the range of 15 to 1440 minutes.
Use the following guidelines to determine which time interval configuration takes precedence:
- If there is no refresh time interval configured on the TACACS+ server for periodic refresh, the Junos OS device does not receive the time interval value in the authorization response. In this case, the value configured locally on the Junos OS device will take effect.
- If the refresh time interval is configured on the TACACS+ server and there is no refresh time interval configured locally on the Junos OS device, the value configured on the TACACS+ server will take effect.
- If the refresh time interval is configured on the TACACS+ server and also on the Junos OS device locally, the value configured on the TACACS+ server will take precedence.
- If there is no refresh time interval configured on the TACACS+ server and there is no refresh time interval configured on the Junos OS device, there will be no periodic refresh.
- If the refresh time interval configured on the TACACS+ server is out of range or invalid, the refresh time interval value configured locally will take effect.
- If the refresh time interval configured on the TACACS+ server is out of range or invalid and there is no refresh time interval configured locally, there will be no periodic refresh.
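The precedence rules above reduce to a small decision function. The following Python is an added example, not Junos code: it treats the value received from the TACACS+ server as a raw string (absent, non-numeric or outside 15 through 1440 minutes all count as "out of range or invalid"), lets a valid server value win over the local one, and returns no interval when neither side supplies one. The function and constant names are this example's own; the text does not name the attribute that carries the interval, so the example takes the raw value as a plain argument.

```python
"""Which periodic-refresh interval takes effect.

Added example, not Junos code. Implements the precedence guidelines for the
TACACS+ authorization-profile refresh interval: a valid server value wins; an
absent, out-of-range or invalid server value falls back to the local value;
with neither, there is no periodic refresh. Interval unit is minutes, 15..1440.
"""
from typing import Optional, Union

REFRESH_MIN_MINUTES = 15     # lower bound stated in the text
REFRESH_MAX_MINUTES = 1440   # upper bound stated in the text


def parse_server_interval(raw: Union[str, int, None]) -> Optional[int]:
    """Interpret the interval received in the authorization response.

    Returns the interval in minutes, or None when the value is absent, not a
    whole number, or outside 15..1440 (the text's "out of range or invalid").
    """
    if raw is None:
        return None
    try:
        value = int(str(raw).strip())
    except ValueError:
        return None
    if REFRESH_MIN_MINUTES <= value <= REFRESH_MAX_MINUTES:
        return value
    return None


def effective_refresh_interval(server_raw: Union[str, int, None],
                               local_minutes: Optional[int]) -> Optional[int]:
    """Return the interval (minutes) that takes effect, or None for no refresh.

    server_raw:    value in the TACACS+ authorization response, None if absent.
    local_minutes: value configured on the Junos OS device, None if absent.
    """
    if local_minutes is not None and not (
            REFRESH_MIN_MINUTES <= local_minutes <= REFRESH_MAX_MINUTES):
        # The CLI only accepts 15..1440, so an out-of-range local value is a
        # caller bug rather than a condition to fall back from.
        raise ValueError(f"local interval {local_minutes} is outside 15..1440")
    server_minutes = parse_server_interval(server_raw)
    if server_minutes is not None:
        return server_minutes       # server value takes precedence over local
    return local_minutes            # None here means no periodic refresh


if __name__ == "__main__":
    # Constructed cases, one per guideline above (server value, local value).
    cases = [(None, 30), ("60", None), ("60", 30), (None, None),
             ("5000", 30), ("abc", None)]
    for server_raw, local in cases:
        print(f"server={server_raw!r:<8} local={local!r:<5} -> "
              f"{effective_refresh_interval(server_raw, local)}")
```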
After the periodic refresh time interval is set, if the user changes the refresh interval before the authorization request is sent from the Junos OS device, the updated refresh interval takes effect after the next immediate periodic refresh.
Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Access to Commands
Use regular expressions to specify which operational or configuration mode commands are allowed or denied when you use a RADIUS or TACACS+ server for user authentication. You can specify the regular expressions using the appropriate Juniper Networks vendor-specific RADIUS or TACACS+ attributes in your authentication server configuration.
The following attributes are supported for configuring authorizations on RADIUS and TACACS+ servers:
- user-permissions
- allow-configuration
- deny-configuration
- allow-commands
- deny-commands
- allow-configuration-regexp
- deny-configuration-regexp (TACACS+ only)
- allow-commands-regexp (TACACS+ only)
- deny-commands-regexp
You can specify allow-configuration, deny-configuration, allow-commands, or deny-commands in a single extended regular expression, enclosing multiple commands in parentheses and separating them using the pipe symbol. For example, you can specify multiple allow-commands parameters using: allow-commands=(cmd1 | cmd2 | cmdn). You can specify user-permissions as a list of comma-separated values, and not as a regular expression.
To configure authorizations using the allow/deny-configuration-regexps or allow/deny-commands-regexps attributes, you configure a set of strings in which each string is a regular expression, enclosed in double quotes and separated with a space operator. For example, you can specify multiple parameters for allow-commands-regexp using the following syntax: allow-commands-regexps = ("regexp1" "regexp2" ...).
On a RADIUS or TACACS+ server, you can also use a simplified version for regular expressions where you specify each individual expression on a separate line. The simplified version is valid for the allow-commands, deny-commands, allow-configuration, deny-configuration, and permissions vendor-specific attributes.
For a RADIUS server, specify the individual regular expressions using the following syntax:

    Juniper-Allow-Commands+="cmd1"
    Juniper-Allow-Commands+="cmd2"
    Juniper-Allow-Commands+="cmdn"
    Juniper-Deny-Commands+="cmd1"
    Juniper-Deny-Commands+="cmd2"
    Juniper-Deny-Commands+="cmdn"
    Juniper-Allow-Configuration+="regex1"
    Juniper-Allow-Configuration+="regex2"
    Juniper-Allow-Configuration+="regexn"
    Juniper-Deny-Configuration+="regex1"
    Juniper-Deny-Configuration+="regex2"
    Juniper-Deny-Configuration+="regexn"
    Juniper-User-Permissions+="permission-flag1"
    Juniper-User-Permissions+="permission-flag2"
    Juniper-User-Permissions+="permission-flagn"

For a TACACS+ server, specify the individual regular expressions using the following syntax:

    allow-commands1="cmd1"
    allow-commands2="cmd2"
    allow-commandsn="cmdn"
    deny-commands1="cmd1"
    deny-commands2="cmd2"
    deny-commandsn="cmdn"
    allow-configuration1="regex1"
    allow-configuration2="regex2"
    allow-configurationn="regexn"
    deny-configuration1="regex1"
    deny-configuration2="regex2"
    deny-configurationn="regexn"
    user-permissions1="permission-flag1"
    user-permissions2="permission-flag2"
    user-permissionsn="permission-flagn"

Numeric values 1 to n in the syntax (for TACACS+ server) must be unique but need not be sequential. For example, the following syntax is valid:

    allow-commands1="cmd1"
    allow-commands3="cmd3"
    allow-commands2="cmd2"
    deny-commands3="cmd3"
    deny-commands2="cmd2"
    deny-commands1="cmd1"
The limit on the number of lines of individual regular expressions is imposed by the TACACS+ or RADIUS server.
When you issue the show cli authorization command, the command output displays the regular expression in a single line, even if you specify each individual expression on a separate line.
For more information about Juniper Networks vendor-specific RADIUS and TACACS+ attributes, see Juniper Networks Vendor-Specific RADIUS and LDAP Attributes and Juniper Networks Vendor-Specific TACACS+ Attributes.
When RADIUS or TACACS+ authentication is configured for a router, regular expressions configured on the RADIUS or TACACS+ server merge with any regular expressions configured on the local router at the [edit system login class] hierarchy level using the allow-commands, deny-commands, allow-configuration, deny-configuration, or permissions statements. If the final expression has a syntax error, the overall result is an invalid regular expression.
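The following Python is an added example, not Junos code, and covers the per-line TACACS+ syntax above (allow-commands1, allow-commands3, allow-commands2 with unique, non-sequential indices), the single-line (cmd1|cmd2|cmdn) form that show cli authorization displays, and the merge with login-class expressions where one syntax error invalidates the whole result. Python's re module stands in for the extended regular expressions Junos evaluates, matching is anchored with fullmatch, and the sample attribute block and the login-class expression "show version" are constructed for the example; all of these are assumptions of the example, not documented Junos behavior.

```python
"""Merge per-line TACACS+ regular-expression attributes into one expression.

Added example, not Junos code. Python's re module and fullmatch anchoring are
assumptions standing in for Junos's extended regular expression handling.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a TACACS+ service attribute block, not a real server file.
SAMPLE_ATTRIBUTES = """
allow-commands1="show interfaces.*"
allow-commands3="show route.*"
allow-commands2="ping .*"
deny-commands1="show configuration.*"
"""


def parse_attributes(text: str) -> List[Tuple[str, str]]:
    """Parse key="value" lines into (key, value) pairs, skipping blanks and comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        pairs.append((key.strip(), value.strip().strip('"')))
    return pairs


def collect_indexed(pairs: List[Tuple[str, str]], base: str) -> List[str]:
    """Return base1, base2, ... values in index order; indices must be unique."""
    by_index: Dict[int, str] = {}
    pattern = re.compile(re.escape(base) + r"(\d+)")
    for key, value in pairs:
        m = pattern.fullmatch(key)
        if m is None:
            continue
        idx = int(m.group(1))
        if idx in by_index:
            raise ValueError(f"duplicate index {idx} for {base}")
        by_index[idx] = value
    return [by_index[i] for i in sorted(by_index)]


def merge_expressions(parts: List[str]) -> str:
    """Join individual expressions into the single-line form (cmd1|cmd2|cmdn)."""
    parts = [p for p in parts if p]
    return "(" + "|".join(parts) + ")" if parts else ""


def final_expression(remote_parts: List[str],
                     local_parts: List[str]) -> Optional[re.Pattern]:
    """Merge server and login-class expressions; None if the result is invalid."""
    merged = merge_expressions(remote_parts + local_parts)
    if not merged:
        return None
    try:
        return re.compile(merged)
    except re.error:
        return None     # a syntax error makes the whole merged expression invalid


def command_matches(command: str, compiled: Optional[re.Pattern]) -> bool:
    """True when the command matches the merged expression (invalid matches nothing)."""
    return compiled is not None and compiled.fullmatch(command) is not None


if __name__ == "__main__":
    pairs = parse_attributes(SAMPLE_ATTRIBUTES)
    allow = collect_indexed(pairs, "allow-commands")
    print(merge_expressions(allow))      # the one-line form show cli authorization displays
    allowed = final_expression(allow, ["show version"])   # "show version": constructed local class entry
    for cmd in ("show route 10.0.0.0/8", "show version", "show configuration"):
        print(cmd, "->", command_matches(cmd, allowed))
```

Running `final_expression` over the merged server and local expressions before a change is committed catches the failure mode the text warns about: a single unbalanced parenthesis on the server side turns the whole allow list into an invalid expression, which silently matches nothing.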
Juniper Networks Vendor-Specific TACACS+ Attributes
Junos OS supports the configuration of Juniper Networks TACACS+ vendor-specific attributes (VSAs). These VSAs are encapsulated in a TACACS+ vendor-specific attribute with the vendor ID set to the Juniper Networks ID number, 2636. Table 1 lists the Juniper Networks VSAs you can configure.

| Name | Description | Length | String |
|---|---|---|---|
| local-user-name | Indicates the name of the user template used by this user when logging in to a device. | ≥3 | One or more octets containing printable ASCII characters. |
| allow-commands | Contains an extended regular expression that enables the user to run operational mode commands in addition to those commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies. |
| allow-configuration | Contains an extended regular expression that enables the user to run configuration mode commands in addition to those commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies. |
| deny-commands | Contains an extended regular expression that denies the user permission to run operational mode commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies. |
| deny-configuration | Contains an extended regular expression that denies the user permission to run configuration mode commands authorized by the user's login class permission bits. | ≥3 | One or more octets containing printable ASCII characters, in the form of an extended regular expression. See Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies. |
| user-permissions | Contains information the server uses to specify user permissions. Note: When the | ≥3 | One or more octets containing printable ASCII characters. See Understanding Junos OS Access Privilege Levels. |
| | Indicates the authentication method (local database, or TACACS+ server) used to authenticate a user. If the user is authenticated using a local database, the attribute value shows 'local'. If the user is authenticated using a TACACS+ server, the attribute value shows 'remote'. | ≥5 | One or more octets containing printable ASCII characters. |
| | Indicates the source port number of the established session. | size of integer | Integer |
Configuring TACACS+ System Accounting
You can use TACACS+ to track and log software logins, configuration changes, and interactive commands. To audit these events, include the following statements at the [edit system accounting] hierarchy level:

    [edit system accounting]
    events [ events ];
    enhanced-avs-max number;
    destination {
        tacplus {
            server {
                server-address {
                    port port-number;
                    routing-instance routing-instance;
                    secret password;
                    single-connection;
                    timeout seconds;
                }
            }
        }
    }
Tasks for configuring TACACS+ system accounting are:
- Specifying TACACS+ Auditing and Accounting Events
- Configuring TACACS+ Server Accounting
- Configuring TACACS+ To Use the Management Instance
- Configuring TACACS+ Accounting on a TX Matrix Router
Specifying TACACS+ Auditing and Accounting Events
To specify the events you want to audit when using a TACACS+ server for authentication, include the events statement at the [edit system accounting] hierarchy level:

    [edit system accounting]
    events [ events ];

events is one or more of the following:
- login—Audit logins
- change-log—Audit configuration changes
- interactive-commands—Audit interactive commands (any command-line input)
Configuring TACACS+ Server Accounting
To configure TACACS+ server accounting, include the server statement at the [edit system accounting destination tacplus] hierarchy level:

    [edit system accounting destination tacplus]
    server {
        server-address {
            port port-number;
            routing-instance routing-instance;
            secret password;
            single-connection;
            timeout seconds;
        }
    }

server-address specifies the address of the TACACS+ server. To configure multiple TACACS+ servers, include multiple server statements.
If no TACACS+ servers are configured at the [edit system accounting destination tacplus] hierarchy level, the Junos OS uses the TACACS+ servers configured at the [edit system tacplus-server] hierarchy level.
We recommend that you add the following configuration at the [edit system accounting destination tacplus] hierarchy level to identify a destination and help avoid generating an error condition:

    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus;
        }
    }
port-number specifies the TACACS+ server port number.
routing-instance routing-instance is the name of the routing instance used to send and receive TACACS+ packets. By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support routing TACACS+ packets through a management interface in a non-default VRF instance named mgmt_junos. For more information on this VRF management instance, see Configuring TACACS+ To Use the Management Instance. Starting in Junos OS Release 18.2R1, you can route TACACS+ traffic through any routing instance you configure in accounting.
You must specify a secret (password) that the local router or switch passes to the TACACS+ client by including the secret statement. If the password contains spaces, enclose the entire password in quotation marks (" "). The password used by the local router or switch must match that used by the server.
Optionally, you can specify the length of time that the local router or switch waits to receive a response from a TACACS+ server by including the timeout statement. By default, the router or switch waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds.
Optionally, you can maintain one open TCP connection to the server for multiple requests, rather than opening a connection for each connection attempt, by including the single-connection statement.
To ensure that start and stop requests for accounting of login events are correctly logged in the Accounting file instead of the Administration log file on a TACACS+ server, include either the no-cmd-attribute-value statement or the exclude-cmd-attribute statement at the [edit system tacplus-options] hierarchy level.
If you use the no-cmd-attribute-value statement, the value of the cmd attribute is set to a null string in the start and stop requests. If you use the exclude-cmd-attribute statement, the cmd attribute is totally excluded from the start and stop requests. Both statements support the correct logging of accounting requests in the Accounting file, instead of the Administration file.

    [edit system tacplus-options]
    (no-cmd-attribute-value | exclude-cmd-attribute);
Configuring TACACS+ To Use the Management Instance
By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support a management interface in a non-default VRF instance.
    [edit system accounting destination tacplus]
    server {
        server-address {
            routing-instance routing-instance;
        }
    }

When the routing-instance mgmt_junos option is configured in both the tacplus-server server-address and the tacplus server server-ip statements, and the management-instance statement is also configured, TACACS+ packets are routed through the management instance mgmt_junos.
The routing-instance mgmt_junos option must be configured in both the tacplus-server and the tacplus server statements. If it is not, TACACS+ packets will still be sent using the default routing instance only, even if the management-instance statement is set.
For more details on this management instance, see management-instance.
Configuring TACACS+ Accounting on a TX Matrix Router
On a TX Matrix router, TACACS+ accounting should be configured only under the groups re0 and re1. Accounting should not be configured at the [edit system] hierarchy; on a TX Matrix router, control is done under the switch-card chassis only.