tacacs configuration for netscreen

504 views
Skip to first unread message

MrShy

unread,
Aug 8, 2013, 12:08:11 AM8/8/13
to event-driv...@googlegroups.com
Hi  Mark

I am trying to add tacacs support for netscreen and I put the following code in:
group = root {
    service = netscreen {
        vsys = root
        privilege = root
    }
}
When I do that I get "'vsys' unexpected". 

Here is the entire netscreen documentation on how to configure netscreen to use tacacs. 
Any ideas what do I do wrong?


Cheers
Elad

[ScreenOS] How to configure TACACS to work with the Juniper firewall
 
 
 [KB10191] Show KB Properties
 
  
 
SUMMARY:
This article provides information on how to configure both the Juniper firewall and the TACACS server to enable user administration of the Juniper firewall device.
PROBLEM OR GOAL:
How to configure both the Juniper firewall and the TACACS server to enable user administration of the Juniper firewall device.
CAUSE:
SOLUTION:
The usage of TACACS+ as an external authentication server for administration purposes is supported from ScreenOS 6.0.0 or later.

Note: TACACS+ is not supported for use as an authentication server for xauth or policy authentication.
On the firewall device, the TACACS server object has to be configured. In this example, the TACACS server is termed asexternal. The CLI commands required for this are as follows:
set auth-server "external" id 1
set auth-server "external" server-name "192.168.1.33"
set auth-server "external" account-type admin
set auth-server "external" type tacacs
set auth-server "external" tacacs secret "QNM5OpXHNyCNyKsww1C+vDPFEpnHEFS+bw=="
set auth-server "external" tacacs port 49
Note: The TACACS secret is netscreen; but in the config file, it is hashed for security purposes.
The external server also has to be configured as an admin auth server:
set admin auth server "external"
set admin auth remote root
set admin privilege get-external
On the ACS server, the attributes have to be configured to match the required admin user privileges. Launch the web interface via the ACSAdmin application. The procedure is as follows:
    1. Click Interface Configuration and select TACACS+ (Cisco IOS).

    1. Add a new service known as netscreen and leave the protocol field blank.

    1. Select both the user and group check boxes.

  1. Click Submit.

When the netscreen service is defined, the attributes per user can be defined. On the user configuration, scroll down to the bottom and select the netscreen (this is case sensitive) Custom attributes check boxes. Specify the attributes in thecustom attributes field.
The custom attributes that can be specified are as follows:
 RootRoot RWRoot ROVSYS RWVSYS RO
vsys=rootrootrootvsys-namevsys-name
privilege=rootread-writeread-onlyvsys-read-writevsys-read-only
For example, assume that attributes have to be configured for read-write users in the root VSYS. The attributes that can specified are:
vsys=root
privilege=read-write
Note: If the Cisco ACS server is not used as the TACACS server, the config file should be formatted, as shown in the following example (using vsys = root and privilege = root):
group = root {
    service = netscreen {
        vsys = root
        privilege = root
    }
}

user = joe {        
    login = cleartext joe
        service = netscreen {
            vsys = root
            privilege = root
       }
}


The Following verification command can be used to check user authentication on the firewall:
nsisg1000-> get admin auth 
Id : 1 Auth Server : external 
Type : TACACS Server Name/IP: 192.168.1.33 
Backup1: Backup2 : 
Idle Timeout: 10 Account Type : admin 
Forced Timeout: 0 (Disabled)
Fail-over revert interval: Disabled
TACACS shared secret: QNM5OpXHNyCNyKsww1C+vDPFEpnHEFS+bw==
TACACS server port: 49
TACACS retry timeout: 0
nsisg1000->
After a user is logged in via TACACS: 
nsisg1000-> get admin user login 
No. Name Vsys Date Time Source IP Addr Auth Type
--- ---------- ---------- ---------- -------- ------- --------------- --------- 
1 test Root 2001-07-12 09:22:27 telnet 192.168.1.33 tacacs >>>>>>>>>
2 netscreen Root 2001-07-12 09:19:28 console 0.0.0.0 local

The following debug commands can be used for troubleshooting:

    • debug admin all

  • debug auth all


Marc Huber

unread,
Aug 8, 2013, 10:25:32 AM8/8/13
to event-driv...@googlegroups.com
Hi,

On 08.08.13 06:08, MrShy wrote:
> I am trying to add tacacs support for netscreen and I put the
> following code in:
> group = root {
> service = netscreen {
> vsys = root
> privilege = root
> }
> }
> When I do that I get "'vsys' unexpected".
this version uses slightly different syntax. Try "set sys = root".

Cheers,

Marc

MrShy

unread,
Aug 15, 2013, 8:31:47 PM8/15/13
to event-driv...@googlegroups.com, marc.j...@googlemail.com
Hi Marc

That worked. 

Thanks
Elad
Reply all
Reply to author
Forward
0 new messages