JunOS – Using TACACS+ With Cisco ACS

KB ID 0001040 

Problem

I’ve been configuring a client’s Juniper SRX chassis cluster, for a while now. Their ACS was deployed last week so my task was to configure it to use the TACACS+ from the Cisco ACS server.

The client’s setup required them to use their fxp0 management interfaces to perform the authentication. After it was configured and working, (due in no small part, to the ACS skills of Mr SteveH). I decided that because of the lack of decent info, I would run it up at home on the test bench.

This procedure uses a Juniper Firefly Perimeter vSRX, and a Cisco ACS virtual appliance (v5.5). I’m going to create a read only group (JUNOS-RO), and a read write group (JUNOS-RW) for different levels of authentication.

Solution

Step 1 – Configure Cisco ACS For Juniper JunOS

1. Log into ACS > Network Resources > Network Devices and AAA Clients > Create.

2. Add the SRX as a device > Submit.

3. Policy Elements > Device Administration > Shell Profiles > Create.

4. Create a new shell profile for our read only profile.

5. Custom Attributes tab > Add in an attribute called local-user-name and set its value to JUNOS-RO > Submit.

6. Repeat the process and create a new shell profile for the read/write profile.

7. This time on the custom attributes tab add local-user-name but this time set its value to JUNOS-RW > Submit.

8. Access Policies > Access Services > Create.

9. Create a new access service profile for your JunOS device(s) > Next.

10. Select Process host lookup > Select PAP/ASCII > Finish.

11. You will be prompted to create a service selection rule > Create.

12. Ensure you select TACACS and the service is set to the one that you have just created > OK.

13. Save Changes, (at this point your JunOS access service should ‘go green’).

14. Select your ‘JunOS Device Admin’ access service > Identity > Select your AD > Save Changes.

15. Ive created some AD groups for my two roles > to Add them into ACS > Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > Add in the groups as applicable.

16. Access Policies > ‘JunOS Device Admin’ access service > Authorization > Customize > Set as shown below > OK.

17. Create.

18. Create a new element for the read only role > OK.

19. Then repeat for the read/write role > OK.

20. Save Changes.

 

Step 2 – Configure SRX for Cisco ACS Access

1. Connect to the SRX and go to configuration mode.

[box] Petes-SRX (ttyd0)

login: petelong
Password: **********
No home directory.
Logging in with home = “/”.

— JUNOS 12.1X47-D10.4 built 2014-08-14 22:59:01 UTC

petelong@Petes-SRX> configure
Entering configuration mode

[edit]
petelong@Petes-SRX#

[/box]

2. I’m going to setup the TACACS server with the following properties;

  • IP of TACACS Server: 10.254.254.22/24
  • IP that the SRX will present to the ACS Server: 10.254.254.26/24
  • Shared secret: s3cr3tp@ssword
  • TACACS Port: 49 (TCP)

[box]

[edit]
petelong@Petes-SRX# set system tacplus-server 10.254.254.22 secret s3cr3tp@ssword

[edit]
petelong@Petes-SRX# set system tacplus-server 10.254.254.22 source-address 10.254.254.26

[edit]
petelong@Petes-SRX# set system tacplus-server 10.254.254.22 port 49

[edit]
petelong@Petes-SRX# set system tacplus-server 10.254.254.22 single-connection

Note: If you are deploying a chassis cluster and you want to use the Fxp0 interface for TACACS that does not failover, so you need to pin each node to a particular ACS server like so;

set groups node0 system tacplus-server 10.254.254.26 secret <secret-password>
set groups node0 system tacplus-server 10.254.254.26 source-address 10.254.254.10
set groups node0 system tacplus-server 10.254.254.26 port 49
set groups node0 system tacplus-server 10.254.254.26 single-connection
set groups node1 system tacplus-server 10.254.254.27 secret <secret-password>
set groups node1 system tacplus-server 10.254.254.27 source-address 10.254.254.11
set groups node1 system tacplus-server 10.254.254.27 port 49
set groups node1 system tacplus-server 10.254.254.27 single-connection

[/box]

3. In the event that TACACS fails, (or cannot be contacted), I want the SRX to ‘fail back’ to its local user database so we can still log in.

[box][edit]
petelong@Petes-SRX# set system authentication-order tacplus authentication-order password[/box]

4. Create a ‘user class’ for our read only group.

[box] [edit]
petelong@Petes-SRX# set system login class RO-CLASS permissions view

[edit]
petelong@Petes-SRX# set system login class RO-CLASS permissions view-configuration

[/box]

5. Create a ‘user class’ for our read write group.

[box][edit]
petelong@Petes-SRX# set system login class RW-CLASS permissions all[/box]

6. Now create two users, and assign each user to the appropriate class.

[box]

[edit]
petelong@Petes-SRX# set system login user JUNOS-RO uid 2100 class RO-CLASS

[edit]
petelong@Petes-SRX# set system login user JUNOS-RW uid 2101 class RW-CLASS

[/box]

7. Finally Save all your hard work.

[box]

[edit]
petelong@Petes-SRX# commit
commit complete

[edit]
petelong@Petes-SRX#

[/box]

8. And test.

Full JunOS (SRX) Config for TACACS+

[box]

set system tacplus-server 10.254.254.22 secret s3cr3tp@ssword
set system tacplus-server 10.254.254.22 source-address 10.254.254.26
set system tacplus-server 10.254.254.22 port 49
set system tacplus-server 10.254.254.22 single-connection
set system authentication-order tacplus authentication-order password
set system login class RO-CLASS permissions view
set system login class RO-CLASS permissions view-configuration
set system login class RW-CLASS permissions all
set system login user JUNOS-RO uid 2100 class RO-CLASS
set system login user JUNOS-RW uid 2101 class RW-CLASS

[/box]

 

Related Articles, References, Credits, or External Links

NA

 

Securing Network Device Access With Cisco ACS (and Active Directory)

KB ID 0000942

Problem

For network identification I have tended to use RADIUS (in a Windows NPS or IAS flavour), in the past. I turned my back on Cisco TACACS+ back in my ‘Studying for CCNA’ days, because back then it was clunky and awful. I have a client that will be installing ACS in the near future, so I thought I would take a look at it again, and was surprised at how much more polished it is. As Cisco plans to roll ACS into Cisco ISE in the future, I’m not sure if it will remain as a separate product. So we may find people using version 5 for a long time yet.

Solution

I’m deploying ACS version 5.5 as a virtual appliance, remember to give it at least 60GB of hard drive or the install will fail. If you are installing on VMware workstation, choose the ‘I will install the operating system later’ option and manually present the CD image or it will also fail.

When you have run through the initial setup on the appliance it will set;

  • Hostname.
  • IP Address.
  • Subnet Mask.
  • Default Gateway.
  • DNS Domain Name.
  • DNS IP Address.
  • Secondary DNS (if required).
  • NTP Server IP address. (Ensure UDP port 123 is open or this will fail).
  • Secondary NTP (if required).
  • Timezone.
  • Username.
  • Password.

Then connect via a web browser (https);

  • Username: ACSAdmin
  • Password: default

1. Join the ACS appliance to your domain. Users and Identity Stores > External Identity Stores > Active Directory > Join/Test Connection > Enter Domain Credentials > Join.

2. Be patient it can take a couple of minutes, wait till it says ‘Joined and Connected’.

3. Make sure you already have some groups in active directory that you want to grant access to, here I’ve got a full-access group and a read-only access group.

Note: I’m going to grant privilege level 15 to full-access, and privilege level 1 to read-only, (yes I know they can still escalate to configure terminal mode, but you can always restrict level 1 so it can only use the show command if you like).

4. Back in ACS > Directory Groups > Add > Add in your Groups > OK.

5. Create a Shell Policy: Policy Elements > Authorization and Permissions > Shell Profiles > Create > First create one for level 15 (full-access).

6. Common Tasks tab > Default Privilege > Static > 15 > Submit.

7. Then repeat to create a profile for read-only (level 1) access.

8. Common Tasks tab > Default Privilege > Static > 1 > Submit.

9. Access Policies > Access Services > Default Device Admin > Identity >Select > AD1 (this got created when you joined the domain earlier) > OK.

10. Access Policies > Access Services > Default Device Admin > Authorisation > Customise > Add ‘Compound Condition’ > OK.

11. Create > Tick ‘Compound Condition’ > Select > ExternalGroups > Select your full-access group.

12. Add > Shell Profile > Select > Select the full-access profile > OK.

13. Repeat for the read-only group.

14. Set the shell profile to read-only access > OK.

15. Access Policies > Service Selection Rules > Create > Set to Match Protocol TACACS > Set the service to Default Device Admin > OK.

16. Network Resources > Network Devices and AAA Clients > Enter the details of your Cisco device and set a shared key, (here I’m using 666999) > Submit.

17. Make the necessary changes on your Cisco devices, like so;

Cisco IOS TACACS+ Config

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default group tacacs+ local
Petes-Router(config)#aaa authorization exec default group tacacs+ local
Petes-Router(config)#aaa authorization console
Petes-Router(config)#tacacs-server host 10.254.254.22
Petes-Router(config)#tacacs-server key 666999
Petes-Router(config)#end
Petes-Router#
*Mar 1 00:10:24.691: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router# 

[/box]

Cisco ASA 5500 (and Next Generation) TACACS+ Config

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server PNL-AAA-TACACS protocol tacacs+
Petes-ASA(config-aaa-server-group)# aaa-server PNL-AAA-TACACS (inside) host 10.254.254.22
Petes-ASA(config-aaa-server-host)# key 666999
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)#

-=-=-=-=-Authentication-=-=-=-=-
ASDM Authentication

Petes-ASA(config)# aaa authentication http console PNL-AAA-TACACS LOCAL 
Console Authentication

Petes-ASA(config)# aaa authentication serial console PNL-AAA-TACACS LOCAL
SSH Authentication

Petes-ASA(config)# aaa authentication ssh console PNL-AAA-TACACS LOCAL
Telnet Authentication

Petes-ASA(config)# aaa authentication telnet console PNL-AAA-TACACS LOCAL

Enable Mode Command Protection Authentication

Petes-ASA(config)# aaa authentication enable console PNL-AAA-TACACS LOCAL
-=-=-=-=-Authorisation-=-=-=-=-

Petes-ASA(config)# aaa authorization command PNL-AAA-TACACS LOCAL
Petes-ASA(config)# privilege show level 5 mode configure configure command aaa

<repeat as necessary - Note: Turn it on with the ASDM with command preview enables and you can copy paste all the commands out and edit them accordingly>
-=-=-=-=-Accounting-=-=-=-=-

Petes-ASA(config)# aaa accounting command PNL-AAA-TACACS

[/box]

18. Now you can test, here I connect as a user with read-only access (Note: I have a greater than prompt, I’m in user EXEC mode). Then when I connect as a full-access user (Note: I have a hash prompt. I’m in privileged EXEC mode).

19. The results are the same if I connect via SSH.

Enabling TACACS+ Though a Firewall

Sometimes, e.g. you have a switch in a DMZ or a router outside your firewall that you want to secure with TACACS. To enable this you simply need to open TCP port 49, from the device you are securing with TACACS to the ACS server.

Related Articles, References, Credits, or External Links

JunOS – Using TACACS+ With Cisco ACS