Even though TACACS+ originates from Cisco, it can also be used to authenticate, authorize and account remote access to Juniper JunOS devices.

It’s assumed that you have read the previous post, Cisco AAA with TACACS+, which shows the basics.

GNS3 project

The GNS3 project from the previous post is extended to include a JunOS device.
(Figure: GNS3 project)

The JunOS router gets a basic interface configuration:

set interfaces em0 unit 0 family inet address 192.168.1.2/24
set interfaces em1 unit 0 family inet address 10.1.2.1/24
set interfaces lo0 unit 0 family inet address 172.16.1.2/32

The TACACS container keeps IP 192.168.1.100/24, but needs static routes to the loopbacks of the routers:

iface eth0 inet static
	address 192.168.1.100
	netmask 255.255.255.0
	up route add 172.16.1.1 gw 192.168.1.1
	up route add 172.16.1.2 gw 192.168.1.2

The ipterm-2 container gets the IP 10.1.2.100/24.

JunOS configuration

This is a fairly complete configuration that uses TACACS+ for authentication, authorization and accounting. If you don’t want to use accounting, you can leave out the “set system accounting…” and “set system tacplus-options…” commands.

set system authentication-order [ tacplus password ]
set system tacplus-server 192.168.1.100 secret tac-key
set system tacplus-server 192.168.1.100 source-address 172.16.1.2
set system tacplus-options exclude-cmd-attribute
set system accounting events [ login change-log interactive-commands ]
set system accounting destination tacplus server 192.168.1.100 secret tac-key
set system accounting destination tacplus server 192.168.1.100 source-address 172.16.1.2
set system login class read-only-ping permissions view
set system login class read-only-ping allow-commands "ping|traceroute"
set system login user OP full-name operator
set system login user OP class operator
set system login user RO full-name "read-only user"
set system login user RO class read-only
set system login user RO-ping full-name "read-only + ping"
set system login user RO-ping class read-only-ping
set system login user SU full-name super-user
set system login user SU class super-user
set system login user local full-name "local user"
set system login user local class super-user
set system login user local authentication encrypted-password ## SECRET-DATA
set system login user remote full-name "default remote user"
set system login user remote class read-only
set system services telnet

JunOS uses template users to assign permissions to TACACS+ logins: the TACACS+ server returns the name of a locally configured template user, and the login inherits that user’s class. If the TACACS+ server doesn’t assign a template user to a login, the special template user “remote” is used.

test@junOS-1> show cli authorization
Current user: 'RO' login: 'test' class 'read-only'
Permissions:
    view        -- Can view current values and statistics
Individual command authorization:
    Allow regular expression: (ping|traceroute)
    Deny regular expression: none
    Allow configuration regular expression: none
    Deny configuration regular expression: none

The login classes operator, read-only and super-user are predefined, while the login class read-only-ping is an example of a self-defined class.

Local users (user “local” in this example) are always available for login. That differs from Cisco IOS, where local users are usable only when TACACS+ fails.

tac_plus configuration

The TACACS+ server configuration is almost the same as for Cisco AAA with TACACS+.

The only difference is that JunOS devices need a template user for each login. That is done with the “service = junos-exec” configuration in user or group definitions. Furthermore, commands can be allowed or denied on top of the template user’s command authorization.

	service = junos-exec {
		local-user-name = RO
		allow-commands = "ping|traceroute"
	}
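To make the interplay between the JunOS template users above and the junos-exec attributes in tac_plus concrete, here is an added example (written for this post, not code from Junos or tac_plus). It parses the “set system login …” lines of the JunOS configuration, takes the attribute-value pairs a “service = junos-exec” block makes the server return (local-user-name, allow-commands, deny-commands), and resolves them to the template user, login class and command authorization, including the fall-back to the “remote” template. The combination rules it applies (deny regex beats allow regex, allow regex beats class permissions, an unknown template falls back to “remote”, start-anchored regex matching, and the small command-prefix-to-permission table) are simplifying assumptions of this model, not Juniper’s implementation.

```python
"""Model of how a JunOS device turns a TACACS+ junos-exec authorization reply
into an effective login class and command authorization.

Constructed example for this post, not code from Junos or tac_plus. The rules
below (deny regex beats allow regex, allow regex beats class permissions,
unknown template user falls back to "remote", start-anchored regex matching,
prefix-to-permission table) are a simplified model, not Juniper's implementation.
"""
import re
import shlex

# Constructed sample: the login part of the "set system ..." configuration above.
JUNOS_LOGIN_CONFIG = """\
set system login class read-only-ping permissions view
set system login class read-only-ping allow-commands "ping|traceroute"
set system login user OP class operator
set system login user RO class read-only
set system login user RO-ping class read-only-ping
set system login user SU class super-user
set system login user local class super-user
set system login user remote class read-only
"""

# Permission flags of the predefined Junos login classes.
PREDEFINED_CLASSES = {
    "operator": {"clear", "network", "reset", "trace", "view"},
    "read-only": {"view"},
    "super-user": {"all"},
    "unauthorized": set(),
}

# Simplified mapping from command prefix to the permission flag it needs
# (assumption of this model; Junos has a much finer-grained table).
COMMAND_PERMISSIONS = [
    ("show ", "view"),
    ("ping ", "network"),
    ("traceroute ", "network"),
    ("clear ", "clear"),
    ("configure", "configure"),
]


def new_class(permissions=()):
    return {"permissions": set(permissions), "allow": [], "deny": []}


def parse_login_config(text):
    """Parse 'set system login ...' lines into class and template-user tables."""
    classes = {name: new_class(perms) for name, perms in PREDEFINED_CLASSES.items()}
    users = {}
    for line in text.splitlines():
        parts = shlex.split(line)  # shlex strips the quotes around regexes
        if parts[:4] == ["set", "system", "login", "class"]:
            cls = classes.setdefault(parts[4], new_class())
            keyword, values = parts[5], parts[6:]
            if keyword == "permissions":
                cls["permissions"].update(v for v in values if v not in ("[", "]"))
            elif keyword == "allow-commands":
                cls["allow"].append(values[0])
            elif keyword == "deny-commands":
                cls["deny"].append(values[0])
        elif parts[:4] == ["set", "system", "login", "user"] and parts[5] == "class":
            users[parts[4]] = parts[6]  # template user -> login class
    return classes, users


def resolve_authorization(reply, classes, users):
    """Map the junos-exec AV pairs of a TACACS+ reply to effective authorization.

    reply holds the attributes tac_plus sends under 'service = junos-exec',
    e.g. {"local-user-name": "RO", "allow-commands": "ping|traceroute"}.
    """
    template = reply.get("local-user-name", "remote")
    if template not in users:
        template = "remote"  # model assumption: unknown template -> "remote"
    if template not in users:
        raise PermissionError("no template user and no 'remote' user configured")
    class_name = users[template]
    cls = classes[class_name]

    def merged(key, attr):
        # regexes sent by the server are merged with those of the class
        return cls[key] + ([reply[attr]] if attr in reply else [])

    return {
        "template": template,
        "class": class_name,
        "permissions": set(cls["permissions"]),
        "allow": merged("allow", "allow-commands"),
        "deny": merged("deny", "deny-commands"),
    }


def command_allowed(auth, command):
    """Decide whether an operational command is permitted: deny regex first,
    then allow regex, then the class permission flags."""
    if any(re.match(rx, command) for rx in auth["deny"]):
        return False
    if any(re.match(rx, command) for rx in auth["allow"]):
        return True
    needed = next((perm for prefix, perm in COMMAND_PERMISSIONS
                   if command.startswith(prefix)), "all")
    return "all" in auth["permissions"] or needed in auth["permissions"]


if __name__ == "__main__":
    classes, users = parse_login_config(JUNOS_LOGIN_CONFIG)
    # the reply the tac_plus snippet above produces for a login such as "test"
    auth = resolve_authorization(
        {"local-user-name": "RO", "allow-commands": "ping|traceroute"}, classes, users)
    print(auth["template"], auth["class"], sorted(auth["permissions"]), auth["allow"])
    for cmd in ("show interfaces terse", "ping 10.1.2.100",
                "clear interfaces statistics", "configure"):
        print(f"{cmd!r}: {'allowed' if command_allowed(auth, cmd) else 'denied'}")
```

Run as a script, the model reproduces the “show cli authorization” output above for the user “test”: template RO, class read-only with the view permission, and ping/traceroute permitted only because of the server-sent allow-commands regex; a reply without local-user-name lands on the “remote” template and loses ping.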