JUNOS gives you very flexible AAA services. I would suggest you not use the remote user template on a live production box. Configuring a single remote user template account requires that all users (once again, keep in mind ALL users) without individual configuration entries share the same class and UID.

When you are using TACACS and telnet or TACACS and SSH together, you can specify a different template user other than the remote user. I would suggest you configure alternate template users and specify the user-name parameter (custom attribute 'local-user-name=<insert username here>') returned in the TACACS authentication response packet. You'll need to configure a template account on the Juniper device which matches the username you specify as the local-user-name in your TACACS+ server. This template account should be bound to the class you want to assign these users. Find below a template for JUNOS and the TACACS server.

Here is JUNOS: "Read the comments in braces"

    system {
        authentication-order [ tacplus password ];   (please authenticate me using the tacplus server first)
        tacplus-server {
            x.x.x.y {                                (your TACACS server address)
                secret "blahblahblah"; ## SECRET-DATA (TACACS secret key, it should be the same as the one you have configured on the server)
                timeout 5;
                source-address x.x.y.x;              (your TACACS server must be reachable using this source address, and you should have an entry in the TACACS server for this particular source)
            }
        }
    }

Here is TACACS, if you don't want to use the remote user. Alternatively, you could just put the following in your TACACS+ configuration file on the TACACS server, and bind the user with this particular server. You can use the local-user-name attribute for a specific user as well.
    service = junos-exec {
        local-user-name = <username-local-to-router>
        allow-commands = "<allow-commands-regexp>"
        allow-configuration = "<allow-configuration-regexp>"
        deny-commands = "<deny-commands-regexp>"
        deny-configuration = "<deny-configuration-regexp>"
    }

Regards,
Masood
Blog: http://weblogs.com.pk/jahil/

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Nalkhande Tarique Abbas
Sent: Sunday, August 09, 2009 6:01 PM
To: Bill Blackford; Walaa Abdel razzak
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200

Do you have a remote user configured? Please try to add this:

    system {
        login {
            user remote {
                full-name "All remote users";
                uid 2001;
                class super-user;
            }
        }
    }

Thanks & Regards,
Tarique A. Nalkhande

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 8:29 PM
To: Walaa Abdel razzak
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] tacplus on EX3200

    authentication-order [ tacplus password ];

-b

-----Original Message-----
From: Walaa Abdel razzak [mailto:wala...@bmc.com.sa]
Sent: Sunday, August 09, 2009 7:51 AM
To: Bill Blackford; juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] tacplus on EX3200

Hi

Did you check the authentication order on the router? TACACS log on the server?

BR,
Walaa Abdel Razzak
-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Bill Blackford
Sent: Sunday, August 09, 2009 5:23 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] tacplus on EX3200

I'm struggling with getting tacplus working on my EX's and was hoping someone on the list has successfully done this.

    tacplus-server {
        ###.###.###.### {
            port 49;
            secret "<my secret>"; ## SECRET-DATA
            timeout 5;
            single-connection;
        }
    }

I currently have local accounts with two profiles: super-user and:

    class NOC {
        permissions [ view view-configuration ];
    }

I would want to integrate these two profiles into TACACS as well, but for now I'd like to just get it to authenticate. TACACS is doing passthrough to AD and works fine with Cisco or Extreme devices.

What am I missing?

Thanks
-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD
my /home away from home

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
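The following is a small model, added here as an example and not code from the thread or from Juniper, of the template-selection behaviour Masood argues about: one shared `remote` account (Tarique's snippet) gives every TACACS+-authenticated person the same UID and class, whereas a per-role template chosen by the `local-user-name` attribute keeps them apart. The lookup order it implements (local-user-name first, then a local account named like the login, then `remote`, otherwise refusal), the template names noc-tmpl/admin-tmpl with UIDs 2002/2003, the tac_plus-style stanzas and the helper names parse_junos_exec, resolve and shared_uids are all assumptions made for this example; parse_junos_exec only handles the one stanza shape shown, it is not a general tac_plus config parser.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- device side (constructed, modelled on the snippets in the thread) ------

@dataclass(frozen=True)
class LocalUser:
    name: str         # [edit system login user <name>]
    uid: int
    login_class: str  # class the template account is bound to

@dataclass(frozen=True)
class Resolution:
    login: str        # name authenticated by TACACS+
    template: str     # local account the session actually runs as
    uid: int
    login_class: str

# Design A: a single catch-all 'remote' template (Tarique's snippet).
REMOTE_ONLY: Dict[str, LocalUser] = {
    "remote": LocalUser("remote", 2001, "super-user"),
}

# Design B: one template per role, selected by the TACACS+ reply (Masood's
# suggestion). Template names and UIDs are made up for this example.
PER_ROLE: Dict[str, LocalUser] = {
    "noc-tmpl": LocalUser("noc-tmpl", 2002, "NOC"),
    "admin-tmpl": LocalUser("admin-tmpl", 2003, "super-user"),
}

# --- TACACS+ side: constructed tac_plus-style stanzas -----------------------

NOC_STANZA = '''
service = junos-exec {
    local-user-name = noc-tmpl
    allow-commands = "show .*"
    deny-configuration = ".*"
}
'''

ADMIN_STANZA = '''
service = junos-exec {
    local-user-name = admin-tmpl
    allow-commands = ".*"
}
'''

_ATTR = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|(\S+))')

def parse_junos_exec(stanza: str) -> Dict[str, str]:
    """Extract attribute = value pairs from the body of a
    'service = junos-exec { ... }' stanza (assumed shape: one pair per line,
    values bare or double-quoted). Returns {} when no stanza is present."""
    m = re.search(r'service\s*=\s*junos-exec\s*\{(.*)\}', stanza, re.S)
    if m is None:
        return {}
    return {key: (quoted or bare) for key, quoted, bare in _ATTR.findall(m.group(1))}

def resolve(login: str, attrs: Dict[str, str],
            local_users: Dict[str, LocalUser]) -> Optional[Resolution]:
    """Map an authenticated login onto the local account it will run as.

    Lookup order assumed by this model:
      1. the 'local-user-name' attribute from the TACACS+ reply, if such a
         local account exists on the device;
      2. a local account whose name equals the login itself;
      3. the 'remote' template, if one is configured;
      4. nothing matches: the login is refused (None).
    """
    for name in (attrs.get("local-user-name"), login, "remote"):
        user = local_users.get(name) if name else None
        if user is not None:
            return Resolution(login, user.name, user.uid, user.login_class)
    return None

def shared_uids(resolutions: List[Resolution]) -> Dict[int, List[str]]:
    """Audit helper: which logins ended up on the same UID (and so the same
    class). A non-empty result is exactly the situation Masood warns about."""
    by_uid: Dict[int, List[str]] = {}
    for r in resolutions:
        by_uid.setdefault(r.uid, []).append(r.login)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def demo_remote_only() -> Dict[int, List[str]]:
    """Design A: three different people, no local-user-name, all become 'remote'."""
    found = [resolve(name, {}, REMOTE_ONLY) for name in ("alice", "bob", "carol")]
    return shared_uids([r for r in found if r is not None])

def demo_per_role() -> Tuple[Optional[Resolution], Optional[Resolution], Optional[Resolution]]:
    """Design B: the TACACS+ reply picks the template; a login with no usable
    local-user-name (and no 'remote' template configured) is refused."""
    alice = resolve("alice", parse_junos_exec(ADMIN_STANZA), PER_ROLE)
    bob = resolve("bob", parse_junos_exec(NOC_STANZA), PER_ROLE)
    carol = resolve("carol", {}, PER_ROLE)
    return alice, bob, carol

if __name__ == "__main__":
    print("remote-only, logins sharing one UID:", demo_remote_only())
    for r in demo_per_role():
        print("per-role:", r)
```

The point of the audit helper is the check to run after such a change: with the `remote` design every login collapses onto UID 2001 and class super-user, while the per-role design gives each template its own UID and, when the TACACS+ reply names no template and no `remote` account exists, refuses the login instead of silently granting it. On the box itself, logging in through TACACS+ and running `show cli authorization` shows which class and permissions the session actually received.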