Hello,
I have been trying to get a few Juniper EX4200 switches working with Cisco ACS through TACACS+ utilizing "allowed commands". I have followed the example doc on the Cisco site here: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080af7d1d.shtml, which didn't work at all until I added the "remote" user on the EX4200, but then it would only allow access and the user would be mapped to the "remote" username, which had "read-only" access. I have tried different combinations of syntax on the Cisco ACS in terms of the "local-username" and "allowed-commands" with no success (I also added the "set" keyword in front of the commands as some examples demonstrated). I believe I almost have it configured but I'm missing some simple thing. I searched the forum but all the past posts have made mention of things I have already tried. Anyone have any suggestions?

Config on the EX4200 (JUNOS version 10.0S1.1):

system {
    authentication-order [ tacplus password ];
    tacplus-server {
        1.2.3.4 {
            secret "stuff"; ## SECRET-DATA
            timeout 5;
            source-address 5.5.5.5;
        }
    }
}
class LIMITED {
    permissions all;
}
user LIMITED-USER {
    uid 2002;
    class LIMITED;
}
user remote {
    uid 2001;
    class read-only;
}

ACS Config (version 4.2): Setup per the link above with the following attributes in the "custom attributes" box:

local-user-name = LIMITED-USER
allow-commands = "monitor | help | show | ping | traceroute"

Thanks,
Ralph
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
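An added example, not part of Ralph's post and not a Juniper or Cisco tool: a small Python checker that parses the login fragment and the ACS custom-attribute lines from the post, reports which local template account and class the TACACS+ user lands on (Junos falls back to the "remote" template when local-user-name is absent or names an account that does not exist locally), and flags that a class granting "permissions all" cannot be narrowed by allow-commands. The config parser is a deliberate simplification (flat user/class blocks only), and the permissions assigned to the predefined classes are taken from Junos documentation as an assumption.

```python
import re

# Attribute names Junos understands in a TACACS+ authorization reply.
JUNOS_ATTRS = {"local-user-name", "allow-commands", "deny-commands",
               "allow-configuration", "deny-configuration"}
# Permissions of the predefined login classes (assumed from Junos documentation).
PREDEFINED = {"read-only": ["view"], "super-user": ["all"], "unauthorized": [],
              "operator": ["clear", "network", "reset", "trace", "view"]}

def parse_junos_login(text):
    """Simplified parser for flat 'user NAME { ... }' and 'class NAME { ... }' blocks
    as shown under [edit system login]. Returns ({user: class}, {class: [perms]})."""
    users, classes = {}, {}
    for kind, name, body in re.findall(r"\b(user|class)\s+(\S+)\s*\{([^}]*)\}", text):
        stmts = {}
        for stmt in body.split(";"):
            parts = stmt.split(None, 1)
            if parts:
                stmts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        if kind == "user":
            users[name] = stmts.get("class")
        else:
            classes[name] = stmts.get("permissions", "").strip("[] ").split()
    return users, classes

def parse_acs_attributes(text):
    """Parse 'name = value' lines from the ACS custom-attributes box; strips quotes
    and whitespace, keeps known Junos attributes, reports unknown names."""
    attrs, unknown = {}, []
    for line in text.splitlines():
        if "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            (attrs.__setitem__(name, value.strip('"')) if name in JUNOS_ATTRS
             else unknown.append(name))
    return attrs, unknown

def resolve(attrs, users, classes):
    """Template account, class and permissions the TACACS+ user ends up with, plus findings."""
    wanted = attrs.get("local-user-name")
    template = wanted if wanted in users else ("remote" if "remote" in users else None)
    cls = users.get(template)
    perms = classes.get(cls, PREDEFINED.get(cls, []))
    findings = []
    if wanted not in users:  # missing or unknown local-user-name: Junos uses 'remote'
        findings.append("local-user-name absent or not a configured user; fell back to 'remote'")
    if "all" in perms and "allow-commands" in attrs:
        findings.append("class grants 'permissions all'; allow-commands only widens access, use deny-commands to restrict")
    return template, cls, perms, findings

# Constructed from the configuration quoted in the post.
LOGIN_CONFIG = """class LIMITED { permissions all; }
user LIMITED-USER { uid 2002; class LIMITED; }
user remote { uid 2001; class read-only; }"""
ACS_ATTRIBUTES = 'local-user-name = LIMITED-USER\nallow-commands = "monitor | help | show | ping | traceroute"\n'

if __name__ == "__main__":
    users, classes = parse_junos_login(LOGIN_CONFIG)
    attrs, unknown = parse_acs_attributes(ACS_ATTRIBUTES)
    print(resolve(attrs, users, classes), "unknown attributes:", unknown)
```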