All, especially Tom... you ROCK! Thanks all.
...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ; <http://twitter.com/networkceoau> linkedin.com/in/skeeve

twitter.com/theispguy ; blog: www.theispguy.com

The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering

On Fri, Mar 21, 2014 at 9:34 AM, Tom Storey <t...@snnap.net> wrote:
> For everyone's reference, this is the config I have been using, and
> seems to work as you'd expect on a Cisco. Using this config I have run
> Junipers against the same TACACS server used by Cisco devices without
> any issues.
>
> system {
>     authentication-order [ tacplus password ];
>     root-authentication {
>         encrypted-password "xxxxxxxx"; ## SECRET-DATA
>     }
>     tacplus-server {
>         172.25.150.26 {
>             secret "xxxxxxxx"; ## SECRET-DATA
>             timeout 5;
>             source-address 172.25.150.26;
>         }
>     }
>     accounting {
>         events [ login change-log interactive-commands ];
>         destination {
>             tacplus;
>         }
>     }
>     login {
>         class rescue {
>             idle-timeout 30;
>             permissions all;
>         }
>         user remote {
>             full-name "Remote user template";
>             uid 2002;
>             class rescue;
>         }
>         user rescue {
>             full-name "Rescue account";
>             uid 2000;
>             class rescue;
>             authentication {
>                 encrypted-password "xxxxxxxx"; ## SECRET-DATA
>             }
>         }
>     }
> }
>
> The key is in the "remote" user, which is basically a template from
> which various properties get assigned to each user that logs in. It
> needs to exist and needs to be called "remote", but commands executed
> by users are recorded against their own username, as expected.
>
> The "rescue" account is what you use to log in if TACACS becomes
> unavailable for some reason (e.g. network outage) but can be called
> anything you want, same goes for the "rescue" class.
>
> On 20 March 2014 22:16, Skeeve Stevens
> <skeeve+juniper...@eintellegonetworks.com> wrote:
> > Hey all,
> >
> > We've been implementing Tacacs on our networks and have this issue where we
> > can't seem to get Tacacs working unless we declare the username and Tacacs
> > is used just for the authentication.
> >
> > Does anyone know how to get Tacacs working like Cisco where you just set it
> > up and once you add users to the Tacacs back-end, they can login?
> >
> > ...Skeeve
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
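As an added example, not from the thread or from Juniper, here is a small Python checker that parses a Junos-style brace config and verifies the properties Tom's post relies on: tacplus first with a local password fallback, a tacplus-server, the "remote" template user, a local rescue account with its own password, and interactive-command accounting. The parser and the sample config are constructed here; the sample uses placeholder secrets.

```python
import re
# Constructed sample in the layout Tom's post describes (placeholder secrets and address).
SAMPLE = """system {
    authentication-order [ tacplus password ];
    tacplus-server { 172.25.150.26 { secret "xxxxxxxx"; timeout 5; } }  ## SECRET-DATA
    accounting { events [ login change-log interactive-commands ]; destination { tacplus; } }
    login {
        class rescue { idle-timeout 30; permissions all; }
        user remote { full-name "Remote user template"; uid 2002; class rescue; }
        user rescue { uid 2000; class rescue; authentication { encrypted-password "xx"; } }
    }
}"""

def parse_junos(text):
    """Turn brace-style Junos config into nested dicts: blocks -> dict, statements -> values."""
    text = re.sub(r"##.*", "", text)  # drop ## annotations such as SECRET-DATA
    tokens = re.findall(r'"[^"]*"|[{};\[\]]|[^\s{};\[\]]+', text)
    stack, stmt = [{}], []
    for tok in tokens:
        if tok == "{":                  # open a block named by the words seen so far
            stack.append(stack[-1].setdefault(" ".join(stmt), {}))
            stmt = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":                # end of statement: key -> list of values, or True
            if stmt:
                vals = [v.strip('"') for v in stmt[1:] if v not in ("[", "]")]
                stack[-1][stmt[0]] = vals or True
            stmt = []
        else:
            stmt.append(tok)
    return stack[0]

def audit_tacacs(cfg):
    """Return findings; an empty list means the TACACS+ layout from the thread is in place."""
    system = cfg.get("system", {})
    order = system.get("authentication-order", [])
    login = system.get("login", {})
    rescue = [k for k, v in login.items() if k.startswith("user ") and k != "user remote"
              and "encrypted-password" in v.get("authentication", {})]
    checks = [
        (order[:1] == ["tacplus"], "tacplus is not the first authentication method"),
        ("password" in order, "no local password fallback in authentication-order"),
        (bool(system.get("tacplus-server")), "no tacplus-server configured"),
        ("user remote" in login, "template user 'remote' is missing"),
        (bool(rescue), "no local rescue account with a password"),
        ("interactive-commands" in system.get("accounting", {}).get("events", []),
         "interactive-commands accounting is not enabled"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run it against `show configuration | display set`-free brace output (the default `show configuration` form) to confirm a device still has its local rescue path before TACACS+ is cut over.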