I appreciate the advice and you seem to have a nice setup. I would still refer back to the original post, specifically:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html

Cisco advise: "The values of the allow-commands, allow-configuration, deny-commands, and deny-configuration attributes can be entered in regex format. The values that these attributes are set to are in addition to the operational/configuration mode commands authorized by the user's login class permissions bits."

So what they're saying here is that, as well as the local class-permission bits in JUNOS, these attributes will complement that policy, in my view giving the user the control in ACS to control user permissions. Only a packet capture will show what's really going on, and whether or not Junos is bothered with the option, if at all they're being sent via TACACS+ from ACS.

> On 14 Apr 2015, at 21:17, Justin Seabrook-Rocha <xen...@xenith.org> wrote:
>
>> On Apr 14, 2015, at 12:55, Sukhjit Hayre <sukhjit.ha...@googlemail.com> wrote:
>>
>> Hi Justin - thanks for the reply
>>
>> I'm just a little stumped at why anyone would want to design this using ACS in which case, as most of the configuration is local on Juniper boxes and not at all scalable.
>>
>> I've replied to Eduardo from the thread who seems to have this working, unfortunately I could not replicate his results…
>
> It's most useful if you only need to map people into specific groups. I map every user into tier1, tier2, or tier3, each with a different set of permissions. I also have a service account group for things like RANCID. ACS manages authentication against Active Directory/LDAP and tells JunOS which group the user belongs to (local-username), then the user template manages permissions. And JunOS still uses TACACS+ for command accounting back to the ACS box. (Which we then dump into Splunk for log archiving.)
>
> It works very well for us, and is completely scalable. You only have to configure a small number of user templates (4 in our case), and have some way to keep them in sync across devices.
>
> The only additional feature I would wish for (aside from per-command authorization which is handled by the user templates) is the ability for TACACS+/ACS to be able to provide JunOS with the public ssh key of the user instead of needing to authenticate with a password.
>
> Justin Seabrook-Rocha
> --
> Xenith || xen...@xenith.org || http://xenith.org/
> Jabber: xen...@xenith.org || AIM: JustinR98

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
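As an added illustration (not posted by anyone in the thread), this is what the Junos side of the user-template design Justin describes looks like: ACS authenticates the user and returns a local-user-name of tier1, tier2 or tier3, the class on that local template carries the permission bits, and command accounting goes back to ACS over TACACS+. The class names, permission bits, regexes, uids, server address and secret are all assumptions for illustration; the allow/deny regexes shown are local ones, not attributes returned by ACS.

```junos
/* Added example, not from the thread. Names, bits, regexes and addresses are assumptions. */
system {
    /* With "password" listed, local accounts are tried after TACACS+ (also on a reject);
       list only "tacplus" to fall back to local accounts solely when no server answers. */
    authentication-order [ tacplus password ];
    tacplus-server {
        192.0.2.10 {                          /* placeholder ACS address */
            secret "$9$PLACEHOLDER";          /* placeholder shared secret */
            timeout 5;
            single-connection;
        }
    }
    accounting {
        /* Per-command accounting back to the same TACACS+ servers configured above. */
        events [ login change-log interactive-commands ];
        destination {
            tacplus;
        }
    }
    login {
        /* Read-only tier: show/ping/traceroute only, no shell or request commands. */
        class tier1 {
            permissions [ view view-configuration ];
            allow-commands "^(show|ping|traceroute) .*";
            deny-commands "^(request|file|start shell)";
        }
        /* Operator tier: may configure interfaces and routing, but not AAA settings. */
        class tier2 {
            permissions [ view view-configuration configure interface interface-control routing routing-control ];
            deny-configuration "^system (login|tacplus-server|authentication-order)";
        }
        /* Admin tier. */
        class tier3 {
            permissions all;
        }
        /* Local templates selected by the local-user-name attribute ACS returns.
           "remote" is the template Junos uses when no local-user-name is returned,
           so it is pinned to the least-privileged class. */
        user tier1 { uid 2001; class tier1; }
        user tier2 { uid 2002; class tier2; }
        user tier3 { uid 2003; class tier3; }
        user remote { uid 2000; class tier1; }
    }
}
```

The same four template stanzas are what has to be kept in sync across devices; the per-user mapping itself lives only in ACS.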