appreciate the advice and you seem to have a nice setup.
I would still refer back to original post, specifically:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/115926-tacacs-radius-devices-00.html
Cisco advise "The values of the allow-commands, allow-configurat
> On Apr 14, 2015, at 12:55, Sukhjit Hayre wrote:
>
>
> Hi Justin - thanks for the reply
>
> I'm just a little stumped at why anyone would want to design this using ACS in
> which case, as most the configuration is local on Juniper boxes and not at
> all scalable.
>
> I've replied to Eduardo
Hi Justin - thanks for the reply
I'm just a little stumped at why anyone would want to design this using ACS
in which case, as most the configuration is local on Juniper boxes and not
at all scalable.
I've replied to Eduardo from the thread who seems to have this working,
unfortunately I could not
> On Apr 14, 2015, at 03:36, Sukhjit Hayre wrote:
>
>
> Hi Ivan
>
> Thanks for the additional information.
>
> But the fact remains we only use ACS for authentication and not
> authorisation, I want to be able to use ACS for authorisation control hence I
> need the additional attributes to w
Hi Ivan
Thanks for the additional information.
But the fact remains we only use ACS for authentication and not authorisation,
I want to be able to use ACS for authorisation control hence I need the
additional attributes to work or at least understand why they don't when
support is supposed to
Hi Sukhjit,
The idea with local templates is that you configure a couple of them or more
with different privileges. Then using the ACS you control which user which
template to inherit. If you look in the link you will see that those local
templates look like users but they do not have authentication
Hi Ivan
The goal is for ACS to be able to control this otherwise I can argue what's the
point in using ACS at all?
There are attributes which are supposed to be working for which I don't
understand technically why they are not, i.e. allowed-commands (check the link)
> On 14 Apr 2015, at 10:4
Hi Sukhjit,
Why don't you use local template accounts to accomplish that?
http://www.juniper.net/documentation/en_US/junos13.3/topics/task/configuration/authentication-user-local-template-account-configuring.html
ACS should be able to push 'local-username' attribute via tacacs+.
HTH,
Ivan,
On
Yeah, I've used this too and depending on the local profile it shows what I
expect it to, but what it doesn't show is minus the ACS attributes if at all I
would see that here...
I think a deeper packet inspection can identify what the messages are saying,
will try to do that at some point
Hi Chris
thanks for the reply, actually I did not see any user file in /var/tmp
whilst logged-in I'm running vSRX firefly 12.1X47-D10.4
On Mon, Apr 13, 2015 at 4:07 PM, Chris Morrow
wrote:
>
>
> On 04/13/2015 11:01 AM, Eduardo Barrios wrote:
> > When I tested this a while back I could not get th
>
>
> -Original Message-
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf
> Of Sukhjit Hayre
> Sent: Sunday, April 12, 2015 7:10 PM
> To: juniper-nsp@puck.nether.net
> Subject: [External] [j-nsp] Junip
On 04/13/2015 11:01 AM, Eduardo Barrios wrote:
> When I tested this a while back I could not get the "allow-commands"
> attribute to work. The deny-commands attribute does work however. So
> our ACS shell-profile read only group we had to start with a junos
> login with a super-user class then us
er.net] On Behalf Of
Sukhjit Hayre
Sent: Sunday, April 12, 2015 7:10 PM
To: juniper-nsp@puck.nether.net
Subject: [External] [j-nsp] Juniper authorization with tacacs+
Hi all,
having been through multiple threads, i.e.
http://www.gossamer-threads.com/lists/nsp/juniper/9764#9764
I cannot find a way f
Hi all,
having been through multiple threads, i.e.
http://www.gossamer-threads.com/lists/nsp/juniper/9764#9764
I cannot find a way for Cisco ACS and SRX cluster to allow an account to
have certain privileges
Cisco advise they support the following Juniper attributes for TACACS+:
allow-commands