Hi Tom,

Thanks for the reply. I was expecting that adding a user and password on the TACACS server and adding the server-related parameters on the device would be enough, as on Cisco. Why should I configure a user on the router itself?!
BR,
Mohammad

On Sun, Sep 16, 2012 at 6:02 PM, Tom Storey <[email protected]> wrote:
> FWIW here is my TACACs and related config. You need a little bit more
> than just the tacplus-server stanza itself, e.g. the "remote" user.
>
> system {
>     authentication-order [ tacplus password ];
>     tacplus-server {
>         172.25.150.26 {
>             secret "..."; ## SECRET-DATA
>             timeout 5;
>             source-address 172.25.150.1;
>         }
>     }
>     accounting {
>         events [ login change-log interactive-commands ];
>         destination {
>             tacplus;
>         }
>     }
>     login {
>         class rescue {
>             idle-timeout 30;
>             permissions all;
>         }
>         user remote {
>             full-name "Remote user template";
>             uid 2002;
>             class rescue;
>         }
>         user rescue {
>             full-name "Rescue account";
>             uid 2000;
>             class rescue;
>             authentication {
>                 encrypted-password "...."; ## SECRET-DATA
>             }
>         }
>     }
> }
>
> Something like the "rescue" user is probably also a good idea; if your
> TACACs server is ever unreachable you will want a "back door" to log
> in with.
>
> Tom
>
>
> On 16 September 2012 15:38, Tom Storey <[email protected]> wrote:
> > When you set the password on the Juniper, did you by any chance
> > enclose the password text in "", e.g. "password"?
> >
> > If you did, the "" is encoded as part of the password, rather than
> > suggesting "everything inside quotes is the password" like it does
> > with other things (like interface descriptions).
> >
> > I hit that little doozy when I was configuring TACACs for the first
> > time, so thought I'd throw it out there.
> >
> > Tom
> >
> >
> > On 16 September 2012 14:49, Mohammad Khalil <[email protected]> wrote:
> >> Hi all,
> >> I have an MX240, I want to configure TACACS authentication:
> >> set system authentication-order tacplus
> >> set system tacplus-server x.x.x.x port 49 single-connection secret juniper
> >> source-address y.y.y.y
> >>
> >> Of course the server is reachable from the device.
> >> I see in the log messages:
> >> Failed password for mkhalil from 109.107.128.104 port 43262 ssh2
> >>
> >> Is there anything missing?
> >>
> >> BR,
> >> Mohammad
> >> _______________________________________________
> >> juniper-nsp mailing list [email protected]
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
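Added example, not from the thread and not Juniper's own tooling: a small Python audit that parses a Junos `system` stanza (a constructed sample modelled on Tom's layout, with a placeholder address and secrets) and reports which of the pieces discussed above are missing: the local `password` fallback in `authentication-order`, the `remote` template user, and a local user with its own password for when the TACACS+ server is unreachable. The parser is a deliberately minimal brace-config reader, not a full Junos grammar.

```python
# Added example, not from the thread; addresses and secrets are constructed placeholders.
GOOD_CONFIG = """\
system {
    authentication-order [ tacplus password ];
    tacplus-server {
        192.0.2.10 {
            secret "PLACEHOLDER"; ## SECRET-DATA
        }
    }
    login {
        user remote {
            class rescue;
        }
        user rescue {
            class rescue;
            authentication {
                encrypted-password "PLACEHOLDER"; ## SECRET-DATA
            }
        }
    }
}
"""

def parse_junos(text):
    stack = [{}]  # tiny brace-config parser: stanzas become nested dicts, "leaf value;" a key
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop "## SECRET-DATA" annotations
        if line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            stack[-1][key] = value.strip()
    return stack[0]

def audit_aaa(cfg):
    findings, system = [], cfg.get("system", {})  # empty list = every piece from the thread is present
    methods = system.get("authentication-order", "").strip("[] ").split()
    for method in ("tacplus", "password"):
        if method not in methods:
            findings.append(f"authentication-order lacks {method}")
    login = system.get("login", {})
    if "user remote" not in login:
        findings.append("no 'remote' template user for TACACS+ logins")
    if not any(k.startswith("user ") and "authentication" in v for k, v in login.items()):
        findings.append("no local user with a password (no rescue login if TACACS+ is down)")
    return findings
```

Feeding it the original poster's two `set` commands rendered as a stanza (no `password` fallback, no `login` stanza) produces three findings, matching what Tom's reply adds.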

