I’m sure someone has already documented this somewhere, but here are my usual breadcrumbs. After poring through Juniper’s thorough, yet scattered, documentation I finally got my SRX talking to Windows AD via TACACS+.

I decided to go with TACACS.net, a free (not as in beer, though) command-line-oriented service that runs on Windows. It’s a very nice program, and really cool that it can be downloaded for free. They charge for support, so I guess that’s how they keep the lights on.

  1. Install TACACS.net on a domain controller and configure the software using the XML config files per the docs on the TACACS.net website. The three main config files are:
    <?xml version="1.0" encoding="utf-8"?>
    <!-- Version 1.2 -->
    <!-- authentication.xml: how users are authenticated; this group is checked against AD over LDAP -->
    <Authentication xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <UserGroups>
        <UserGroup>
          <Name>network-admins</Name>
          <AuthenticationType>Windows_Domain</AuthenticationType>
          <LDAPServer>127.0.0.1:389</LDAPServer>
          <LDAPUserDirectorySubtree>OU=InfoTech,dc=example,dc=com</LDAPUserDirectorySubtree>
          <LDAPGroupName>IT</LDAPGroupName>
          <LDAPAccessUserName>binduser</LDAPAccessUserName>
          <LDAPAccessUserPassword ClearText="monkey" DES=""></LDAPAccessUserPassword>
        </UserGroup>
      </UserGroups>
    </Authentication>

    <?xml version="1.0" encoding="utf-8"?>
    <!-- Version 1.2 -->
    <!-- authorization.xml: what an authenticated user group may do on a given client group -->
    <Authorizations xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <Authorizations>
        <Authorization>
          <UserGroups>
            <UserGroup>network-admins</UserGroup>
          </UserGroups>
          <ClientGroups>
            <ClientGroup>CoreRouters</ClientGroup>
          </ClientGroups>
          <Shell>
            <Permit>.*show.*</Permit> <!-- This will allow all show commands -->
            <Deny>.*</Deny>           <!-- This will deny all other commands -->
          </Shell>
          <Services>
            <Service>
              <Set>service=junos-exec</Set>
              <Set>local-user-name=network-admins</Set> <!-- This is a template user on the SRX -->
            </Service>
          </Services>
        </Authorization>
      </Authorizations>
    </Authorizations>

    Juniper’s own documentation was helpful for getting started, but Juniper KB17269 gives much more lucid specifics on setting up TACACS+. Also of note is the <Services> section of this file, which is where you specify the vendor-specific attributes (VSAs); getting those right is crucial for this to work with the SRX.

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Version 1.2 -->
    <!-- clients.xml: This is the configuration file for TACACS+ clients. A TACACS+ client, as defined by the RFC, is the client that is
     making a request to the TACACS+ server such as a router, switch, or firewall -->
    <Clients xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <ClientGroups>
        <ClientGroup Name="CoreRouters">
          <Secret ClearText="shh-dont-tell" DES=""> </Secret>
          <Clients>
            <Client>10.6.10.1</Client>
          </Clients>
        </ClientGroup>
        <ClientGroup Name="LOCALHOST"> <!-- This ClientGroup is just for testing; note the attribute is Name, XML is case-sensitive -->
          <Secret ClearText="monkey" DES=""> </Secret>
          <Clients>
            <Client>10.6.15.49</Client>
          </Clients>
        </ClientGroup>
      </ClientGroups>
    </Clients>

    After getting everything working, you can use the handy-dandy TACDES command-line tool to create DES-encrypted versions of the secrets and store those in the DES attributes instead of the ClearText ones.

  2. Now we need to set up TACACS+ on the SRX, which takes just a few configuration lines:
    set system authentication-order [ password tacplus ]
    set system tacplus-server 10.6.15.49 secret shh-dont-tell
    set system tacplus-server source-address 10.6.10.1
    set system login user network-admins class super-user

And that’s pretty much it for a basic TACACS+ setup that lets you log in to your SRX with your AD credentials.
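A consistency check for the setup above, added here as an example and not part of the original post or of TACACS.net: it parses the three XML files and the Junos set lines and flags a ClientGroup whose attribute is spelled NAME instead of Name, a secret still stored in ClearText, a group that authorization.xml references but the other files never define, and an SRX secret or source-address that does not line up with clients.xml. The sample fragments are constructed and deliberately contain those slips.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragments mirroring the three TACACS.net files and the Junos lines above.
AUTHENTICATION_XML = ('<Authentication><UserGroups><UserGroup><Name>network-admins</Name>'
                      '</UserGroup></UserGroups></Authentication>')
AUTHORIZATION_XML = """<Authorizations><Authorizations><Authorization><UserGroups><UserGroup>network-admins</UserGroup>
</UserGroups><ClientGroups><ClientGroup>CoreRouters</ClientGroup></ClientGroups>
</Authorization></Authorizations></Authorizations>"""
CLIENTS_XML = """<Clients><ClientGroups>
<ClientGroup Name="CoreRouters"><Secret ClearText="shh-dont-tell" DES=""> </Secret>
<Clients><Client>10.6.10.1</Client></Clients></ClientGroup>
<ClientGroup NAME="LOCALHOST"><Secret ClearText="monkey" DES=""> </Secret>
<Clients><Client>10.6.15.49</Client></Clients></ClientGroup>
</ClientGroups></Clients>"""
JUNOS_CONFIG = """set system tacplus-server 10.6.15.49 secret ssh-dont-tell
set system tacplus-server source-address 10.6.10.1"""

def check_config(authentication_xml, authorization_xml, clients_xml, junos_config):
    """Return a list of findings; an empty list means the four pieces agree."""
    findings = []
    user_groups = {n.text.strip() for n in ET.fromstring(authentication_xml).iter("Name")}
    client_groups = {}
    for cg in ET.fromstring(clients_xml).iter("ClientGroup"):
        name = cg.get("Name")
        if name is None:  # XML attributes are case-sensitive, so NAME= is not Name=
            findings.append(f"ClientGroup without a 'Name' attribute (has {list(cg.attrib)})")
            continue
        clear = cg.find("Secret").get("ClearText", "")  # each group carries one <Secret>
        if clear:
            findings.append(f"ClientGroup {name}: secret is ClearText; convert it with TACDES")
        client_groups[name] = (clear, [c.text.strip() for c in cg.iter("Client")])
    # Every group an authorization rule names must exist in the other two files.
    for rule in ET.fromstring(authorization_xml).iter("Authorization"):
        for ug in rule.iter("UserGroup"):
            if ug.text.strip() not in user_groups:
                findings.append(f"rule references undefined UserGroup {ug.text.strip()}")
        for cg in rule.iter("ClientGroup"):
            if cg.text.strip() not in client_groups:
                findings.append(f"rule references undefined ClientGroup {cg.text.strip()}")
    # The SRX side: its source-address must be a listed Client and its secret must match.
    src = re.search(r"tacplus-server source-address (\S+)", junos_config)
    sec = re.search(r"tacplus-server \S+ secret (\S+)", junos_config)
    if src and sec:
        owners = [g for g in client_groups.values() if src.group(1) in g[1]]
        if not owners:
            findings.append(f"SRX source-address {src.group(1)} is not a configured Client")
        elif all(clear and clear != sec.group(1) for clear, _ in owners):
            findings.append("SRX shared secret does not match the ClientGroup secret")
    return findings
```

Run it against the real files (read them from the TACACS.net config directory and paste the `show configuration system | display set` output) before restarting the service; a mismatched secret or an unrecognised client shows up as a silent authentication failure on the SRX otherwise.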

Configuring TACACS+ on Juniper SRX and Windows Active Directory