
(SRX) How To Configure TACACS+ Authentication On SRX Platforms

This document describes how to configure TACACS+ authentication on SRX platforms in 3 steps: 1. Configure the SRX device to connect to the TACACS+ server and change the authentication order to use TACACS+ first. 2. Create a local user template that TACACS+ authenticated users can inherit privileges from, such as assigning them to the operator class. 3. Optionally map local user templates to TACACS+ user accounts to provide different privilege levels, such as assigning the super-user class.


8/16/22, 10:24 AM [SRX] How to configure TACACS+ authentication on SRX platforms


[SRX] How to configure TACACS+ authentication on SRX platforms

Article ID KB17269 Created 2010-04-28

Last Updated 2020-02-27

Description

This article provides information on how to set up the SRX platforms to use TACACS+ authentication.

Symptoms

Assuming that the TACACS+ authentication server is already deployed, the process is divided into three steps:

 
I. Configure the TACACS+ authentication on the SRX device.
II. Create a local user template for TACACS+ authenticated users to inherit the privileges from.
III. Map the local user template to the TACACS+ user accounts (optional).

Solution

Step I: Configure the TACACS+ authentication on the SRX device:

1. Gather the details of the TACACS+ authentication server (such as the IP address, port number, and key) and configure the SRX device to connect to it. For example, here is the command, which is required in the CLI configuration mode, to connect to a TACACS+ server with the IP address of 10.3.202.129 and secret of <password>:

set system tacplus-server 10.3.202.129 secret <password>

Note: For more options, such as specifying port number, source address, and so on, refer to Configuring TACACS+ Authentication.

2. Change the authentication order of the SRX device to use TACACS+ first:

set system authentication-order [ tacplus password ]

 
Step II: Create a local user template for the TACACS+ authenticated users to inherit the privileges from:

When you are using TACACS+ authentication, you can create single accounts for authorization purposes, which are shared by a set of users. You can create these accounts by using the remote and local user template accounts. When a user is using a template account, the command-line interface (CLI) username is the login name; however, the privileges, file ownership, and effective user ID are inherited from the template account.

A remote user template is defined by the remote user name under [system login]. A local user template can be of any name. The difference between a normal user account and a user template on the SRX device is that the user template does not have a password specified. By default, Junos OS uses remote template accounts for user authorization when:

The authenticated user does not exist locally on the router or switch.
The authenticated user's record in the authentication server specifies local user, but it does not exist locally on the router or switch.

https://supportportal.juniper.net/s/article/SRX-How-to-configure-TACACS-authentication-on-SRX-platforms?language=en_US

 
To configure the remote template account, include the user remote statement at the [edit system login] hierarchy level and specify the privileges which you want to grant to remote users:

[edit system login]
user remote {
    full-name "All remote users";
    uid uid-value;
    class class-name;
}

For example, to create the default remote account that maps to TACACS+ authenticated users and assign them to the operator class, type the following line in the configuration:

set system login user remote full-name "All remote users" uid 2012 class operator

 
Step III: Map the local user template to the TACACS+ user accounts (optional):

If you want to have more granularity for the privileges allowed for different subsets of TACACS+ users, you can define different local user templates on the SRX device and configure the TACACS+ server to return the vendor-specific attribute (local-user-name) with the matching user template name. For example, if you want to have two user templates, one for super-user privileges and the other for view-only, you can specify this in the configuration:

set system login user remote-super-users full-name "User template for remote super-users" uid 2013 class super-user

set system login user remote-read-only full-name "User template for remote read-only" uid 2014 class read-only

On the TACACS+ side, for example, if you want to give User1 super-user privileges and User2 read-only privileges, the TACACS+ configuration would look similar to the following one:

user = User1 {
    login = cleartext User1's_password
    service = junos-exec {
        local-user-name = remote-super-users
    }
}

user = User2 {
    login = cleartext User2's_password
    service = junos-exec {
        local-user-name = remote-read-only
    }
}

Example:

The following snippet is from the TACACS+ authentication configuration on both the SRX device and the TACACS+ server. It highlights the differences between the remote and local user template and how they relate to each other:

SRX  Configuration :

# Authentication order with TACACS+ first and the server details

set system authentication-order tacplus

set system authentication-order password

set system tacplus-server 10.3.202.129 secret <password>

# Remote user template mapped to pre-defined "operator" class

set system login user remote full-name "Default remote user template"

set system login user remote uid 100

set system login user remote class operator

# Local user template mapped to pre-defined "super-user" class

set system login user remote-su full-name "Remote users with super-user privileges"

set system login user remote-su uid 101

set system login user remote-su class super-user

TACACS+ Configuration:

# Secret used between the SRX device and TACACS+
key = <password>

# User1 is configured to inherit the default remote user template
# Therefore, the "local-user-name" attribute is not needed here
user = User1 {
    login = cleartext User1's_password
}

# User2 is set to inherit super-user privileges on the SRX device and is therefore
user = User2 {
    login = cleartext User2's_password
    service = junos-exec {
        local-user-name = remote-su
    }
}

Example of CLI authorization which uses the above configuration:

User1@router> show cli authorization

Current user: 'remote' login: 'User1' class 'operator'

Permissions:

clear -- Can clear learned network info

network -- Can access the network

reset -- Can reset/restart interfaces and daemons

trace -- Can view trace file settings

view -- Can view current values and statistics

Individual command authorization:

Allow regular expression: none


Deny regular expression: none

Allow configuration regular expression: none

Deny configuration regular expression: none

User2@router> show cli authorization

Current user: 'remote-su' login: 'User2' class 'super-user'

Permissions:

admin -- Can view user accounts

admin-control -- Can modify user accounts

clear -- Can clear learned network info

configure -- Can enter configuration mode

control -- Can modify any config

edit -- Can edit full files

field -- Can use field debug commands

floppy -- Can read and write the floppy

interface -- Can view interface configuration

interface-control -- Can modify interface configuration
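As an added consistency check covering Steps I to III together (this script is not from the KB article or from Juniper), the following Python code parses an SRX set-style configuration and a tac_plus-style user file, then verifies that every template name the TACACS+ server can return in local-user-name exists on the SRX as a template (a login without a password), that users for whom no attribute is returned have the default remote template to land on, and that tacplus is tried first in the authentication order. The two sample inputs are constructed from the article's example, and the parsing rules are assumptions that match the article's syntax only.

```python
import re
# Constructed sample input mirroring the article's example (not the page's own code).
SRX_CONFIG = """\
set system authentication-order tacplus
set system authentication-order password
set system tacplus-server 10.3.202.129 secret <password>
set system login user remote class operator
set system login user remote-su class super-user
"""
TACPLUS_CONFIG = """\
user = User1 {
    login = cleartext User1's_password
}
user = User2 {
    login = cleartext User2's_password
    service = junos-exec {
        local-user-name = remote-su
    }
}
"""

def parse_srx(text):
    """Return (authentication order, {login name: set of configured keywords})."""
    order, users = [], {}
    for line in text.splitlines():
        if m := re.match(r"set system authentication-order (\S+)", line):
            order.append(m.group(1))
        elif m := re.match(r"set system login user (\S+) (\S+)", line):
            users.setdefault(m.group(1), set()).add(m.group(2))
    return order, users

def parse_tacplus(text):
    """Map each TACACS+ user to the template it lands on ('remote' when none is returned)."""
    mapping = {}
    for name, body in re.findall(r"user\s*=\s*(\S+)\s*\{(.*?)\n\}", text, re.S):
        m = re.search(r"local-user-name\s*=\s*(\S+)", body)
        mapping[name] = m.group(1) if m else "remote"
    return mapping

def audit(srx_text, tac_text):
    """Return findings as strings; an empty list means both sides agree."""
    order, users = parse_srx(srx_text)
    findings = [] if order[:1] == ["tacplus"] else ["authentication-order does not try tacplus first"]
    for tac_user, template in parse_tacplus(tac_text).items():
        attrs = users.get(template)
        if attrs is None:
            findings.append(f"{tac_user}: template '{template}' is not defined on the SRX")
        elif "authentication" in attrs:  # a configured password makes it a normal account
            findings.append(f"{tac_user}: '{template}' has a password, so it is a normal account")
    return findings
```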


For more information, refer to the following links:

 
Configuring TACACS+ Authentication
Configuring Remote Template Accounts for User Authentication
Configuring Local User Template Accounts for User Authentication

Modification History
2020-02-20: Removed EOS J-series references

2020-02-19: minor non-technical edits; updated links.

Related Information
Configuring TACACS+ Authentication
