TACACS+ (tac_plus) with Juniper SRX

This post shows how to configure a TACACS+ server for system authentication in Juniper SRX with open source tac_plus software.

Juniper SRX configuration
Connect to SRX and enter configure mode
root@SRX-FW% cli
{primary:node1}
root@SRX-FW> configure
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode{primary:node1}[edit]
root@SRX-FW#

Add a new TACACS+ server and set its IP address.
root@SRX-FW#set tacplus-server address 172.16.98.24

Specify the shared secret (password) of the TACACS+ server.
root@SRX-FW#set tacplus-server 172.16.98.24 secret Tacacssecret1

Specify the device’s loopback address as the source address.
root@SRX-FW#set tacplus-server 172.16.98.24 source-address 10.0.0.1

Set for single connection authentication
root@SRX-FW#set tacplus-server 172.16.98.24 single-connection

Set authentication order
root@SRX-FW# set system authentication-order tacplus
root@SRX-FW# set system authentication-order password

Set accounting logging
root@SRX-FW# set system accounting events login
root@SRX-FW#set system accounting events change-log
root@SRX-FW#set system accounting events interactive-commands
root@SRX-FW#set system accounting destination tacplus

Verify configuration
root@SRX-FW# show system tacplus-server
root@SRX-FW# show system accounting

tac_plus configuration
key = Tacacssecret1
group = srx {
service = junos-exec
{
local-user-name = root
}
}

user = srxadmin {
default service = permit
login = file /etc/passwd
member = srx
}

Incoming search terms:

  • juniper tacacs
  • juniper SRX tacacs configuration
  • Kent

    For Cisco we can configure
    aaa authentication login default local

    How can it be done on Juniper SRX?

    • h4irul

      You just change the authentication order from this cli (or webui)

      root@SRX-FW# set system authentication-order tacplus
      root@SRX-FW# set system authentication-order password

      above command will set the authentication to use tacacs before failing over to local id.