TACACS+ (tac_plus) with Juniper SRX

This post shows how to configure a TACACS+ server for system authentication in Juniper SRX with open source tac_plus software.

Juniper SRX configuration
Connect to SRX and enter configure mode
[email protected]% cli
[email protected]> configure
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode{primary:node1}[edit]
[email protected]#

Add a new TACACS+ server and set its IP address.
[email protected]#set tacplus-server address

Specify the shared secret (password) of the TACACS+ server.
[email protected]#set tacplus-server secret Tacacssecret1

Specify the device’s loopback address as the source address.
[email protected]#set tacplus-server source-address

Set for single connection authentication
[email protected]#set tacplus-server single-connection

Set authentication order
[email protected]# set system authentication-order tacplus
[email protected]# set system authentication-order password

Set accounting logging
[email protected]# set system accounting events login
[email protected]#set system accounting events change-log
[email protected]#set system accounting events interactive-commands
[email protected]#set system accounting destination tacplus

Verify configuration
[email protected]# show system tacplus-server
[email protected]# show system accounting

tac_plus configuration
key = Tacacssecret1
group = srx {
service = junos-exec
local-user-name = root

user = srxadmin {
default service = permit
login = file /etc/passwd
member = srx

Incoming search terms:

  • juniper tacacs
  • aaa srx
  • how to login as tacacs in junos
  • juniper srx configuration
  • srx aaa
  • tacacs with juniper switch
  • Kent

    For Cisco we can configure
    aaa authentication login default local

    How can it be done on Juniper SRX?

    • h4irul

      You just change the authentication order from this cli (or webui)

      [email protected]# set system authentication-order tacplus
      [email protected]# set system authentication-order password

      above command will set the authentication to use tacacs before failing over to local id.