TACACS+ (tac_plus) with Juniper SRX

By | October 11, 2015

This post shows how to configure a TACACS+ server for system authentication in Juniper SRX with open source tac_plus software.

Juniper SRX configuration
Connect to SRX and enter configure mode
root@SRX-FW% cli
root@SRX-FW> configure
warning: Clustering enabled; using private edit
warning: uncommitted changes will be discarded on exit
Entering configuration mode{primary:node1}[edit]

Add a new TACACS+ server and set its IP address.
root@SRX-FW#set tacplus-server address

Specify the shared secret (password) of the TACACS+ server.
root@SRX-FW#set tacplus-server secret Tacacssecret1

Specify the device’s loopback address as the source address.
root@SRX-FW#set tacplus-server source-address

Set for single connection authentication
root@SRX-FW#set tacplus-server single-connection

Set authentication order
root@SRX-FW# set system authentication-order tacplus
root@SRX-FW# set system authentication-order password

Set accounting logging
root@SRX-FW# set system accounting events login
root@SRX-FW#set system accounting events change-log
root@SRX-FW#set system accounting events interactive-commands
root@SRX-FW#set system accounting destination tacplus

Verify configuration
root@SRX-FW# show system tacplus-server
root@SRX-FW# show system accounting

tac_plus configuration
key = Tacacssecret1
group = srx {
service = junos-exec
local-user-name = root

user = srxadmin {
default service = permit
login = file /etc/passwd
member = srx

Incoming search terms:

  • logs tacacs & srx
  • tacacs accounting bme0 interface juniper