Setting Up TACACS+ User Authentication

Problem

You want to use a TACACS+ server to authenticate people who log in to the router.

Solution

Configure information about your TACACS+ server:

[edit system]
aviva@router1# set tacacs-server 192.168.62.10 secret $1991poppI

aviva@router1# show
tacacs-server {
    192.168.62.10 secret "$9$90m6AO1EcyKWLhcYgaZji"; ## SECRET-DATA
}

Discussion

TACACS+ is a newer version of the older TACACS authentication software. Like RADIUS, TACACS+ uses a client/server model, with the router being the client. All transactions between the server and the client are authenticated by a shared secret.

The JUNOS configuration for TACACS+ is almost identical to that for RADIUS. You set the IP address of your TACACS+ server and the password (secret) that the router should use to access the server. The secrets on the router and the server must match. For redundancy, you can configure multiple servers.
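As an added example (not part of the original recipe), the following Python implements the TACACS+ pseudo-pad from RFC 8907 that router and server both derive from the shared secret, which is why the two secrets must match: with a different key on either side the packet body decodes to garbage. The session id, body bytes and packet layout below are constructed for illustration, and the TAC_PLUS_UNENCRYPTED_FLAG handling shows how a server or sensor can recognise a session whose body was sent in cleartext.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) header values used here
TAC_PLUS_VERSION = 0xC0              # major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # body sent in cleartext when set
HEADER_FMT = "!BBBBII"               # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n adds MD5_{n-1}.
    The digests are concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=TAC_PLUS_VERSION):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, session_id, key, seq_no=1, version=TAC_PLUS_VERSION):
    """Client side: header plus obfuscated body. An empty key models a client
    with no secret configured, which must set the unencrypted flag."""
    flags = 0
    if key:
        payload = obfuscate(body, session_id, key, seq_no, version)
    else:
        payload = body
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no,
                         flags, session_id, len(body))
    return header + payload


def parse_packet(packet, key):
    """Server side: return (flags, body) using the server's copy of the secret."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return flags, body                      # cleartext: nothing to undo
    return flags, obfuscate(body, session_id, key, seq_no, version)
```

A sensor that sees the unencrypted flag set on port 49 traffic has found a device talking TACACS+ without a shared secret, which is worth alerting on.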

There are also JUNOS-specific TACACS+ attributes that you can configure on the TACACS+ server. These attributes are named local-user-name, allow-commands, deny-commands, allow-configuration, and deny-configuration and have the same description, length, and string as the parallel RADIUS attributes (see Table 2-2).
