Summary:
Today I found myself in a situation where I had to add some Juniper switches (EX4200s and EX4500s) to our TACACS+ server. For the switches where the remote-access IP was configured on the management interface (me0), or on any other interface reachable from the global routing table (inet.0), I didn't face any issues.
However, for switches where the operation and maintenance IP was configured within a routing instance, I had issues, because there is no routing-instance-specific configuration for TACACS+:
the TACACS+ server has to be reachable from the global routing table.
Problem or Goal:
Configuring TACACS+ on a switch with routing instances and VRFs
Cause:
The TACACS+ server has to be reachable from the global routing table.
Solution:
Instead of using routed VLAN interfaces or regular interfaces bound to a routing instance, use the management interface (me0).
Juniper switches have an interface dedicated to management; it is handled by the control plane and is intended for out-of-band management.
Example:
If you have Virtual Chassis enabled:
set interfaces vme unit 0 family inet address 10.172.2.2/24
If you are working on a single switch without Virtual Chassis:
set interfaces me0 unit 0 family inet address 10.172.2.2/24
You will need to connect the MGT interfaces to your LAN.
You also need to add this part of the configuration to the switch, adjusted to your TACACS+ server details:
set system login user remote full-name "Tacacs+ System User"
set system login user remote uid xxxx
set system login user remote class super-user
set system authentication-order tacplus
set system authentication-order password
set system tacplus-server 10.0.X.X port 49
set system tacplus-server 10.0.X.X secret tacacs_secret_key
set system tacplus-server 10.0.X.X single-connection
set system tacplus-server 10.0.X.X source-address 10.172.2.2
set system accounting events [ change-log interactive-commands login ] destination tacplus server 10.0.X.X
Don't forget to create a fallback local login in case TACACS+ is offline:
set system login user admin uid xxxx
set system login user admin class super-user
set system login user admin authentication plain-text-password
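As an added check that is not part of this post: a small Python audit of a set-style Junos configuration export that flags the exact situation described above (the tacplus source address sitting on an interface inside a routing instance) and also verifies the other pieces of the recipe: tacplus before password in the authentication order, a local fallback user, and accounting sent to the TACACS+ server. The interface names, addresses and user names in the two samples are constructed.

```python
import re

# Constructed samples in the "set" style used above. GOOD_CONFIG follows the recipe
# (source on me0, local fallback, accounting); BAD_CONFIG sources the TACACS+
# traffic from an IRB that lives inside a routing instance, the failing case.
GOOD_CONFIG = """
set interfaces me0 unit 0 family inet address 10.172.2.2/24
set interfaces irb unit 100 family inet address 10.50.0.1/24
set routing-instances OAM interface irb.100
set system login user remote class super-user
set system login user admin class super-user
set system login user admin authentication encrypted-password "$6$PLACEHOLDER"
set system authentication-order [ tacplus password ]
set system tacplus-server 10.0.0.5 port 49
set system tacplus-server 10.0.0.5 source-address 10.172.2.2
set system accounting events [ change-log interactive-commands login ] destination tacplus server 10.0.0.5
"""
BAD_CONFIG = GOOD_CONFIG.replace("source-address 10.172.2.2", "source-address 10.50.0.1")

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address ([\d.]+)/\d+$")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
SRC_RE = re.compile(r"^set system tacplus-server (\S+) source-address ([\d.]+)$")
USER_AUTH_RE = re.compile(r"^set system login user (?!remote )\S+ authentication ")


def audit_tacplus(config_text):
    """Return findings against the recipe above; an empty list means the config passes."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip().startswith("set ")]
    addr_to_ifl, ifl_to_ri, sources, order, findings = {}, {}, {}, [], []
    for line in lines:
        if m := ADDR_RE.match(line):
            addr_to_ifl[m.group(3)] = f"{m.group(1)}.{m.group(2)}"  # 10.172.2.2 -> me0.0
        elif m := RI_RE.match(line):
            ifl_to_ri[m.group(2)] = m.group(1)                       # irb.100 -> OAM
        elif m := SRC_RE.match(line):
            sources[m.group(1)] = m.group(2)                         # server -> source address
        elif line.startswith("set system authentication-order "):   # bracketed or one-per-line form
            order += line.split("authentication-order", 1)[1].replace("[", "").replace("]", "").split()
    servers = {l.split()[3] for l in lines if l.startswith("set system tacplus-server ")}
    for server in sorted(servers):
        src = sources.get(server)
        ifl = addr_to_ifl.get(src)
        if ifl is None:
            findings.append(f"{server}: source-address missing or not configured on any interface")
        elif ifl in ifl_to_ri:  # the failure mode in this post: server unreachable from inet.0
            findings.append(f"{server}: source {src} ({ifl}) is in routing-instance {ifl_to_ri[ifl]}, not inet.0")
        elif not ifl.startswith(("me0.", "vme.")):
            findings.append(f"{server}: source {src} is on {ifl}, not the management interface")
    if order[:1] != ["tacplus"] or "password" not in order:
        findings.append(f"authentication-order {order} should be tacplus followed by password")
    if not any(USER_AUTH_RE.match(l) for l in lines):
        findings.append("no local fallback user with a password for when TACACS+ is offline")
    if not any(l.startswith("set system accounting ") and "destination tacplus" in l for l in lines):
        findings.append("no accounting destination tacplus")
    return findings
```

Feed it the output of `show configuration | display set` from the switch; the same checks work with the two-line authentication-order form used above.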
Problem Solved?
Yes