Configuring a TACACS+ Server for Authentication and Authorization
Junos Space Network Management Platform supports authentication and authorization of users from one or more TACACS+ servers. (A combination of TACACS+ and RADIUS servers is also supported.) If you configure multiple servers, they will be tried during authentication in the order listed in the user interface. If the first server accessed is not reachable or there is a shared-secret mismatch, the next one is tried. To understand login behavior with remote authentication enabled, see the Junos Space Login Behavior with Remote Authentication Enabled topic.
Before you authenticate and authorize users to log into Junos Space Platform by using the TACACS+ server, you must make sure that:
You create and configure the TACACS+ remote authentication server in Junos Space Platform (see Creating a Remote Authentication Server).
You create the remote profiles required for authorizing the users in Junos Space Platform (see Creating a Remote Profile).
You create user accounts by using the Role Based Access Control workspace in Junos Space Platform if you want to permit remote authentication and local authorization (see Creating Users in Junos Space Network Management Platform).
Authorization data in the TACACS+ server are stored as attribute-value pairs (AVPs). The AVP contains the name of the remote profile. Therefore, you must configure users in the TACACS+ server with the AVPs corresponding to the remote profiles created in the Junos Space server to represent the user’s roles.
When Junos Space Network Management Platform queries the TACACS+ server for user authorization, the TACACS+ server’s junosspace-exec service returns the remote profile name for that user. Junos Space Network Management Platform determines the user’s role or roles from this response.
To assign roles to the user using the remote profile name, you can configure the network-management-profiles AVP for the junosspace-exec service on the TACACS+ server.
The following example shows how configuration information can be added to the TACACS+ server to assign a remote profile to a user:
user = guestuser {
    pap = cleartext "<password>"
    service = junosspace-exec {
        network-management-profiles = guest_profile
    }
}
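The following added example (not Juniper's code) models how the authorization reply for the junosspace-exec service is turned into Junos Space roles: it parses the TACACS+ argument strings ("attr=value" is mandatory, "attr*value" optional, per the protocol), reads the network-management-profiles AVP, and looks the profile name up in a constructed table of remote profiles. The profile-to-roles table, the sample reply and the fail-closed handling of an unknown or missing profile are assumptions made for the example.

```python
"""Model of how a junosspace-exec authorization reply maps to Junos Space roles.

Added example, not Juniper's code. Argument strings follow the TACACS+ wire
format: "attr=value" is a mandatory argument, "attr*value" an optional one.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: remote profiles created in Junos Space and the roles
# each one grants (the real mapping lives in the Junos Space server).
REMOTE_PROFILES: Dict[str, List[str]] = {
    "guest_profile": ["Read Only"],
    "netops_profile": ["Device Manager", "Job Manager"],
}

# Constructed sample reply for user guestuser, matching the server stanza above.
SAMPLE_REPLY: List[str] = ["network-management-profiles=guest_profile"]


def parse_avp(arg: str) -> Tuple[str, str, bool]:
    """Split one argument into (attribute, value, mandatory).

    Only the first '=' or '*' is the separator; a value may contain either
    character, so later occurrences are left untouched.
    """
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError(f"malformed AVP (no separator): {arg!r}")


def profile_from_reply(args: List[str]) -> Optional[str]:
    """Return the network-management-profiles value, or None if absent/empty."""
    for attr, value, _mandatory in (parse_avp(a) for a in args):
        if attr == "network-management-profiles" and value:
            return value
    return None


def resolve_roles(args: List[str]) -> List[str]:
    """Map a reply to roles; an unknown or missing profile grants no roles (fail closed)."""
    profile = profile_from_reply(args)
    if profile is None or profile not in REMOTE_PROFILES:
        return []
    return list(REMOTE_PROFILES[profile])


if __name__ == "__main__":
    print(resolve_roles(SAMPLE_REPLY))
```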
For more information about configuring the AVP and assigning a Junos Space remote profile to a user in the TACACS+ server, see the TACACS+ server documentation.