Juniper Tacacs & Rancid

Sunday, June 14th, 2009

A short howto on configuring Tacacs+ and Rancid for Juniper.

Download Tacacs+ from ftp://ftp.shrubbery.net/pub/tac_plus/; you will also need tcp_wrappers for tac_plus to work.

Install tcp_wrappers and tacacs

yum install -y tcp_wrappers
yum install -y tcp_wrappers-devel
yum install -y tcp_wrappers-libs
Download ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.15.tar.gz
tar zxvf tacacs+-F4.0.4.15.tar.gz
cd tacacs+-F4.0.4.15
./configure
make
make install

Setup tacacs.conf

key = "secretkey"
accounting file = /var/log/tac_plus
acl = HomeNet {
    permit = 10.2.2.1
}
user = rancid {
    default service = permit
    login = cleartext mypass
    enable = cleartext mypass
    service = junos-exec {
        local-user-name = operations
    }
}
user = giany {
    default service = permit
    login = cleartext mypass
    enable = cleartext mypass
    service = junos-exec {
        local-user-name = operations
    }
}

Configure Juniper Tacacs

set system authentication-order [ tacplus password ]

set system tacplus-server 10.2.2.1 secret secretkey
set system accounting events login
set system accounting events interactive-commands
set system accounting destination tacplus
set system login class network permissions network
set system login class network permissions view
set system login user operations full-name "Users with Full Access"
set system login user operations uid 9999
set system login user operations class super-user
set system login user operations authentication encrypted-password "xxx"
set system login user restricted full-name "Restricted"
set system login user restricted uid 2000
set system login user restricted class read-only
set system login user restricted authentication encrypted-password "xxx"

RANCID

# adduser rancid
Download ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.1.tar.gz
# tar zxvf rancid-2.3.1.tar.gz
# cd rancid-2.3.1
# ./configure --prefix=/home/rancid
# su - rancid
# set CVSROOT /home/rancid/var/CVS
# cvs init
# rancid-cvs

.cloginrc

add method 10.2.2.2 ssh

add method 10.100.100.1 ssh
add user olive rancid
add user cisco rancid
add password olive {mypass} {mypass}
add password cisco {mypass} {mypass}

Debug

[rancid@box ~]$ clogin cisco
cisco
spawn ssh -c 3des -x -l rancid cisco
rancid@cisco's password:
Corp:2>enable
Password:
Corp:2#

[rancid@box ~]$ jlogin olive
olive
spawn ssh -c 3des -x -l rancid olive

WARNING: You are being watched.
rancid@olive's password:
--- JUNOS 7.4R2.6 built 2006-01-20 14:27:46 UTC
rancid@olive.x83.net>

# tail -f /var/log/tac_plus

Mon Aug 4 16:20:37 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=263 process*mgd[7038] cmd=logout
Mon Aug 4 16:26:15 2008 10.100.100.1 rancid tty2 10.100.100.100 start task_id=58 timezone=UTC service=shell
Mon Aug 4 16:26:43 2008 10.100.100.1 rancid tty2 10.100.100.100 stop task_id=58 timezone=UTC service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=28 nas-rx-speed=0 nas-tx-speed=0
Mon Aug 4 16:26:56 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7045] cmd=login
Mon Aug 4 16:27:03 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=8 process*mgd[7045] cmd=logout
Mon Aug 4 16:27:15 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7049] cmd=login
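As an added example (not from the original post), a small Python parser for the tac_plus accounting records shown above: it splits each line into the fixed fields plus the attribute=value pairs, pairs JunOS/IOS start and stop records by task_id, and reports sessions that have a start but no stop, which is what you would look for when checking that accounting is actually reaching the server. The sample records are constructed, modelled on the lines above.

```python
import re

# Constructed sample records modelled on the tac_plus lines above; the last session has no stop record
SAMPLE_LOG = """\
Mon Aug 4 16:26:56 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7045] cmd=login
Mon Aug 4 16:27:03 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=8 process*mgd[7045] cmd=logout
Mon Aug 4 16:26:15 2008 10.100.100.1 rancid tty2 10.100.100.100 start task_id=58 timezone=UTC service=shell
Mon Aug 4 16:26:43 2008 10.100.100.1 rancid tty2 10.100.100.100 stop task_id=58 timezone=UTC service=shell disc-cause=1 elapsed_time=28
Mon Aug 4 16:30:00 2008 10.2.2.2 giany ttyp1 olive.x83.net start task_id=2 service=shell process*mgd[7100] cmd=login
"""

# tac_plus accounting layout: timestamp, NAS address, user, port, remote address, start|stop|update, then attribute=value pairs
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"(?P<nas>\S+) (?P<user>\S+) (?P<port>\S+) (?P<rem>\S+) "
    r"(?P<flag>start|stop|update) (?P<avs>.*)$"
)

def parse_record(line):
    """Return one accounting record as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    avs = {}
    for tok in rec.pop("avs").split():
        key, sep, val = tok.partition("=")
        if sep:
            avs[key] = val
        elif "*" in tok:          # JunOS process tag, e.g. process*mgd[7045]
            avs["process"] = tok
    rec["avs"] = avs
    return rec

def parse_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r]

def session_report(records):
    """Pair start/stop records by (nas, user, port, task_id); return all sessions and the keys still open."""
    sessions = {}
    for r in records:
        key = (r["nas"], r["user"], r["port"], r["avs"].get("task_id"))
        s = sessions.setdefault(key, {"start": None, "stop": None, "elapsed": None})
        if r["flag"] == "start":
            s["start"] = r["ts"]
        elif r["flag"] == "stop":
            s["stop"] = r["ts"]
            s["elapsed"] = int(r["avs"].get("elapsed_time", 0))
    open_sessions = [k for k, s in sessions.items() if s["start"] and not s["stop"]]
    return sessions, open_sessions
```

Run it over the real file with `session_report(parse_log(open("/var/log/tac_plus").read()))`; a session that stays open long after the idle-timeout below should have fired is worth a closer look.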

Set idle-timeout so that an inactive user is disconnected after a while (value in minutes):

login {
    class admin {
        idle-timeout 4;
        permissions all;
    }
    user test {
        class admin;
    }
}

On the terminal you will get something like this:

test@br0> Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session
Connection closed by foreign host.