Problem
You want to use a TACACS+ server to authenticate people who log in to the router.
Solution
Configure information about your TACACS+ server:
    [edit system]
    aviva@router1# set tacacs-server 192.168.62.10 secret $1991poppI
    aviva@router1# show
    tacacs-server {
        192.168.62.10 secret "$9$90m6AO1EcyKWLhcYgaZji"; ## SECRET-DATA
    }
Discussion
TACACS+ is a newer version of the TACACS authentication software. Like RADIUS, TACACS+ uses a client/server model, with the router being the client. All transactions between the server and the client are authenticated by a shared secret.
The JUNOS configuration for TACACS+ is almost identical to that for RADIUS. You set the IP address of your TACACS+ server and the password (secret) that the router should use to access the server. The secrets on the router and the server must match. For redundancy, you can configure multiple servers.
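The following configuration fragment is an added example, not part of the original recipe, showing two servers configured for redundancy together with the authentication-order statement that tells the router to consult TACACS+ at login. The second server address, the timeout value, and the secret placeholders are assumptions made for illustration.

```junos
## Added example: constructed values, not from the original recipe.
system {
    ## Consult TACACS+ first; the local password database stays in the order.
    authentication-order [ tacplus password ];
    tacacs-server {
        ## Servers are tried in the order in which they are listed.
        192.168.62.10 {
            secret "<shared-secret>"; ## placeholder; must match the server
            timeout 5;                ## seconds to wait for a reply (assumed value)
        }
        192.168.62.11 {               ## second server address is an assumption
            secret "<shared-secret>"; ## placeholder; must match the server
            timeout 5;
        }
    }
}
```

Keep a local account with a strong password on the router so that you can still log in when neither server is reachable.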
There are also JUNOS-specific TACACS+ attributes that you can configure on the TACACS+ server. These attributes are named local-user-name, allow-commands, deny-commands, allow-configuration, and deny-configuration and have the same description, length, and string as the parallel RADIUS attributes (see Table 2-2).