Cisco Secure Access Control Server for Windows

Shell Command Authorization on Juniper Router with ACS Configuration Example

Document ID: 110895

Updated: Sep 21, 2009



This document provides a sample configuration on Shell Command Authorization sets in Cisco Secure Access Control Server (ACS) for Juniper Router, a third party vendor, with TACACS+.

Refer to Setting Juniper RADIUS Parameters for a User in order to configure and enable Juniper RADIUS attributes to apply as an authorization for the current user.



This document assumes that the basic configurations are set in both AAA clients and ACS.

  1. In ACS, choose Interface Configuration > Advanced Options.

  2. Ensure that the Per-user TACACS+/RADIUS Attributes check box is checked.

Components Used

The information in this document is based on the Cisco Secure Access Control Server (ACS) that runs the software version 4.1.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Refer to the Cisco Technical Tips Conventions for more information on document conventions.


TACACS+ Configurations

Command authorization sets provide a central mechanism to control the authorization of each command that is issued on any given network device. This feature greatly enhances the scalability and manageability required to set authorization restrictions.

Juniper Command Authorization Sets require that the TACACS+ command authorization request identify the service as junos-exec.

In order to configure and enable Juniper attributes to apply as an authorization for the current user, complete these steps:

  1. Add the Juniper routers under Network Configuration > AAA clients > Add Entry with TACACS+ (CISCO IOS) as the authentication protocol and with the correct ip address where they source their requests and the matching shared-secret key.


  2. Choose Interface Configuration > TACACS+ (CISCO IOS). Under New Services, enable the junos-exec services either per user, per group or both. It is recommended to do this per user if you want to allow different values on a per user basis (X, Y, Z, XY).


  3. Go to the group/user setup and find this newly created service under TACACS+ settings. Check the option for junos-exec and the option for Custom Attributes. Enter the values of this service for each user per this image:


    For X user account you will need to enter the following attributes:
    local-user-name = sales 
    allow-commands = "configure" 
    deny-commands = "shutdown" 
    For Y user account you will need to enter:
    local-user-name = sales 
    allow-commands = "(request system) | (show rip neighbor)" 
    deny-commands = "<^clear" 
    For Z user acccount:
    local-user-name = engineering 
    allow-commands = "monitor | help | show | ping | traceroute" 
    deny-commands = "configure" 
    Finally, for XY user account:
    local-user-name = engineering 
    allow-commands = "show bgp neighbor" 
    deny-commands = "telnet | ssh"

Related Information

Updated: Sep 21, 2009
Document ID: 110895