TACACS+ daemon and Junos

14 06 2017

Axians Professional Services normally recommends using RADIUS authentication to our customers, but one of our customers uses TACACS. We did some type-approval testing of a new Junos release for them recently and had to set up a TACACS+ daemon in the lab to make sure authentication still worked following the upgrade. Shrubbery very helpfully provide a TACACS+ implementation that you can download to a Linux host for this purpose, but the documentation on their website is a bit light, and what you find using Google is naturally somewhat Cisco-specific. So here are some notes on getting a basic setup going with Shrubbery’s tac_plus daemon and Junos. Maybe this will help someone else.



Issuing Junos Commands Using Ansible raw Module

26 10 2016

If you want to issue something quick on a lot of devices, you don’t need to write a whole Ansible playbook to do that.  In fact you don’t really need the Junos module installed.

Ansible expects there to be Python on the managed device.  As you can read in this PacketPushers blog, it pushes the module out to the device and tries to execute it there.  Junos is going to get on-box Python at some point, but right now that’s roadmap (or SOPD if you must).

Ansible and Junos Notes

18 10 2016

I’m working on a project to push out configs to Juniper devices and upgrade them if necessary. Ultimately it will be vendor-independent. In the first instance I thought about writing it all in Python, but there’s really no need because quite a lot of the legwork has already been done for you in the form of ‘PyEZ’ and the Junos Ansible core modules.

Juniper give you a few examples to get you started, but don’t really explain what each of the lines in the YAML file does; I guess they expect you to figure that out. Below are a few notes on things I discovered – perhaps obvious to some, but they might help someone else.

Freeradius setup on Ubuntu 14.04

22 01 2016

Frustrated with a dilapidated installation of Freeradius 1.x in our lab, and conscious that it is no longer supported, I decided to install a new Freeradius server.

Ubuntu 14.04.3 LTS is the platform I am installing it on, and this is a relatively fresh installation of Ubuntu server.   It needs to serve access-requests from a Redback and a Juniper router in our lab for both PPP and DHCP clients.


Suppressing contributors to an aggregate route

5 11 2014

This was a new one on me – in the past I have always advertised an aggregate route and then written policy to match the contributing routes so that they can be suppressed.  It turns out there’s an easier way to do this:


Protecting Junos config

23 09 2014

In the middle of a migration, and I just discovered the ability to protect parts of the Junos configuration from modification by other users. Could be quite useful!

root@VMX1# show system services
root@VMX1# protect interfaces
root@VMX1# show interfaces
## protect: interfaces
ge-0/0/0 {
    description "LINK TO VMX0";
    mtu 2000;
    encapsulation flexible-ethernet-services;
    unit 10 {
        vlan-id 10;
        family inet {
root@VMX1# set interfaces ge-0/0/1 description "LINK TO NOWHERE"
warning: [interfaces] is protected, 'interfaces ge-0/0/1' cannot be created

NTP in the lab

6 12 2012

Currently trying to get NTP to sync, but failing at present.  My Juniper MX is showing that it isn’t in sync, while the host it should be syncing with is showing as being ok.  There is IP reachability between the two and no firewall in the way.  Back to head-scratching for a bit, I think…

In the process I came across this site, which has a good description of NTP on Linux…