Managing ScreenOS firewalls with TACACS+

This snippet is tested against “recent” Shrubbery tac_plus daemons as of the date of the post.


ScreenOS 6.0+ users may have noticed that you can now configure TACACS+ servers to authenticate admin users. I’ll skip over the details, except to say that as of 6.1.0r3, failover isn’t working to either of the backup servers that you can configure, so use with care.
Also note that this is authentication only, no accounting or authorization (except for privilege levels).

ScreenOS needs a specific service in TACACS+ to authenticate. You can put this in a group or user stanza:

service = netscreen {
vsys = root
privilege = read-write

The vsys specifies which vsys that user is allowed to. If you only have one, it’s “root”.
privilege can be read-write, read-only or root. As far as I can tell, root allows you to manage local users and mess with nsrp. Otherwise read-write gets most things done. If you’re specifying a non-root vsys, you can also assign vsys-read-write or vsys-read-only as privileges.