Re: [nsp] enquiry on tacas

From: Eric Chan (bigeric@hknet.com)
Date: Wed Jan 31 2001 - 21:18:55 EST


Do I need to install this new tac_plus to implement my desired feature?
I just want to assign a certain user different rights on different routers.
For example, I want user A to have full rights on router A, but only "show"
command rights on router B. Is that OK with your suggestion? However, I don't
want to use two TACACS servers.

Thank you very much

eric

----- Original Message -----
From: "Rich Sena" <ras@poppa.thick.net>
To: "Eric Chan" <bigeric@hknet.com>
Cc: "Roy" <garlic@garlic.com>; <cisco-nsp@puck.nether.net>
Sent: Wednesday, January 31, 2001 9:00 PM
Subject: Re: [nsp] enquiry on tacas

>
> Yes you can do all this Eric...
>
> First, download the following...
>
> tac_plus.F4.0.4.alpha+acl+libwrap.tar.gz you can get this from
> http://www.shrubbery.net/tac_plus
>
> This has a few necessary features already set in the Makefile (acl
> support, tcp wrappers support,...)
>
> Then you need to add this...
>
> <excerpt from tacplus-l>
> If you mean you want it to use the shadow library (use both password and
> shadow in conjunction), then you have to compile tac_plus with
> SHADOW_PASSWORDS enabled; look in tac_plus.h and put a
>
> #define SHADOW_PASSWORDS
>
> inside the #ifdef LINUX section and then compile tac_plus with make.
>
> If you want to make tac_plus read ONLY the /etc/shadow file, it will not
> work, because the /etc/shadow file has more than 6 colons in each entry,
> and you shouldn't change the structure of your shadow file (?). Tac_plus
> without SHADOW_PASSWORDS support is in fact expecting the old-style
> password file format that contained encrypted passwords (6 colons
> only). Also note, tac_plus can't read the system /etc/shadow file
> directly unless it is run as root.
>
> </excerpt from tacplus-l>
>
> Then compile the little bugger and you should be smokin...
>
> Hope that helps...
>
>
> On Jan 31, 2001 Eric Chan reported:
>
> > I know, but I have enabled debug mode on my router, and the AV attributes
> > sent to TACACS are only
> > service, username, and command input, but not IP address.
> >
> >
> > ----- Original Message -----
> > From: "Roy" <garlic@garlic.com>
> > To: "Eric Chan" <bigeric@hknet.com>
> > Cc: <cisco-nsp@puck.nether.net>
> > Sent: Wednesday, January 31, 2001 3:49 PM
> > Subject: Re: [nsp] enquiry on tacas
> >
> >
> > >
> > > I know you can do it with RADIUS. You use the IP address that is
> > > requesting the authentication as part of the check items in determining
> > > whether to authenticate and what parameters to send back.
> > >
> > >
> > >
> > >
> >
>
> --
> Rich Sena - ras@thick.net
> ThickNET Consulting
> "On the way to understanding; you understand, and forget."
>
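
Added example, not part of the original messages or of tac_plus: the tacplus-l excerpt quoted above distinguishes old-style password entries (6 colons) from /etc/shadow entries (more than 6), and this script classifies each entry of a candidate password file on that basis. The field counts (7 per passwd(5), 9 per shadow(5)), the placeholder values treated as "no hash", the function names and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: decide which entries an old-style (6-colon) password-file
# reader could authenticate against, and which are shadow-format or unusable.

# classify_entries: reads entries on stdin, prints "<user> <verdict>" per entry.
classify_entries() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        NF == 7 && ($2 == "x" || $2 == "*" || $2 == "!" || $2 == "") {
            print $1, "passwd-no-hash"; next    # 6 colons, but hash is stored elsewhere
        }
        NF == 7 { print $1, "passwd-with-hash"; next }  # old-style entry, hash inline
        NF == 9 { print $1, "shadow-format"; next }     # 8 colons, as in /etc/shadow
        { print $1, "malformed" }
    '
}

# count_usable: number of entries with an inline hash in the 6-colon format.
count_usable() {
    classify_entries | grep -c ' passwd-with-hash$'
}

# Constructed sample input: no real accounts, no real hashes.
SAMPLE='usera:abJnggxhB/yWI:1001:100:User A:/home/usera:/bin/sh
userb:x:1002:100:User B:/home/userb:/bin/sh
userc:$1$salt$constructedhashvalue000:18000:0:99999:7:::
broken:line'

printf '%s\n' "$SAMPLE" | classify_entries
```

An entry reported as `passwd-no-hash` or `shadow-format` is the case the excerpt says needs `SHADOW_PASSWORDS` compiled in.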


