[c-nsp] Re: TACACS+ authentication
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Wed Jan 25 05:13:08 EST 2006
Kanagaraj Krishna <> wrote on Wednesday, January 25, 2006 9:16 AM:
> Hi,
> I'm currently using the shrubbery TACACS+ server. My network
> consist of different vendor equipments (Cisco, Juniper and Extreme).
> I want to standardize the login for all the equipments (one login for
> all equipments). I have a few questions:
>
> - How can I make TACACS+ differentiate the type of devices because
> the username & password will be the same? Using the telnet ip
> address i assume, but not sure how to do it. If there are other
> alternatives please share. For an example i set a login for a juniper
> router, but i could use it to login into my cisco as well (which is
> not right, because there are different authorization settings for
> JUNOS and IOS).
>
> - How can I configure such that, when a person logs into a Cisco
> router it automatically goes into a specific privilege (enable)
> level? I want to save the hassle of having the user entering another
> password into enable mode.
You can use the script-based authorization to do this, i.e. you
configure

    group = auth1 {
        after authorization "/usr/local/bin/post_authorize $user $name $port $address"
    }
Within the script, you can then select attributes based on the passed
parameters (like nas name or nas ip address). You just echo the
attributes to stdout, and the tac_plus server picks them up and sends
them as part of its reply. For example (from memory, haven't used this
in a long time):
    #!/bin/sh
    # tac_plus passes: $1=user $2=nas name $3=port $4=nas address
    address=$4
    case "$address" in
    1.2.3.4|1.2.3.5)
        # Cisco: land the user directly in privilege level 15
        echo "priv-lvl=15"
        ;;
    1.2.4.4|1.2.4.5)
        # JunOS: placeholder, echo whatever attribute JUNOS expects here
        echo "foo=bar"
        ;;
    esac
    # exit 0 = permit, attributes on stdout go into the reply
    exit 0
hope it helps..
oli
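The address-to-attributes mapping Oli describes, written out as an added example (not the post's own script) so the shared username only gets IOS privileges on IOS boxes and nothing at all on a NAS that is not in the inventory. It assumes the four-argument hook line quoted above, constructed RFC 5737 addresses as the device inventory, and that exit status 1 denies the authorization, which is my recollection of tac_plus.conf(5) rather than something the post states.

```shell
#!/bin/sh
# Added example (not the script from the original post): a tac_plus
# "after authorization" hook that picks reply attributes by NAS address.
# Argument order follows the hook line quoted above:
#   $1=user  $2=nas name  $3=port  $4=nas address
# Exit 0 + AV pairs on stdout is what the original relies on; exit 1 as
# "deny" is assumed from tac_plus.conf(5), check your version.

# device_class NAS_ADDRESS -> prints cisco | junos | unknown
# Constructed inventory using RFC 5737 documentation prefixes.
device_class() {
    case "$1" in
        192.0.2.*)      echo cisco ;;
        198.51.100.*)   echo junos ;;
        *)              echo unknown ;;
    esac
}

# av_pairs DEVICE_CLASS -> prints the attribute=value lines to send,
# returns 1 for a class we have no policy for
av_pairs() {
    case "$1" in
        cisco) echo "priv-lvl=15" ;;   # straight into enable mode
        junos) echo "foo=bar" ;;       # placeholder from the post, not a real JUNOS attribute
        *)     return 1 ;;
    esac
}

# post_authorize USER NAS_NAME PORT NAS_ADDRESS
# Prints the AV pairs and returns 0, or returns 1 (assumed deny) for a NAS
# that is not in the inventory, so an unknown device never gets priv-lvl 15.
post_authorize() {
    class=$(device_class "$4")
    if ! pairs=$(av_pairs "$class"); then
        logger -t post_authorize "deny user=$1 nas=$2 addr=$4" 2>/dev/null || :
        return 1
    fi
    logger -t post_authorize "permit user=$1 nas=$2 addr=$4 class=$class" 2>/dev/null || :
    printf '%s\n' "$pairs"
    return 0
}

# When tac_plus runs this file it passes exactly four arguments.
if [ "$#" -eq 4 ]; then
    post_authorize "$@"
    exit $?
fi
```

The deny branch also logs to syslog, so a shared login showing up from an unexpected NAS address is visible to whoever watches the TACACS+ host.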