[c-nsp] Re: TACACS+ authentication

Kanagaraj Krishna kanagaraj at aims.com.my
Thu Jan 26 03:37:17 EST 2006


Can I use this way to specify the group membership as well?

This is the scenario
- I have 3 types of group for Cisco-based equipment
- I have 3 types of group for Juniper-based equipment
- 1 unique user login for each user to access all equipment based on the
assigned group

The issue is when a person logs into a device, the TACACS+
server needs to know the type of equipment (Cisco or Juniper) and then use
the settings for the specific group. Any idea? It's getting very confusing to
set up according to these requirements. Need as much help as possible.

Thanks,
Kana



----- Original Message -----
From: "Oliver Boehmer (oboehmer)" <oboehmer at cisco.com>
To: "Kanagaraj Krishna" <kanagaraj at aims.com.my>; <cisco-nsp at puck.nether.net>
Sent: Wednesday, January 25, 2006 6:13 PM
Subject: RE: [c-nsp] Re: TACACS+ authentication


> Kanagaraj Krishna <> wrote on Wednesday, January 25, 2006 9:16 AM:
>
> > Hi,
> >      I'm currently using the shrubbery TACACS+ server. My network
> > consist of different vendor equipments (Cisco, Juniper and Extreme).
> > I want to standardize the login for all the equipments (one login for
> > all equipments). I have a few questions:
> >
> > - How can I make TACACS+ differentiate the type of devices because
> >   the username & password will be the same? Using the telnet ip
> > address i assume, but not sure how to do it. If there are other
> > alternatives please share. For an example i set a login for a juniper
> > router, but i could use it to login into my cisco as well   (which is
> > not right, because there are different authorization settings for
> > JUNOS and IOS).
> >
> > - How can I configure such that, when a person logs into a Cisco
> >    router it automatically goes into a specific privilege (enable)
> > level? I want to save the hassle of having the user entering another
> > password into enable mode.
>
> You can use the script-based authorization to do this, i.e. you
> configure
>
> group = auth1 {
>     after authorization "/usr/local/bin/post_authorize $user $name $port
> $address"
> }
>
> Within the script, you can then select attributes based on the passed
> parameters (like NAS name or NAS IP address). You just echo the
> attributes to stdout, and the tac_plus server picks them up and sends
> them as part of its reply. For example (from memory, haven't used this
> in a long time):
>
> #!/bin/sh
>
> # $4 is the NAS address passed in from tac_plus.conf
> address=$4
>
> case $address in
>   1.2.3.4|1.2.3.5)
>     # Cisco
>     echo "priv-lvl=15"
>     ;;
>   1.2.4.4|1.2.4.5)
>     # JunOS
>     echo "foo=bar"
>     ;;
> esac
>
> exit 0
>
> hope it helps..
>
> oli
>
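The hook pattern Oliver describes can also carry the group membership Kana asks about, because tac_plus passes the user name as well as the NAS address to the script. The following is an added example, not code from the thread or from the tac_plus project: it keeps the page's argument order ($user $name $port $address) and its echo-to-stdout convention, classifies the NAS by the address in $4, looks up the login's role by the user name in $1, and prints the attributes for that vendor/role pair. Every address, user name, role and Junos template name below is a constructed sample value; local-user-name is the Junos-side attribute that maps a TACACS+ login to a local template user, and the device table has to list every managed NAS, since an unlisted address gets no attributes at all and falls back to whatever tac_plus.conf grants on its own.

```shell
#!/bin/sh
# Added example of a tac_plus post-authorization hook (not from the thread).
# tac_plus.conf calls it as
#   after authorization "/usr/local/bin/post_authorize $user $name $port $address"
# so $1 = user, $2 = NAS name, $3 = port, $4 = NAS address.
# All addresses, user names, roles and template names are constructed.

# Vendor of the NAS, keyed by the address tac_plus passes in $4.
# Every managed device must be listed: an unlisted one gets no attributes.
vendor_for_address() {
    case "$1" in
        192.0.2.1|192.0.2.2)        echo cisco ;;
        198.51.100.1|198.51.100.2)  echo juniper ;;
        *)                          echo unknown ;;
    esac
}

# Role of the login, keyed by the user name in $1. One login per person,
# as in the thread; the role decides the rights on every vendor.
role_for_user() {
    case "$1" in
        kana|alice) echo netadmin ;;
        bob)        echo operator ;;
        *)          echo readonly ;;
    esac
}

# Attributes for one (vendor, role) pair, one "attr=value" per line, which
# tac_plus picks up from stdout and returns to the device.
attributes_for() {
    vendor=$1
    role=$2
    case "$vendor/$role" in
        cisco/netadmin)   echo "priv-lvl=15" ;;
        cisco/operator)   echo "priv-lvl=7" ;;
        cisco/readonly)   echo "priv-lvl=1" ;;
        # Junos maps the login to a local template user whose class holds
        # the permissions; the template names here are constructed.
        juniper/netadmin) echo "local-user-name=tpl-super" ;;
        juniper/operator) echo "local-user-name=tpl-operator" ;;
        juniper/readonly) echo "local-user-name=tpl-readonly" ;;
        *)                : ;;   # unknown device: emit nothing
    esac
}

# Entry point with the four tac_plus arguments.
post_authorize() {
    vendor=$(vendor_for_address "$4")
    role=$(role_for_user "$1")
    attributes_for "$vendor" "$role"
}

# Act as the hook only when called with its four arguments, so the functions
# can also be sourced and checked on their own.
if [ $# -eq 4 ]; then
    post_authorize "$@"
    exit 0
fi
```

Dropping the file in as /usr/local/bin/post_authorize and referencing it from the group's `after authorization` line, as on the page, is all tac_plus needs; the address table is the part to keep in sync with the inventory, since a new router that is not listed will log in with only the rights tac_plus.conf itself grants.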


