[c-nsp] Re: TACACS+ authentication

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Jan 26 05:55:47 EST 2006


Kanagaraj Krishna <mailto:kanagaraj at aims.com.my> wrote on Thursday,
January 26, 2006 9:37 AM:

> Can I use this way to specify the group membership as well?

I don't know the shrubbery T+ server, so don't know if you can assign
the group within a script.

> This is the scenario
> - I have 3 types of group for Cisco-based equipment
> - I have 3 types of group for Juniper-based equipment
> - 1 unique user login for each user to access all equipment based on
> the assigned group
> 
> The issue is when a person logs into a device... the TACACS+ server
> needs to know the type of equipment (Cisco or Juniper) and then use
> the settings for the specific group. Any idea? It's getting very
> confusing to set up according to these requirements. Need as much
> help as possible.

Well, the server gives you the hooks (i.e. before/after authorization
scripts) to install whatever logic you desire, and based on the exit
code of the script you can permit access with the appropriate
attributes, or deny access (rather: you deny authorization). 
So you need to come up with a script logic fitting your need. I know of
folks putting a complex database behind it, so this can be as easy or as
complicated as you wish.

I think there are commercial servers around (including our Cisco Secure
Server) which could provide the necessary functionality so you don't
have to write the script on your own (but maybe there are folks
listening on this list offering this for $$).

	oli
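A sketch of the kind of vendor-aware authorization hook the reply describes, added here as an illustration and not code from the thread or from the tac_plus project: it looks up the NAS address in a constructed inventory to decide Cisco versus Juniper, looks up the user's single group, and emits the matching attribute-value pairs, failing closed (non-zero exit, which the reply equates with denying authorization) when either lookup misses. The `user address` argument order, the inventory, the group table and the AV pairs are all assumptions to be adapted to the real server's script interface.

```shell
#!/bin/sh
# Constructed device inventory: NAS address -> vendor.  A real deployment
# would read this from the inventory database the reply mentions.
DEVICE_INVENTORY='192.0.2.10 cisco
192.0.2.11 cisco
198.51.100.5 juniper'

# Constructed membership table: one login per user, one group per user.
USER_GROUPS='alice netops
bob readonly'

# Look up $1 in a two-column table on stdin; print column 2, fail if absent.
table_lookup() {
    awk -v key="$1" '$1 == key { print $2; found = 1 } END { exit !found }'
}

lookup_vendor() { printf '%s\n' "$DEVICE_INVENTORY" | table_lookup "$1"; }
lookup_group()  { printf '%s\n' "$USER_GROUPS"      | table_lookup "$1"; }

# Constructed policy: vendor + group -> attribute-value pairs for the NAS.
# Anything not listed is denied rather than silently granted.
build_avpairs() {
    case "$1:$2" in
        cisco:netops)     echo 'priv-lvl=15' ;;
        cisco:readonly)   echo 'priv-lvl=1' ;;
        juniper:netops)   echo 'local-user-name=super-users' ;;
        juniper:readonly) echo 'local-user-name=read-only' ;;
        *)                return 1 ;;
    esac
}

# authorize USER NAS_ADDRESS: print AV pairs and return 0 to permit;
# return 1 (deny) when the device, the user or the policy is unknown.
authorize() {
    vendor=$(lookup_vendor "$2") || return 1
    group=$(lookup_group "$1")   || return 1
    build_avpairs "$vendor" "$group"
}

# Entry point when the server invokes the script with "$user $address"
# (assumed argument order); skipped when sourced without arguments.
if [ "$#" -eq 2 ]; then
    authorize "$1" "$2"
fi
```

Whether the script's stdout is taken as the AV pairs, and which exit codes mean permit and deny, must be checked against the server's own documentation before wiring this into a before/after authorization hook.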
