[c-nsp] Alternatives to Cisco's TACACS server?

Rich Davies rich.davies at gmail.com
Mon Nov 24 11:02:57 EST 2008


Here is an example CatOS config for TACACS auth.  It's been a while since I
used a CatOS device; however, if I remember correctly, this config was
structured so that if the device can't talk to the TACACS server it would
fall back to a local userid (by using "if-authenticated" in the
#authorization section).


#tacacs+
set tacacs server 1.1.1.1 primary
set tacacs server 2.2.2.2
set tacacs key [tacacs key]

#authentication
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary

#accounting
set accounting exec enable stop-only tacacs+
set accounting connect enable stop-only tacacs+
set accounting system enable stop-only tacacs+
set accounting commands enable all stop-only tacacs+

#authorization
set authorization exec enable tacacs+ if-authenticated console
set authorization exec enable tacacs+ if-authenticated telnet
set authorization enable enable if-authenticated none console
set authorization enable enable if-authenticated none telnet
set authorization commands enable all if-authenticated none console
set authorization commands enable all if-authenticated none telnet


Hope it helps.

-Rich


On Mon, Nov 24, 2008 at 10:48 AM, Christian Koch <christian at broknrobot.com> wrote:

> on a side note -
>
> has anyone had any success getting older catos switches and enable
> mode to work with the newer versions of tacplus?
>
> christian
>
> On Mon, Nov 24, 2008 at 10:41 AM,  <A.L.M.Buxey at lboro.ac.uk> wrote:
> > Hi,
> >
> >> The fork based on Cisco's code over at shrubbery has worked out well for me.
> >>
> >>
> >> http://www.shrubbery.net/tac_plus/
> >
> > agreed. also note, there's been hints of TACACS+ being part of
> > future FreeRADIUS capability for some time too.
> >
> > alan
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
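
An added example, not part of the original post: a small Python audit that reads the `set authorization` lines from the config above and reports, per authorization type and access method, whether the TACACS+ server is ever asked and what happens when it cannot be reached. The token order (option, then fallback, then access method) is an assumption read off the lines in the post, and the `deny` fallback keyword does not appear in the post; it is assumed from CatOS's authorization syntax.

```python
import re

# Authorization lines copied from the post above, used here as sample input.
SAMPLE = """\
set authorization exec enable tacacs+ if-authenticated console
set authorization exec enable tacacs+ if-authenticated telnet
set authorization enable enable if-authenticated none console
set authorization enable enable if-authenticated none telnet
set authorization commands enable all if-authenticated none console
set authorization commands enable all if-authenticated none telnet
"""

# Assumed token order, read off the lines in the post:
#   set authorization <type> enable [config|all] <option> <fallback> <access>
RULE = re.compile(
    r"^set authorization (exec|enable|commands) enable"
    r"(?: (?:config|all))? (\S+) (\S+) (console|telnet|both)$"
)

def parse(config):
    """Return (type, access, option, fallback) for each authorization line."""
    rules = []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if m:
            kind, option, fallback, access = m.groups()
            rules.append((kind, access, option, fallback))
    return rules

def classify(option, fallback):
    """Label what happens to authorization on this path."""
    if "tacacs+" not in (option, fallback):
        return "no-tacacs"    # the server is never asked
    if fallback == "deny":
        return "fail-closed"  # server down: request refused
    return "fail-open"        # server down: the other method decides

def audit(config):
    """Map (type, access) to its classification."""
    return {(k, a): classify(o, f) for k, a, o, f in parse(config)}

if __name__ == "__main__":
    for (kind, access), verdict in audit(SAMPLE).items():
        print(f"{kind:9}{access:8}{verdict}")
```

Under that reading, only the exec lines consult TACACS+; the enable and commands lines authorize any authenticated session without asking the server.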

