[c-nsp] Alternatives to Cisco's TACACS server?
Christian Koch
christian at broknrobot.com
Mon Nov 24 11:16:29 EST 2008
Rich - thanks, and sorry, I guess I was a little vague...
I meant to say I am looking for configuration for the tac_plus.conf side.
On Mon, Nov 24, 2008 at 11:02 AM, Rich Davies <rich.davies at gmail.com> wrote:
> Here is an example CatOS config for TACACS auth. It's been a while since I
> used a CatOS device; however, if I remember correctly, this config was
> structured so that if the device can't talk to the TACACS server it would
> fail back to a local userid (by using "if-authenticated" in the
> #authorization section).
>
>
> #tacacs+
> set tacacs server 1.1.1.1 primary
> set tacacs server 2.2.2.2
> set tacacs key [tacacs key]
>
> #authentication
> set authentication login tacacs enable console primary
> set authentication login tacacs enable telnet primary
> set authentication enable tacacs enable console primary
> set authentication enable tacacs enable telnet primary
>
> #accounting
> set accounting exec enable stop-only tacacs+
> set accounting connect enable stop-only tacacs+
> set accounting system enable stop-only tacacs+
> set accounting commands enable all stop-only tacacs+
>
> #authorization
> set authorization exec enable tacacs+ if-authenticated console
> set authorization exec enable tacacs+ if-authenticated telnet
> set authorization enable enable if-authenticated none console
> set authorization enable enable if-authenticated none telnet
> set authorization commands enable all if-authenticated none console
> set authorization commands enable all if-authenticated none telnet
>
>
> Hope it helps.
>
> -Rich
>
>
> On Mon, Nov 24, 2008 at 10:48 AM, Christian Koch <christian at broknrobot.com>
> wrote:
>>
>> on a side note -
>>
>> has anyone had any success getting older catos switches and enable
>> mode to work with the newer versions of tacplus?
>>
>> christian
>>
>> On Mon, Nov 24, 2008 at 10:41 AM, <A.L.M.Buxey at lboro.ac.uk> wrote:
>> > Hi,
>> >
>> >> The fork based on Cisco's code over at shrubbery has worked out well
>> >> for me.
>> >>
>> >>
>> >> http://www.shrubbery.net/tac_plus/
>> >
>> > agreed. also note, there's been hints of TACACS+ being part of
>> > future FreeRADIUS capability for some time too.
>> >
>> > alan
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >
>
>
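
As an added example (not part of the thread and not code from any poster), this Python script tabulates the "#authorization" lines quoted above into primary and fallback methods per session, so it is visible which rules ask the TACACS+ server first and which rely on "if-authenticated" alone. The token layout is an assumption inferred from the quoted lines, and the function names are hypothetical.

```python
# Constructed sample: the "#authorization" lines quoted in the message above.
SAMPLE = """\
set authorization exec enable tacacs+ if-authenticated console
set authorization exec enable tacacs+ if-authenticated telnet
set authorization enable enable if-authenticated none console
set authorization enable enable if-authenticated none telnet
set authorization commands enable all if-authenticated none console
set authorization commands enable all if-authenticated none telnet
"""

METHODS = {"tacacs+", "if-authenticated", "none", "deny"}


def parse_rule(line):
    """Return a dict for one 'set authorization' line, or None if it is not one.

    Assumed token layout (inferred from the quoted config):
      set authorization exec|enable enable <primary> <fallback> <session>
      set authorization commands enable <scope> <primary> <fallback> <session>
    """
    tok = line.lstrip("> ").split()  # tolerate mail quoting prefixes
    if len(tok) < 7 or tok[:2] != ["set", "authorization"] or tok[3] != "enable":
        return None
    service, rest = tok[2], tok[4:]
    scope = rest.pop(0) if service == "commands" else None
    if len(rest) != 3 or rest[0] not in METHODS or rest[1] not in METHODS:
        return None
    return {"service": service, "scope": scope, "primary": rest[0],
            "fallback": rest[1], "session": rest[2]}


def parse_config(text):
    """Parse every authorization rule found in a config excerpt."""
    return [r for r in map(parse_rule, text.splitlines()) if r]


def server_not_consulted(rules):
    """Rules whose primary method is not tacacs+, so the server is not asked first."""
    return [r for r in rules if r["primary"] != "tacacs+"]


if __name__ == "__main__":
    rules = parse_config(SAMPLE)
    print(f"{'service':<9}{'scope':<6}{'session':<9}{'primary':<18}fallback")
    for r in rules:
        print(f"{r['service']:<9}{r['scope'] or '-':<6}{r['session']:<9}"
              f"{r['primary']:<18}{r['fallback']}")
    for r in server_not_consulted(rules):
        print(f"review: {r['service']} on {r['session']} starts with {r['primary']}")
```
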