[c-nsp] Alternatives to Cisco's TACACS server?

raymondh (NSP) raymondh.nsp at gmail.com
Mon Nov 24 11:27:53 EST 2008


You'll just need to fix your expressions in your tacacs config.

e.g. cmd = set  { permit "^blah blah .*" }


--raymondh

On Nov 25, 2008, at 12:16 AM, Christian Koch wrote:

> Rich - thanks, and sorry, I guess I was a little vague...
>
> I meant to say I am looking for configuration for the tac_plus.conf side
>
> On Mon, Nov 24, 2008 at 11:02 AM, Rich Davies <rich.davies at gmail.com> wrote:
>> Here is an example CatOS config for TACACS auth.  It's been a while since I
>> used a CatOS device; however, if I remember correctly this config was
>> structured so that if the device can't talk to the TACACS server it would
>> fail back to a local userid (by using "if-authenticated" in the
>> #authorization section).
>>
>>
>> #tacacs+
>> set tacacs server 1.1.1.1 primary
>> set tacacs server 2.2.2.2
>> set tacacs key [tacacs key]
>>
>> #authentication
>> set authentication login tacacs enable console primary
>> set authentication login tacacs enable telnet primary
>> set authentication enable tacacs enable console primary
>> set authentication enable tacacs enable telnet primary
>>
>> #accounting
>> set accounting exec enable stop-only tacacs+
>> set accounting connect enable stop-only tacacs+
>> set accounting system enable stop-only tacacs+
>> set accounting commands enable all stop-only tacacs+
>>
>> #authorization
>> set authorization exec enable tacacs+ if-authenticated console
>> set authorization exec enable tacacs+ if-authenticated telnet
>> set authorization enable enable if-authenticated none console
>> set authorization enable enable if-authenticated none telnet
>> set authorization commands enable all if-authenticated none console
>> set authorization commands enable all if-authenticated none telnet
>>
>>
>> Hope it helps.
>>
>> -Rich
>>
>>
>> On Mon, Nov 24, 2008 at 10:48 AM, Christian Koch <christian at broknrobot.com> wrote:
>>>
>>> on a side note -
>>>
>>> has anyone had any success getting older catos switches and enable
>>> mode to work with the newer versions of tacplus?
>>>
>>> christian
>>>
>>> On Mon, Nov 24, 2008 at 10:41 AM,  <A.L.M.Buxey at lboro.ac.uk> wrote:
>>>> Hi,
>>>>
>>>>> The fork based on Cisco's code over at shrubbery has worked out well
>>>>> for me.
>>>>>
>>>>>
>>>>> http://www.shrubbery.net/tac_plus/
>>>>
>>>> agreed. also note, there's been hints of TACACS+ being part of
>>>> future FreeRADIUS capability for some time too.
>>>>
>>>> alan
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>
>>
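Added example, not part of the thread and not tac_plus code: a small Python model of how ordered permit/deny expressions under "cmd = set" decide CatOS commands, showing why the "^" anchor in the expression above matters. It assumes rules are tried in order, the first expression matching the argument string wins, and no match means deny; the policies, function names and sample command lines are constructed for illustration.

```python
import re

# Simplified model of one tac_plus "cmd = <name> { permit|deny <regex> }" stanza.
# Assumptions (not taken from the thread): rules are tried in order, the first
# regex that matches the argument string decides, and no match means deny.

# Hypothetical loose policy: the expression is not anchored.
LOOSE = {"set": [("permit", r"port"), ("deny", r".*")]}

# Hypothetical tight policy: anchored with ^ like the "^blah blah .*" example.
TIGHT = {
    "set": [("permit", r"^port (enable|disable) [0-9]+/[0-9]+$"),
            ("deny", r".*")],
    "show": [("permit", r".*")],
}

def authorize(line, policy):
    """Return 'permit' or 'deny' for one typed command line."""
    cmd, _, args = line.strip().partition(" ")
    for action, pattern in policy.get(cmd, []):
        if re.search(pattern, args):
            return action
    return "deny"  # command not listed, or no expression matched

# Constructed CatOS-style command lines for illustration.
SAMPLES = [
    "set port disable 3/1",
    "set spantree portfast 3/1 enable",
    "set enablepass",
    "show port 3/1",
]

def compare(samples=SAMPLES):
    """Return (line, loose_result, tight_result) for each sample."""
    return [(s, authorize(s, LOOSE), authorize(s, TIGHT)) for s in samples]

if __name__ == "__main__":
    for line, loose, tight in compare():
        print(f"{line:36} loose={loose:6} tight={tight}")
```

The unanchored "port" expression also permits "set spantree portfast ...", which the anchored one denies; check candidate expressions against a list of commands like this before loading them into tac_plus.conf.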
