[c-nsp] Alternatives to Cisco's TACACS server?

Christian Koch christian at broknrobot.com
Tue Nov 25 11:07:09 EST 2008


my problem is the normal "#enable = 15" does not work for catos as it
does with IOS in the later tac_plus software as it did in the earlier
developed versions



On Mon, Nov 24, 2008 at 11:27 AM, raymondh (NSP) <raymondh.nsp at gmail.com> wrote:
> You'll just need to fix your expressions in your tacacs config.
>
> e.g. cmd = set  { permit "^blah blah .*" }
>
>
> --raymondh
>
> On Nov 25, 2008, at 12:16 AM, Christian Koch wrote:
>
>> Rich- thanks and sorry i guess i was a little vague...
>>
>> i meant to say i am looking for configuration for the tac_plus.conf side
>>
>> On Mon, Nov 24, 2008 at 11:02 AM, Rich Davies <rich.davies at gmail.com> wrote:
>>>
>>> Here is an example CatOS config for TACACS auth.  It's been a while since I
>>> used a CatOS device; however, if I remember correctly, this config was
>>> structured so that if the device can't talk to the TACACS server it would
>>> fail back to a local userid (by using "if-authenticated" in the
>>> #authorization section).
>>>
>>>
>>> #tacacs+
>>> set tacacs server 1.1.1.1 primary
>>> set tacacs server 2.2.2.2
>>> set tacacs key [tacacs key]
>>>
>>> #authentication
>>> set authentication login tacacs enable console primary
>>> set authentication login tacacs enable telnet primary
>>> set authentication enable tacacs enable console primary
>>> set authentication enable tacacs enable telnet primary
>>>
>>> #accounting
>>> set accounting exec enable stop-only tacacs+
>>> set accounting connect enable stop-only tacacs+
>>> set accounting system enable stop-only tacacs+
>>> set accounting commands enable all stop-only tacacs+
>>>
>>> #authorization
>>> set authorization exec enable tacacs+ if-authenticated console
>>> set authorization exec enable tacacs+ if-authenticated telnet
>>> set authorization enable enable if-authenticated none console
>>> set authorization enable enable if-authenticated none telnet
>>> set authorization commands enable all if-authenticated none console
>>> set authorization commands enable all if-authenticated none telnet
>>>
>>>
>>> Hope it helps.
>>>
>>> -Rich
>>>
>>>
>>> On Mon, Nov 24, 2008 at 10:48 AM, Christian Koch <christian at broknrobot.com> wrote:
>>>>
>>>> on a side note -
>>>>
>>>> has anyone had any success getting older catos switches and enable
>>>> mode to work with the newer versions of tacplus?
>>>>
>>>> christian
>>>>
>>>> On Mon, Nov 24, 2008 at 10:41 AM,  <A.L.M.Buxey at lboro.ac.uk> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>>> The fork based on Cisco's code over at shrubbery has worked out well
>>>>>> for me.
>>>>>>
>>>>>>
>>>>>> http://www.shrubbery.net/tac_plus/
>>>>>
>>>>> agreed. also note, there's been hints of TACACS+ being part of
>>>>> future FreeRADIUS capability for some time too.
>>>>>
>>>>> alan
>>>>> _______________________________________________
>>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>>
>>>
>>>
>
>

