Brocade

16 03 2011

My first time putting TACACS+ on a Brocade. Pretty similar to Cisco; the TACACS+ AV pairs that Cisco uses seem to work just fine. Worked great with do_auth. Keep in mind, although they honor priv-15, they map it to 0, just to be different. I used the following:

username admin password yerpasswordhere
ip tacacs source-interface loopback 1
tacacs-server retransmit 2
tacacs-server timeout 2
tacacs-server host yerhosthere
tacacs-server key yerkeyhere
enable super-user-password againpasswordhere
aaa authentication login default tacacs+ enable
aaa authentication login privilege-mode
aaa authentication enable default tacacs+ enable
aaa authorization commands 0 default tacacs+ none
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
enable aaa console



Citrix Branch Receiver

4 03 2011

John McManus has put together a nice walkthrough of authenticating Citrix Branch Receiver via Cisco TACACS+ over on My Etherealmind. It should be fairly straightforward to port to tac_plus with the information provided by John.



Securing Rancid with do_auth

2 03 2011

Rancid can be made much more secure by using do_auth. A quick example of the do_auth.ini file is as follows:

[users]
rancid =
     rancid_access
[rancid_access]
host_allow =
     10.0.0.1
device_permit =
     .*
command_permit =
     show.*
     dir.*
     more.*
     write t.*

Now, rancid can only log in from 10.0.0.1, and only type commands that match those regular expressions. Technically, you could limit the commands in tac_plus.conf without do_auth. It might take longer, but you could do it. However, you could not limit it to 10.0.0.1 without an after-authorization script such as do_auth.

NOTE: This assumes you only authorize config/Level 15 commands. I never authorize level 1 commands or, heaven forbid, level 0 commands, as these commands cannot change anything on the router, nor allow you to see the configuration. Now, if YOU choose to do so, the above example will still probably work. A quick look at log.txt will tell you any additional commands you will need to add.