Misc TACACS+ questions
6 07 2011

I’ve received a couple of comments posing questions, but they’ve been hiding out on the “About” page. I’m going to move them to this post so others can see and answer.
This is hopefully where new questions can be posed.
Hello Dan, I’m a student at the IT UNIVERSITY and for my license I need to create and configure a TACACS server. Can I get your e-mail please for some information? Thank you.
Hello, does doauth work with junos? I try but it does not, and even so, when I use after authorization in tacplus.conf it makes service = junos-exec stop working. Can you please advise? I am not sure if junos can work in authorization per command or if it happens only once after authentication.
Thanks, MSamir
Hi John,
I work for an MPLS provider. We are running tac_plus F4.0.4.19 and have encountered a problem where, after configuring a privilege level 10 user, he is unable to execute ping with source from a CE router. Below are the configs on the server:
# test user group
group = test {
    default service = deny
    service = exec {
        priv-lvl = 10
    }
    cmd = show {
        permit access-lists
    }
    cmd = show {
        permit cef
    }
    cmd = show {
        permit class-map
    }
    cmd = show {
        permit policy-map
    }
    cmd = show {
        permit clock
    }
    cmd = show {
        permit interfaces
    }
    cmd = show {
        permit route-map
    }
    cmd = show {
        permit vlan
    }
    cmd = show {
        permit controllers
    }
    cmd = show {
        permit ip
    }
    cmd = ping {
        permit .*
    }
    cmd = ping {
        permit ip
    }
    cmd = exit {
        permit .*
    }
    cmd = quit {
        permit .*
    }
}

# test user
user = test {
    member = dhl
    login = PAM
}

The rights for the above user should be limited to the above configs, in addition to allowing the ping with source command. I would appreciate it if you can provide some insights into solving our issue.
Thanks in advance
Hello, I have a problem with how to make a backup of the tacacs.log file on a disk on my server. I am using CentOS 5, and I would also like to change the TACACS default port 49 and use another port. Can you help me please with these 2 questions?
Thank you
There’s good documentation that comes with the tacplus package from Shrubbery; I suggest you start there:
http://www.shrubbery.net/tacplus/
They also have a mailing list with very good support (particularly for well-thought-out questions).
I think you need to make the ping command a different level:
conf t
privilege exec level 10 ping
Hey John, banging my head against this, hope you can help. In the simplest terms, I’d like to set up some users to be privileged on some switches, but unprivileged on others (i.e. anything but config term). I’ve tried to create a permit ACL for each group of switches, then applied those ACLs to one of 2 groups (a privileged and a non-privileged group), then tried to assign a user to both groups. Since that wasn’t allowed, I then tried to create a super group containing both groups and assign my user to the super group, but that didn’t work either. Is there a simple way to make it so a user has different privileges on different devices? Barnaby
Hi Barnaby, see the do_auth stuff that Dan has posted about. That’s your best bet.
Christophe: putting a backup script in logrotate is one option: http://www.scriptinstallation.in/logrotate.html
Why would you want to change the default port? I don’t believe I’ve ever seen the option to specify the port number on network devices. In any case, the -p command line option to tac_plus allows you to specify the port to listen on.
Can someone point me in the direction where I can find the steps to configure my FreeBSD to authenticate to TACACS+?
http://joe-ma-how-to.blogspot.com/2008/05/tacacs-install-and-config-guide.html
JPAYNE,
This site shows how to set up a TACACS server on FreeBSD. I want my FreeBSD to authenticate to a TACACS server running on a Cisco appliance, and I am looking for the steps to do so, maybe syntax for tacplus.conf and the /etc/pam.d/ files:
“http://joe-ma-how-to.blogspot.com/2008/05/tacacs-install-and-config-guide.html”
Ah, sorry. There are some links on http://www.shrubbery.net/tac_plus/. If that’s not enough, there’s a strong body of knowledge on the mailing list.
Is there an in-depth example of doauth.ini? Specifically, what I want to do is a commanddeny for interface loopback0 while allowing all other interfaces to be modified in config mode.
Thanks, Eric
Anybody know what happened to the code in all my posts? It’s completely unreadable, like the endlines all got munged. I haven’t posted much because I didn’t think people used do_auth.
To quickly answer some questions:
- I did doauth, not tacplus. TacPlus questions go to the listserv. I advise you not to bother John Heasley with questions, nor the list, until you have consulted a search engine and the documentation.
- Junos: don’t see why not. Going to be getting some, I’ll test it.
- Why would you bother with a priv level 10? You’re running tacplus, not radius; put the commands in the tacacs config and use authorization.
- You don’t need doauth to deny access to lo0, but I think it’s easier. Add interface loopback 0 to the commanddeny statement, and interface.* to the command permit.
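Two of the questions above (Barnaby’s per-device privileges and Eric’s loopback0 deny) come down to the same thing: a group only applies on the devices it lists, and within a group the deny patterns are checked before the permit patterns. The Python below is an added illustration, not do_auth’s own code; the ini layout and the key names device_permit, command_deny and command_permit are assumptions about the do_auth.ini format, and the users, groups and addresses are constructed for the example.

```python
import configparser
import re
# Constructed do_auth.ini-style sample; key names are an assumption about the format.
SAMPLE_INI = r"""[users]
barnaby =
    core_admin
    edge_readonly
eric =
    no_loopback
[core_admin]
device_permit =
    10\.1\.1\..*
command_permit =
    .*
[edge_readonly]
device_permit =
    10\.2\..*
command_deny =
    configure.*
command_permit =
    .*
[no_loopback]
device_permit =
    .*
command_deny =
    interface loopback ?0
command_permit =
    interface.*
"""

def load_ini(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep user and group names case-sensitive
    cfg.read_string(text)
    return cfg

def _patterns(cfg, section, key):
    # Indented multi-line ini value -> one regex per non-empty line
    if not cfg.has_option(section, key):
        return []
    return [p.strip() for p in cfg.get(section, key).splitlines() if p.strip()]

def authorize(cfg, user, device_ip, command):
    """Deny-before-permit check; a group only counts on devices it lists."""
    for group in _patterns(cfg, "users", user):
        # Skip groups that do not cover this device (Barnaby's per-switch split)
        if not any(re.match(p, device_ip) for p in _patterns(cfg, group, "device_permit")):
            continue
        if any(re.match(p, command, re.I) for p in _patterns(cfg, group, "command_deny")):
            return False, "denied by " + group
        if any(re.match(p, command, re.I) for p in _patterns(cfg, group, "command_permit")):
            return True, "permitted by " + group
    return False, "no matching permit"
```

Note that re.match anchors only at the start of the command, so a deny such as `interface loopback ?0` must be listed before the broader `interface.*` permit is consulted, which is exactly the ordering the check above enforces.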