Comments for TACACS+ stuff http://tacacs.org Casting Light on the Dark Art of TACACS+ Thu, 08 Sep 2011 03:11:00 -0400 http://wordpress.org/?v=2.8.4 hourly 1 Comment on Easier Tacacs Configurations with do_auth by helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-2539 helpdeskdan Thu, 08 Sep 2011 03:11:00 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-2539 <p>Sry 4 late reply, didn't see comment. This is easy, put the commands you want to deny in command<em>deny section, and put a .* in command</em>permit.</p> Sry 4 late reply, didn’t see comment. This is easy, put the commands you want to deny in commanddeny section, and put a .* in commandpermit.

]]> Comment on Misc TACACS+ questions by helpdeskdan http://tacacs.org/2011/07/06/misc-tacacs-questions/comment-page-1/#comment-2435 helpdeskdan Fri, 05 Aug 2011 20:55:14 +0000 http://tacacs.org/?p=114#comment-2435 <p>Anybody know what happened to the code in all my posts? It's completely unreadable, like the endlines all got munged. I haven't posted much because I didn't think people used do_auth. </p> <p>To quickly answer some questions: - I did do<em>auth, not tac</em>plus. Tac<em>Plus questions go to the listserv. I advise you not bother John Heasley with questions, nor the list until you have consulted a search engine and the documentation. - Junos - don't see why not. Going to be getting some, I'll test it. - Why would you bother with a priv level 10? You're running tac</em>plus, not radius, put the commands in the tacacs config and use authorization. - You don't need do<em>auth to deny access to lo0, but I think it's easier. Add interface loopback 0 to the command</em>deny statement, and interface.* to the command permit.</p> Anybody know what happened to the code in all my posts? It’s completely unreadable, like the endlines all got munged. I haven’t posted much because I didn’t think people used do_auth.

To quickly answer some questions: - I did doauth, not tacplus. TacPlus questions go to the listserv. I advise you not bother John Heasley with questions, nor the list until you have consulted a search engine and the documentation. - Junos – don’t see why not. Going to be getting some, I’ll test it. - Why would you bother with a priv level 10? You’re running tacplus, not radius, put the commands in the tacacs config and use authorization. - You don’t need doauth to deny access to lo0, but I think it’s easier. Add interface loopback 0 to the commanddeny statement, and interface.* to the command permit.

]]> Comment on Misc TACACS+ questions by Eric Krichbaum http://tacacs.org/2011/07/06/misc-tacacs-questions/comment-page-1/#comment-2419 Eric Krichbaum Mon, 01 Aug 2011 20:46:27 +0000 http://tacacs.org/?p=114#comment-2419 <p>Is there an in-depth example of do<em>auth.ini? Specifically, what I want to do is a command</em>deny for interface loopback0 while allowing all other interfaces to be modified in config mode.</p> <p>Thanks, Eric</p> Is there an in-depth example of doauth.ini? Specifically, what I want to do is a commanddeny for interface loopback0 while allowing all other interfaces to be modified in config mode.

Thanks, Eric

]]> Comment on Easier Tacacs Configurations with do_auth by Ivan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-2414 Ivan Sun, 31 Jul 2011 21:26:32 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-2414 <p>Hi Dan,</p> <p>how can i write only several commands which I want to deny. for example I want to deny those commands: no ip route interface gig 0/0 no aaa authentication login default group tacacs+ local no aaa authorization exec default group tacacs+ if-authenticated really thanks for support. Ivan.</p> Hi Dan,

how can i write only several commands which I want to deny. for example I want to deny those commands: no ip route interface gig 0/0 no aaa authentication login default group tacacs+ local no aaa authorization exec default group tacacs+ if-authenticated really thanks for support. Ivan.

]]> Comment on Misc TACACS+ questions by jpayne http://tacacs.org/2011/07/06/misc-tacacs-questions/comment-page-1/#comment-2387 jpayne Mon, 25 Jul 2011 15:27:02 +0000 http://tacacs.org/?p=114#comment-2387 <p>Ah, sorry. There's some links on <a href="http://www.shrubbery.net/tac_plus/" rel="nofollow">http://www.shrubbery.net/tac_plus/</a>. If that's not enough, there's a strong body of knowledge on the mailing list. </p> Ah, sorry. There’s some links on http://www.shrubbery.net/tac_plus/. If that’s not enough, there’s a strong body of knowledge on the mailing list.

]]> Comment on Misc TACACS+ questions by David http://tacacs.org/2011/07/06/misc-tacacs-questions/comment-page-1/#comment-2385 David Sun, 24 Jul 2011 17:10:02 +0000 http://tacacs.org/?p=114#comment-2385 <p>JPAYNE, </p> <p>This site shows how to setup a TACACS server on FreeBSD I want my FreeBSD to authenticate to a TACACS server running on a Cisco appliance, and I am looking the steps to do so, maybe syntax for tacplus.conf and the /etc/pam.d/ files</p> <p>"http://joe-ma-how-to.blogspot.com/2008/05/tacacs-install-and-config-guide.html"</p> JPAYNE,

This site shows how to setup a TACACS server on FreeBSD I want my FreeBSD to authenticate to a TACACS server running on a Cisco appliance, and I am looking the steps to do so, maybe syntax for tacplus.conf and the /etc/pam.d/ files

“http://joe-ma-how-to.blogspot.com/2008/05/tacacs-install-and-config-guide.html”

]]> Comment on Misc TACACS+ questions by jpayne http://tacacs.org/2011/07/06/misc-tacacs-questions/comment-page-1/#comment-2373 jpayne Thu, 21 Jul 2011 15:25:28 +0000 http://tacacs.org/?p=114#comment-2373 <p>http://joe-ma-how-to.blogspot.com/2008/05/tacacs-install-and-config-guide.html</p> http://joe-ma-how-to.blogspot.com/2008/05/tacacs-install-and-config-guide.html

]]> Comment on Misc TACACS+ questions by David http://tacacs.org/2011/07/06/misc-tacacs-questions/comment-page-1/#comment-2371 David Thu, 21 Jul 2011 13:56:08 +0000 http://tacacs.org/?p=114#comment-2371 <p>Can someone point me in the direction where I can find the steps to configure my FreeBSD to authenticate to TACACS+.</p> Can someone point me in the direction where I can find the steps to configure my FreeBSD to authenticate to TACACS+.

]]> Comment on Misc TACACS+ questions by jpayne http://tacacs.org/2011/07/06/misc-tacacs-questions/comment-page-1/#comment-2331 jpayne Mon, 11 Jul 2011 13:36:15 +0000 http://tacacs.org/?p=114#comment-2331 <p>christophe - putting a backup script in logrotate is one option: http://www.scriptinstallation.in/logrotate.html</p> <p>Why would you want to change the default port? I don't believe I've ever seen the option to specify the port number on network devices. In any case, the -p command line option to tac_plus allows you to specify the port to listen on.</p> christophe – putting a backup script in logrotate is one option: http://www.scriptinstallation.in/logrotate.html

Why would you want to change the default port? I don’t believe I’ve ever seen the option to specify the port number on network devices. In any case, the -p command line option to tac_plus allows you to specify the port to listen on.

]]> Comment on Misc TACACS+ questions by jpayne http://tacacs.org/2011/07/06/misc-tacacs-questions/comment-page-1/#comment-2311 jpayne Fri, 08 Jul 2011 00:49:41 +0000 http://tacacs.org/?p=114#comment-2311 <p>Hi Barnaby See the do_auth stuff that Dan has posted about. That's your best bet :)</p> <ul> <li>John</li> </ul> Hi Barnaby See the do_auth stuff that Dan has posted about. That’s your best bet :)

  • John
]]>