Comments for TACACS+ stuff http://tacacs.org Casting Light on the Dark Art of TACACS+ Fri, 26 Feb 2010 00:49:45 -0500 http://wordpress.org/?v=2.8.4 hourly 1 Comment on Easier Tacacs Configurations with do_auth by helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-533 helpdeskdan Fri, 26 Feb 2010 00:49:45 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-533 DanH - try 'DEFAULT' instead of 'default' in your tac_plus.conf Skip - This code works by commands, not privilege levels. Not that it couldn't be done, I just did not have a need at the time to modify the tac pairs. You could take priv-lvl = 15 out of the config and deny "enable" to the users you don't want to enable. Or, put them in a different group in tac_plus.conf, but that means you now have to modify two configuration files instead of one. The examples above were done in much haste, there might be errors; if other people are actually interested in this, I'll try to fix it up a bit. My current employer doesn't use tac_plus, so I don't have a testing environment any more. DanH – try ‘DEFAULT’ instead of ‘default’ in your tac_plus.conf

Skip – This code works by commands, not privilege levels. Not that it couldn’t be done, I just did not have a need at the time to modify the tac pairs. You could take priv-lvl = 15 out of the config and deny “enable” to the users you don’t want to enable. Or, put them in a different group in tac_plus.conf, but that means you now have to modify two configuration files instead of one.

The examples above were done in much haste, there might be errors; if other people are actually interested in this, I’ll try to fix it up a bit. My current employer doesn’t use tac_plus, so I don’t have a testing environment any more.

]]> Comment on Easier Tacacs Configurations with do_auth by Skip http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-531 Skip Thu, 25 Feb 2010 21:39:25 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-531 Dan, I would like to implement this but have a question first. The way I would like to use it is, default user has no access and then set the privileged user according to their access level. Is there away to do that? Dan,
I would like to implement this but have a question first.
The way I would like to use it is, default user has no access and then set the privileged user according to their access level. Is there away to do that?

]]> Comment on Easier Tacacs Configurations with do_auth by DanH http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-507 DanH Wed, 17 Feb 2010 21:29:53 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-507 This doesn't appear to work with ASA 8.21 for command authorization. It just spits out; 2010-02-17 16:20:29: Error: Option 'default' does not exist in section users in file /etc/tac_plus/do_auth.ini whenever trying to authorize commands. This doesn’t appear to work with ASA 8.21 for command authorization. It just spits out; 2010-02-17 16:20:29: Error: Option ‘default’ does not exist in section users in file /etc/tac_plus/do_auth.ini whenever trying to authorize commands.

]]> Comment on Managing ScreenOS firewalls with TACACS+ by Dan http://tacacs.org/2008/10/16/managing-screenos-firewalls-with-tacacs/comment-page-1/#comment-484 Dan Tue, 09 Feb 2010 16:09:08 +0000 http://blogs.sackheads.org/jpayne/?p=31#comment-484 Failover and Sourced IP is working in 6.3.0R2.0. Failover and Sourced IP is working in 6.3.0R2.0.

]]> Comment on About by fever http://tacacs.org/about/comment-page-1/#comment-454 fever Thu, 14 Jan 2010 03:57:44 +0000 http://blogs.sackheads.org/tacacsplus/?page_id=16#comment-454 Hello Dan I'm a student at the IT UNIVERSITY and for my license I need to create and configure a TACACS Server can I get your e-mail please for some informations? Thank you. Hello Dan I’m a student at the IT UNIVERSITY and for my license I need to create and configure a TACACS Server can I get your e-mail please for some informations? Thank you.

]]> Comment on Easier Tacacs Configurations with do_auth by helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-450 helpdeskdan Sat, 09 Jan 2010 00:34:39 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-450 You can't get login = PAM working or can't get do_auth working? do_auth is pretty trivial, getting PAM to work with active directory is much more difficult and I can't help you there. (Have often suggested somebody write a tutorial) Getting the two to work together should not be a problem as after authentication scripts are completely separate from the login process. You can’t get login = PAM working or can’t get do_auth working? do_auth is pretty trivial, getting PAM to work with active directory is much more difficult and I can’t help you there. (Have often suggested somebody write a tutorial) Getting the two to work together should not be a problem as after authentication scripts are completely separate from the login process.

]]> Comment on Easier Tacacs Configurations with do_auth by Jamie http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-449 Jamie Fri, 08 Jan 2010 20:39:50 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-449 I really like this and it would make building a front end simple. My only issue is I use login = PAM and tie authentication back to our Active directory through pam_ldap. Can't seem to get that working here, maybe i am missing something. I really like this and it would make building a front end simple. My only issue is I use login = PAM and tie authentication back to our Active directory through pam_ldap. Can’t seem to get that working here, maybe i am missing something.

]]> Comment on Easier Tacacs Configurations with do_auth by helpdeskdan http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-358 helpdeskdan Mon, 26 Oct 2009 23:54:20 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-358 Level 1? The levels you authorize are set on the device it's self, they are not set set on the tacacs server. Level 1? The levels you authorize are set on the device it’s self, they are not set set on the tacacs server.

]]> Comment on Easier Tacacs Configurations with do_auth by Uffe Callesen http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/comment-page-1/#comment-357 Uffe Callesen Mon, 26 Oct 2009 11:54:13 +0000 http://blogs.sackheads.org/tacacsplus/?p=60#comment-357 Excellent guide Dan ! There's one point that seems uncovered however. What if user Homer need access to specific commands not found on Level1 ?? Is there any way to handle that scenario ? Excellent guide Dan ! There’s one point that seems uncovered however. What if user Homer need access to specific commands not found on Level1 ?? Is there any way to handle that scenario ?

]]> Comment on Cisco Wireless Control System by Webs http://tacacs.org/2008/11/04/cisco-wireless-control-system/comment-page-1/#comment-19 Webs Wed, 10 Dec 2008 16:02:24 +0000 http://blogs.sackheads.org/tacacsplus/?p=23#comment-19 Try following <a href="http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml" rel="nofollow">this site from Cisco for getting WCS on TACACS</a>. This is what I did in our enterprise environment and we now have TACACS running on everything. Try following this site from Cisco for getting WCS on TACACS. This is what I did in our enterprise environment and we now have TACACS running on everything.

]]>