TACACS+ stuff

TACACS+ stuff http://tacacs.org Casting Light on the Dark Art of TACACS+ Fri, 26 Feb 2010 22:14:15 +0000 http://backend.userland.com/rss092 en do_auth & IOS-XR ios-xr bug: sends blank ip in conf t. tac_plus really should send an "unknown" for this. I'd submit a patch, but I'm no good at C. job == networker, job != programmer. Heasley strongly disagrees with me on this though. Even though I'm obviously right, ... http://tacacs.org/2009/11/09/do_auth-ios-xr/ Easier Tacacs Configurations with do_auth We've gone over how you can make your tacacs configuration really secure but complicated. Let's show how do_auth can actually make configuration easier. It's much easier to edit the do_auth.ini file than the tac_plus.conf file. In fact, we can make adding a default user as easy as ... http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/ Granular Tacacs Control By using an authorization script, we can make tac_plus to do very granular authentication, having different permissions granted to different switches defined by user, source IP and device IP. However, writing/editing a script to change access can be difficult. Hard coded authorization scripts are not very flexible, hence, I decided ... http://tacacs.org/2009/05/08/granular-tacacs-control/ Aruba Airwave Management Platform Yet another new service definition (in a group or user stanza). role should be set to the role definition name you created on the AMP. service = AMP { role = "AMP Administration" } [ad#footer] http://tacacs.org/2008/11/05/aruba-airwave-management-platform/ Cisco Wireless Control System Guy Morrell at the University of Oxford provides this snippet for Cisco WCS service = ciscowlc { role1 = ALL } [ad#footer] http://tacacs.org/2008/11/04/cisco-wireless-control-system/ Managing Cisco ACE (Application Control Engine) modules with TACACS+ This snippet is tested against “recent” Shrubbery tac_plus daemons as of the date of the post. Searching for ACE and TACACS or similar gets confusing because of the RSA ACE server. Good job Cisco Cisco Application Control Engine modules are really separate devices from the “mother” switch, only suckling power and ... http://tacacs.org/2008/10/16/managing-cisco-ace-application-control-engine-modules-with-tacacs/ Managing ScreenOS firewalls with TACACS+ This snippet is tested against “recent” Shrubbery tac_plus daemons as of the date of the post. ScreenOS 6.0+ users may have noticed that you can now configure TACACS+ servers to authenticate admin users. I’ll skip over the details, except to say that as of 6.1.0r3, failover isn’t working to either ... http://tacacs.org/2008/10/16/managing-screenos-firewalls-with-tacacs/