[tac_plus] silent failure if users are missing
Daniel Rose
drose at nla.gov.au
Mon May 14 05:58:24 UTC 2007
Hi,

I would like to have multiple TACACS servers configured on a device,
with different authentication information. The intent is that if
authentication fails on one server then the device should try the next
server.

It seems that this is not how the protocol works; a rejection is
regarded as final by the device, which is fine.

Others have worked around this:

    One might want to have the TACACS client query multiple servers
    each with a DIFFERENT UAF - if the given username/password isn't
    found on the first, then try the second. This can be done by
    defining TACACS_GOOD_NEWS_ONLY - this will make the TACACS server
    emit a response only if the username/password is accepted.

http://vmsone.com/~decuslib/vmssig/vmslt98a/tacacs/vmstacacs022_3.readme

Is there a similar option with the Shrubbery Networks version?

Thanks!