[tac_plus] Re: silent failure if users are missing
john heasley
heas at shrubbery.net
Wed May 16 21:37:37 UTC 2007
Mon, May 14, 2007 at 03:58:24PM +1000, Daniel Rose:
> Hi,
>
> I would like to have multiple tacacs servers configured on a device,
> with different authentication information. The intent is that if
> authentication fails on one server then the device should try the next
> server.
>
> It seems that this is not how the protocol works, a rejection is
> regarded as final by the device, which is fine.
>
> Others have worked around this:
>
> One might want to have the TACACS client query multiple servers
> each with a DIFFERENT UAF - if the given username/password isn't
> found on the first, then try the second. This can be done by
> defining TACACS_GOOD_NEWS_ONLY - this will make the TACACS server
> emit a response only if the username/password is accepted.
>
> http://vmsone.com/~decuslib/vmssig/vmslt98a/tacacs/vmstacacs022_3.readme
>
> Is there a similar option with the shrubbery networks version?
No, there is not, and it seems ugly to me. Perhaps a better solution would
be a pre-authentication script that could close the connection with the
client (without responding)?
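The behaviour under discussion, as an added illustration (not code from tac_plus or from either poster): a client walks its server list, treats a FAIL reply as final, and moves on only when a server stays silent, which is exactly what a GOOD_NEWS_ONLY style server relies on. The user databases and server names are constructed sample data; the status codes and REPLY body layout are those of the TACACS+ authentication REPLY.

```python
import struct

# TACACS+ authentication REPLY status codes (RFC 8907, section 5.2).
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
TAC_PLUS_AUTHEN_STATUS_ERROR = 0x07


def authen_reply_body(status, server_msg=b"", data=b""):
    """Encode an authentication REPLY body: status, flags, server_msg_len, data_len."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def server_response(userdb, username, password, good_news_only):
    """Return the REPLY body a server would send, or None when it drops the
    connection without answering (the GOOD_NEWS_ONLY workaround)."""
    if userdb.get(username) == password:
        return authen_reply_body(TAC_PLUS_AUTHEN_STATUS_PASS)
    if good_news_only:
        return None  # unknown user or bad password: stay silent, let the client time out
    return authen_reply_body(TAC_PLUS_AUTHEN_STATUS_FAIL)


def client_login(servers, username, password):
    """Try each (name, userdb, good_news_only) server in order.
    Returns (server_name, accepted). A FAIL or ERROR reply ends the attempt;
    only silence (a timeout, modelled as None) moves the client to the next server."""
    for name, userdb, good_news_only in servers:
        reply = server_response(userdb, username, password, good_news_only)
        if reply is None:
            continue  # no response: the device treats this like a dead server
        status = struct.unpack("!BBHH", reply[:6])[0]
        return (name, status == TAC_PLUS_AUTHEN_STATUS_PASS)
    return (None, False)


# Constructed sample deployment: two servers with disjoint user databases.
SERVERS_SILENT = [("tac1", {"alice": "a-pass"}, True), ("tac2", {"bob": "b-pass"}, True)]
SERVERS_NORMAL = [("tac1", {"alice": "a-pass"}, False), ("tac2", {"bob": "b-pass"}, False)]

if __name__ == "__main__":
    print(client_login(SERVERS_SILENT, "bob", "b-pass"))  # ('tac2', True)
    print(client_login(SERVERS_NORMAL, "bob", "b-pass"))  # ('tac1', False): FAIL is final
    print(client_login(SERVERS_SILENT, "carol", "nope"))  # (None, False): every server silent
```

Note that in the silent configuration the client cannot tell a rejection from an outage, so every failed login costs a full timeout per server and leaves no reject in the device's view, which is the trade-off behind calling the approach ugly.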