[tac_plus] Re: after authorization
john heasley
heas at shrubbery.net
Sun Nov 2 07:53:08 UTC 2008
Sat, Nov 01, 2008 at 08:34:00AM +1300, Ian Batterbee:
> Sorry, I seem to have missed out a few words there - to clarify, the PIX
> is using tacacs to verify users who are terminating a VPN on it.. in
> other words, this is not for authorizing CLI commands, but rather to
> validate VPN user credentials. As a side issue, it also validates exec
> users trying to connect, but that's not what I'm trying to deal with at
> the moment.
>
> In addition to validating the user's name and password, I need tac_plus
> to pass back an AV pair that tells the PIX which group policy to apply
> to the connecting VPN user. I believe this can be done with radius or
> cisco ACS by returning a value for "IETF-Radius-Class" - and from what
> I can see of the tacacs+ protocol, it should be able to do the same
> thing. The issue is how do I tell tac_plus to return that AV pair.
you can ignore the suggestions or try them. try this or see/try svc_auth
and attr_value_pair in tac_plus.conf.
>
>
> Lance Vermilion wrote, On Sat 01/11/2008 03:52:
> >Ian,
> >
> >What do you have set for your AAA statements on your PIX? What
> >commands are you executing on your PIX that you think require
> >authorization?
> >
> >On Thu, Oct 30, 2008 at 11:48 PM, Ian Batterbee <ibatterb at gmail.com
> ><mailto:ibatterb at gmail.com>> wrote:
> >
> >
> > > the client has to use authorization. also see the -d/debug options.
> > >
> >
> > You mean as opposed to authentication ? The client in this case is a
> > PIX that's using tacacs to verify the user's credentials.
> >
> >