[tac_plus] Re: Suggestion/feature-idea/whatever

Kiss Gabor (Bitman) kissg at ssg.ki.iif.hu
Sat Nov 22 18:17:44 UTC 2008


> if an admin wants a user to be able to modify 'ip access-list extended
> bob' only to block based on source IP, but not modify any other access
> list, nor add/remove other filters in bob? It would require
> authorization and accounting to keep track of sessions and context,
> but not impossible.

This would not be practical.

Cisco routers can connect to more than one TACACS+ server. So if one of
them is unreachable or busy, another server can authorize/authenticate as well.

Actually we use two AAA servers. According to its logs
the second one is not idle. It also has jobs even if the first server
is always reachable.
So it can easily occur that two consecutive authorization requests are
served by different TACACS+ servers.

Gabor
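The failure mode described above, as an added illustration that is not part of the original post or of the tac_plus project: a plain tac_plus-style per-command policy is stateless, so every server answers the same way no matter which one the router reaches, whereas a hypothetical context-tracking server (remembering that the session is inside `ip access-list extended bob`) gives a different answer as soon as the follow-up command lands on the other server. All policy rules, command strings and the `StatefulServer` class are constructed for this example.

```python
import itertools
import re

# Constructed, tac_plus-style per-command authorization policy: an ordered list
# of (action, regex) pairs, first match wins. It is stateless by design.
STATELESS_POLICY = [
    ("permit", r"^ip access-list extended bob$"),
    ("permit", r"^deny ip host \S+ any$"),
    ("deny", r".*"),
]

def authorize_stateless(command, policy=STATELESS_POLICY):
    """Return True if the first matching rule permits the command."""
    for action, pattern in policy:
        if re.match(pattern, command):
            return action == "permit"
    return False

class StatefulServer:
    """Hypothetical server that remembers which ACL each session is editing,
    so that 'deny ...' lines are only permitted inside ACL 'bob'."""
    def __init__(self):
        self.context = {}  # session_id -> name of the ACL being edited

    def authorize(self, session_id, command):
        m = re.match(r"^ip access-list extended (\S+)$", command)
        if m:
            if m.group(1) == "bob":
                self.context[session_id] = "bob"
                return True
            return False
        if re.match(r"^deny ip host \S+ any$", command):
            # Only allowed if this server saw the session enter ACL 'bob'.
            return self.context.get(session_id) == "bob"
        return False

# Constructed command sequence typed into one router session.
SESSION_COMMANDS = [
    "ip access-list extended bob",
    "deny ip host 10.0.0.5 any",
]

def run_stateful_session(servers):
    """Send consecutive authorization requests round-robin across servers,
    as happens when a router alternates between reachable TACACS+ servers."""
    picker = itertools.cycle(servers)
    return [next(picker).authorize("session-1", cmd) for cmd in SESSION_COMMANDS]

def stateful_single_server():
    # One server sees the whole session: context is intact.
    return run_stateful_session([StatefulServer()])

def stateful_two_servers():
    # Second request reaches a server that never saw the first one.
    return run_stateful_session([StatefulServer(), StatefulServer()])

def stateless_any_server():
    # Stateless policy answers identically on every server.
    return [authorize_stateless(cmd) for cmd in SESSION_COMMANDS]

if __name__ == "__main__":
    print("stateful, one server :", stateful_single_server())
    print("stateful, two servers:", stateful_two_servers())
    print("stateless, any server:", stateless_any_server())
```

The stateless policy stays consistent across servers precisely because it cannot express "only inside ACL bob"; the context-aware policy that the feature idea needs gives the right answer only when every request of a session reaches the same server.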
