[tac_plus] Re: after authorization
Ian Batterbee
ibatterb at gmail.com
Fri Oct 31 19:34:00 UTC 2008

Sorry, I seem to have missed out a few words there - to clarify, the PIX
is using tacacs to verify users who are terminating a VPN on it.. in
other words, this is not for authorizing CLI commands, but rather to
validate VPN user credentials. As a side issue, it also validates exec
users trying to connect, but that's not what I'm trying to deal with at
the moment.

In addition to validating the user's name and password, I need tac_plus
to pass back an AV pair that tells the PIX which group policy to apply
to the connecting VPN user. I believe this can be done with radius or
cisco ACS by returning a value for "IETF-Radius-Class" - and from what
I can see of the tacacs+ protocol, it should be able to do the same
thing. The issue is how do I tell tac_plus to return that AV pair.

Lance Vermilion wrote, On Sat 01/11/2008 03:52:
> Ian,
>
> What do you have set for your AAA statements on your PIX? What
> commands are you executing on your PIX that you think require
> authorization?
>
> On Thu, Oct 30, 2008 at 11:48 PM, Ian Batterbee <ibatterb at gmail.com> wrote:
>
>
> > the client has to use authorization. also see the -d/debug options.
> >
>
> You mean as opposed to authentication ? The client in this case is a
> PIX that's using tacacs to verify the user's credentials.
>
>