[tac_plus] Re: Tacacs server key password config
John Payne
john at sackheads.org
Thu Dec 17 14:26:02 UTC 2009
On Dec 16, 2009, at 6:18 PM, Osiewicz Brett R wrote:
> When setting up a TACACS+ server to authenticate a Cisco router/switch
> session, the tacacs-server key password entry provides the shared-secret
> key that authenticates the router on the TACACS+ server. This password
> permits AAA communications between the router and the TACACS+ server.
The shared secret encrypts the communication between the TACACS+ server and the router.
It's a mutual authentication inasmuch as both the router and the TACACS+ server need to have the same key.
> The question: is this tacacs-server key entry now the new password used
> to access the router? In other words, instead of entering the enable
> secret username/password combination and having the router/IOS
> authenticate the session, you now enter the password you supplied for
> the tacacs-server key password config and the TACACS server
> authenticates you. If this is true, what username do you use?
This is not true unless you've copied-n-pasted the password to a user stanza.
The user id and password are configured in tac_plus.cfg. See tac_plus.conf(5):
    user    Define a user whose username is <name>.

                user = <name> {
                    [ <default service> ]
                    <user_attr>
                    <svc>
                }

            Note: seventeen special usernames exist: "DEFAULT", "$enable$",
            and "$enabN$" (where N is a privilege level number, normally in
            the range 0-15 on a Cisco). The "$enable$" user is for backward
            compatibility with previous versions of tacacs that is queried
            for privilege level 15 in addition to "$enab15$".

    ...

    user_attr
            XXX:

                user = bart {
                    arap = cleartext "arap password"
                    chap = cleartext "chap password"
                    enable = <password_spec>
                    pap = cleartext "inbound pap password"
                    opap = cleartext "outbound pap password"
                    login = <password_spec>
                    global = cleartext "outbound pap password"
                }

            global specifies the authentication method for all services.
            login applies to normal logins (exec). arap, chap, pap, and
            opap (outbound PAP) service passwords may be defined separately.
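The distinction John draws above (the tacacs-server key protects the wire between router and daemon, while the credential that logs a person in lives in a user stanza) can be seen end to end with the following added example. It is not code from the thread or from the tac_plus distribution. It embeds a constructed tac_plus.cfg fragment with a made-up key and user, a hypothetical minimal reader for just those two statements, and the body obfuscation from RFC 8907 section 4.5 applied to a PAP authentication START packet; the session id, port and remote address are constructed values.

```python
import hashlib
import re
import struct

# Constructed tac_plus.cfg fragment (not from the thread or the tac_plus
# distribution): the daemon-wide transport key and a user stanza whose
# login credential is a separate value.
TAC_PLUS_CFG = '''
key = "example-shared-secret"

user = bart {
    login = cleartext "bart-login-password"
}
'''

TAC_PLUS_VERSION = 0xC0          # major version 0xC, minor version 0
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def parse_cfg(text):
    """Hypothetical minimal reader for the two statements used above: the
    global 'key' and each user's cleartext 'login' password. Real tac_plus.cfg
    has far more syntax; this only serves the example."""
    key = re.search(r'^\s*key\s*=\s*"([^"]*)"', text, re.M).group(1)
    users = {}
    for m in re.finditer(r'user\s*=\s*(\S+)\s*\{(.*?)\}', text, re.S):
        pw = re.search(r'login\s*=\s*cleartext\s*"([^"]*)"', m.group(2))
        users[m.group(1)] = pw.group(1) if pw else None
    return key, users


def tacacs_pad(key, session_id, version, seq_no, length):
    """RFC 8907 section 4.5 pseudo-pad: MD5(session_id, key, version, seq_no)
    for the first 16 bytes, then each further MD5 also covers the previous
    digest. The key itself is never placed on the wire."""
    prefix = struct.pack('!I', session_id) + key.encode() + bytes([version, seq_no])
    pad, prev = b'', b''
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(key, session_id, seq_no, body, version=TAC_PLUS_VERSION):
    """XOR the packet body with the pad; the same call reverses it."""
    pad = tacacs_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pap_start_body(user, password, port='tty0', rem_addr='192.0.2.10'):
    """Authentication START body for a PAP login (RFC 8907 section 5.1): the
    username and the user's password both travel here, inside the obfuscated
    body. Port and remote address are constructed values."""
    u, p, r, d = (x.encode() for x in (user, port, rem_addr, password))
    hdr = struct.pack('!BBBBBBBB', TAC_PLUS_AUTHEN_LOGIN, 1,
                      TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                      len(u), len(p), len(r), len(d))
    return hdr + u + p + r + d


def demo():
    """Router side builds and obfuscates the START; server side reverses it
    with the same key and then compares the user's own login password."""
    key, users = parse_cfg(TAC_PLUS_CFG)
    session_id, seq_no = 0x1A2B3C4D, 1          # constructed values
    body = pap_start_body('bart', users['bart'])
    wire = obfuscate(key, session_id, seq_no, body)
    plain = obfuscate(key, session_id, seq_no, wire)   # server side
    return {
        'round_trip_ok': plain == body,
        'key_on_wire': key.encode() in wire,
        'password_on_wire': users['bart'].encode() in wire,
        'server_checks': plain[-len(users['bart']):].decode() == users['bart'],
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```

Running it shows the round trip succeeding with neither the key nor the login password visible in the obfuscated body, and the server comparing the recovered password against the user stanza, not against the key. Two practical consequences follow: a router whose tacacs-server key differs from the daemon's `key` will fail for every user regardless of their password (the server cannot recover the body), and the MD5 XOR pad is obfuscation rather than authenticated encryption, which is why RFC 8907 recommends carrying TACACS+ over a protected transport.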