[tac_plus] Re: Tacacs server key password config

John Payne john at sackheads.org
Thu Dec 17 14:26:02 UTC 2009


On Dec 16, 2009, at 6:18 PM, Osiewicz Brett R wrote:

> When setting up a TACACS+ server to authenticate a Cisco router/switch
> session, the tacacs-server key password entry provides the shared-secret
> key that authenticates the router on the TACACS+ server. This password
> permits AAA communications between the router and the TACACS+ server. 

The shared secret encrypts the communication between the TACACS+ server and the router.
It's a mutual authentication in as much as both the router and the TACACS+ server need to have the same key.

> The question: is this tacacs-server key entry now the new password used
> to access the router?  In other words, instead of entering the enable
> secret username/password combination and having the router/IOS
> authenticate the session, you now enter the password you supplied for
> the tacacs-server key password config and the TACACS server
> authenticates you. If this is true, what username do you use?

This is not true unless you've copied-n-pasted the password to a user stanza.

The user id and password are configured into the tac_plus.cfg.  See tac_plus.conf (5)

       user   Define a user whose username is <name>.

                  user = <name> {
                      [ <default service> ]
                      <user_attr>
                      <svc>
                  }

              Note:  seventeen special usernames exist: "DEFAULT", "$enable$",
              and "$enabN$" (where N is a privilege level number, normally  in
              the range 0-15 on a Cisco).  The "$enable$" user is for backward
              compatibility with previous versions of tacacs that  is  queried
              for privilege level 15 in addition to "$enab15$".
...
       user_attr
                   XXX:

                  user = bart {
                      arap = cleartext "arap password"
                      chap = cleartext "chap password"
                      enable = <password_spec>
                      pap  = cleartext "inbound pap password"
                      opap = cleartext "outbound pap password"
                      login = <password_spec>
                      global = cleartext "outbound pap password"
                  }

              global specifies the authentication  method  for  all  services.
              login  applies  to  normal  logins (exec).  arap, chap, pap, and
              opap (outbound PAP) service passwords may be defined separately.
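To make the distinction in the reply concrete, here is a minimal tac_plus.cfg as an added example (not from the original post or the tac_plus project). The top-level `key` is the shared secret that the router's `tacacs-server key` must match; the `user` stanza carries the login credentials actually typed at the router prompt. The key value, the account name, the password hashes and the accounting file path are all constructed placeholders.

```conf
# Added example: minimal tac_plus.cfg separating the shared secret
# from user credentials. All values below are constructed placeholders.

# Shared secret. The router's "tacacs-server key" must be set to the
# same string. It only obfuscates the TACACS+ packets on the wire and
# is never entered as a login password.
key = "EXAMPLE-SHARED-KEY-CHANGE-ME"

# Where accounting records are written (assumed path).
accounting file = /var/log/tac_plus.acct

# Operator account: this username/password pair is what the router
# prompts for and forwards to the server.
user = bart {
    # Password for normal (exec) logins, stored as a DES crypt hash
    # produced with tac_pwd; the value here is a placeholder.
    login = des "XXXXXXXXXXXXX"
    # Separate password checked when the operator types "enable".
    enable = des "XXXXXXXXXXXXX"
    # Grant privilege level 15 on the exec service.
    service = exec {
        priv-lvl = 15
    }
}
```

With this file, a login to the router is `bart` plus the password behind `login`, while the `key` string appears only in the server config and in the router's `tacacs-server key` line. Keeping the two values different makes it obvious in an audit if someone has copied the shared secret into a user stanza.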
