[tac_plus] hostname resolution; include files; groups; start/stop; same keys for RADIUS and TACACS+

Morty morty+tac_plus at frakir.org
Wed May 25 01:24:37 UTC 2011


I'm testing tacacs+-F4.0.4.19 under Solaris.

Questions:

(1) I'd like to build host configs based on hostnames.  The hostnames
    are in /etc/hosts rather than DNS, so DNS lookup latency should
    not be an issue.  Even with the -L option, though, this isn't
    working correctly.  IP works fine, i.e.:

    host = $IP {
       key = "mykey"
    }

    But if I use $hostname instead, I get log entries like so:

    Wed May 25 00:52:13 2011 [15897]: Error tacacs-test : Invalid AUTHEN/START packet (check keys)

    The config with hostname is:

    host = "tacacs-test" {
        key = "mykey"
    }

(2) Is there a way to do includes in the config file?  I'd like to
    autogenerate various components of the tacacs+ config file, such
    as host sections and user sections.  Seems like the cleanest way
    to do that is to have a master config file that includes
    components as needed.  Not really too critical, though; I could
    just cat them together into one big file.

(3) Is there a way to utilize configurations based on Unix groups?  I
    already have existing Unix groups for "engineer" and "operator".
    I want to be able to do something like this:

    group = engineer {
        LOGIN=PAM
        service = exec {
            priv-lvl = 15
        }
    }

    group = operator {
        LOGIN=PAM
        service = exec {
            priv-lvl = 2
        }
    }

    This doesn't work as-is unless I also build a user stanza for each
    user, like so:

    user = morty {
        member=engineer
    }
    user = jack {
        member=operator
    }
    ...

    Is there a way to get the groups to utilize Unix group members?
    If not, I'll just write a script to autogenerate user entries as
    needed.

(4) Is there a pre-written start/stop/reload/graceful script for
    tac_plus that I'm missing?  If not, I'd be happy to contrib one.

(5) We're currently using RADIUS.  We chose RADIUS back in the day
    because it was the only AAA protocol spoken by all our devices.
    We now have some new devices that only talk TACACS+, not RADIUS.
    So I'm planning to stand up a TACACS+ server in parallel.  I'm
    planning to use the RADIUS clients file as a master and run
    scripts to regenerate the TACACS+ hosts config as needed, using
    the same key as for RADIUS.  Then the network folks can configure
    their devices to use either RADIUS or TACACS+ as needed.  I'm sure
    you guys understand the protocols better than I do.  Is it safe to
    use the same keys for both RADIUS and TACACS+, or should I
    generate separate keys for TACACS+?

TIA.

- Morty
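One way to do the autogeneration mentioned in question (3), as an added example that is not from the thread or from the tac_plus project: read /etc/group-format text and emit one tac_plus user stanza per member of each Unix group of interest. The sample group file is constructed, and the assumptions are that Unix group names map 1:1 to tac_plus group names and that a user listed in several groups gets the first group in the priority tuple (tac_plus accepts a single member line per user).

```python
#!/usr/bin/env python3
"""Generate tac_plus "user = ..." stanzas from Unix group membership."""
import sys

# Constructed sample in /etc/group format: name:password:gid:member,member
SAMPLE_GROUP_FILE = """\
root:x:0:
engineer:x:1001:morty,alice
operator:x:1002:jack,morty
wheel:x:10:root
"""

# Unix groups to turn into tac_plus groups, highest privilege first.
# Assumption: the tac_plus group has the same name as the Unix group.
TACACS_GROUPS = ("engineer", "operator")


def parse_group_file(text):
    """Return {group_name: [members]} from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line; skip rather than guess
        name, _, _, members = fields
        groups[name] = [m for m in members.split(",") if m]
    return groups


def user_stanzas(groups, wanted=TACACS_GROUPS):
    """Assign each user to the first wanted group listing them (so a user in
    both engineer and operator gets engineer) and render the stanzas."""
    assignment = {}
    for g in wanted:
        for user in groups.get(g, []):
            assignment.setdefault(user, g)
    return "".join(
        f"user = {u} {{\n    member = {g}\n}}\n"
        for u, g in sorted(assignment.items())
    )


if __name__ == "__main__":
    # Pass a path (e.g. /etc/group) to use the real file; default is the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GROUP_FILE
    sys.stdout.write(user_stanzas(parse_group_file(src)))
```

The output can be written to a separate file and concatenated with the hand-maintained group stanzas, as described in question (2), before tac_plus is reloaded.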
