[tac_plus] multiple patches?

Joe Moore joe.moore at holidaycompanies.com
Fri Jul 27 15:59:48 UTC 2012


Thanks for the reply Daniel!

I'm hoping to avoid dealing with authorization on the Nexus stuff. Only two people have access to core switches and routers (which includes the Nexus stuff), and they need full privileges. I am also hoping to avoid making any tac_plus changes that will affect the way the aaa works with my IOS devices.

			...jgm





-----Original Message-----
From: Daniel Schmidt [mailto:daniel.schmidt at wyo.gov] 
Sent: Thursday, July 26, 2012 11:24 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] multiple patches?

Nexus does things a bit differently. I wrote some on tacacs.org. You can use authorization OR the new roles - your choice.

On Wed, Jul 25, 2012 at 11:32 PM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:

> On Wed, 25 Jul 2012 14:25:33 +0000
> Joe Moore <joe.moore at holidaycompanies.com> wrote:
>
> > I have been running tac_plus 4.0.4.19 with the auth-fail-lock patch 
> > as required by our security assessor.
> >
> > I recently added some Nexus 5500 series switches to the network so 
> > now I have to deal with PAP authentication requests. Keeping plain 
> > text passwords in the tac_plus.conf file is not an option. I'm 
> > thinking about using the PAP/PAM patch for that.
> >
> > Can I apply both patches to the source code or do I have to choose 
> > one or the other?
>
> The PAP passwords do not have to be plain-text, you can put the hashes 
> in tac_plus.conf just like for regular login and enable.
>
> Simply copy the "login" line and do an s/login/pap/
>
> We have a substantial Nexus infrastructure here and that works just 
> fine for us. No other authn changes were required. [As for authz - now 
> that's a whole different story, that one took some work]
>
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
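
Added example, not part of the original thread or of tac_plus itself: a small script that applies the "copy the login line and s/login/pap/" suggestion to every user block that has a hashed login and no pap entry, and flags any cleartext pap password it finds. The function name, the sample config and its placeholder hashes are constructed for illustration; it assumes the `login = des <hash>` / `pap = des <hash>` attribute forms and that no quoted string in the config contains braces.

```python
import re

# Constructed sample config; the hashes are placeholders, not real crypt output.
SAMPLE_CONF = """\
user = alice {
    login = des PLACEHOLDERHASH1
    enable = des PLACEHOLDERHASH2
}
user = bob {
    login = des PLACEHOLDERHASH3
    pap = cleartext "s3cret"
}
user = carol {
    login = file /etc/passwd
}
"""

USER_RE = re.compile(r'^\s*user\s*=\s*(\S+)\s*\{')
ATTR_RE = re.compile(r'^(\s*)(login|pap)\s*=\s*(.+?)\s*$')

def mirror_login_to_pap(conf_text):
    """Return (new_conf, warnings): add 'pap = des <hash>' after each hashed
    login line in user blocks lacking pap; warn on cleartext pap entries."""
    out, warnings = [], []
    user, depth, login_at, has_pap = None, 0, None, False
    for line in conf_text.splitlines():
        m = USER_RE.match(line)
        if depth == 0 and m:                      # start of a user block
            user, login_at, has_pap = m.group(1), None, False
        a = ATTR_RE.match(line)
        if user and depth == 1 and a:             # top-level attribute of the user
            indent, key, spec = a.groups()
            if key == "login" and spec.startswith("des "):
                login_at = (len(out), indent + "pap = " + spec)
            elif key == "pap":
                has_pap = True
                if spec.startswith("cleartext"):
                    warnings.append(f"{user}: cleartext pap password")
        out.append(line)
        depth += line.count("{") - line.count("}")  # track nested service blocks
        if user and depth == 0:                   # user block just closed
            if login_at and not has_pap:
                out.insert(login_at[0] + 1, login_at[1])
            user = None
    return "\n".join(out) + "\n", warnings

if __name__ == "__main__":
    new_conf, warns = mirror_login_to_pap(SAMPLE_CONF)
    print(new_conf, *warns, sep="\n")
```

Users whose login is not a `des` hash (carol above) are left untouched, and running the script a second time on its own output changes nothing.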