[tac_plus] multiple patches?

Alan McKinnon alan.mckinnon at gmail.com
Fri Jul 27 20:17:26 UTC 2012


On Thu, 26 Jul 2012 22:23:48 -0600
Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:

> Nexus does things a bit different.  I wrote some on tacacs.org.  You
> can use authorization OR the new roles - your choice.

Based only on my own experience, I recommend one go with roles defined
on the Nexus and give the logged in user that role by sending back AV
pairs.

We tried hard to define permit/deny commands for our Nexus kit but
eventually NetOps gave up and did it locally. Maybe things have changed
since we did this 18 months ago but we simply couldn't get it to work
nicely in a mixed Cisco/Nexus environment.



> 
> On Wed, Jul 25, 2012 at 11:32 PM, Alan McKinnon
> <alan.mckinnon at gmail.com>wrote:
> 
> > On Wed, 25 Jul 2012 14:25:33 +0000
> > Joe Moore <joe.moore at holidaycompanies.com> wrote:
> >
> > > I have been running tac_plus 4.0.4.19 with the auth-fail-lock
> > > patch as required by our security assessor.
> > >
> > > I recently added some Nexus 5500 series switches to the network so
> > > now I have to deal with PAP authentication requests. Keeping plain
> > > text passwords in the tac_plus.conf file is not an option. I'm
> > > thinking about using the PAP/PAM patch for that.
> > >
> > > Can I apply both patches to the source code or do I have to choose
> > > one or the other?
> >
> > The PAP passwords do not have to be plain-text, you can put the
> > hashes in tac_plus.conf just like for regular login and enable.
> >
> > Simply copy the "login" line and do an s/login/pap/
> >
> > We have a substantial Nexus infrastructure here and that works just
> > fine for us. No other authn changes were required. [As for authz -
> > now that's a whole different story, that one took some work]
> >
> >
> > --
> > Alan McKinnon
> > alan.mckinnon at gmail.com
> >
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> >
> 
> E-Mail to and from me, in connection with the transaction 
> of public business, is subject to the Wyoming Public Records 
> Act and may be disclosed to third parties.



-- 
Alan McKinnon
alan.mckinnon at gmail.com
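Putting the two pieces of advice in this thread side by side (the quoted "copy the login line and s/login/pap/" for PAP with hashed passwords, and the reply's suggestion to hand a Nexus user a role via AV pairs), here is a tac_plus.conf fragment as an added example. It is not from the thread or the tac_plus distribution. Assumed: the user "alice", the group "nexus-admins", the shared key, the DES crypt(3) hash (a placeholder, not derived from any real password) and the NX-OS built-in role "network-admin"; the `shell:roles*` optional-attribute form is used so that IOS devices in a mixed environment can ignore an attribute they do not understand.

```conf
# Added example, not from the thread or the tac_plus distribution.
# Assumptions: user "alice", group "nexus-admins", key "S3cret-Key",
# role "network-admin" (an NX-OS built-in), and a placeholder DES hash.
# Produce a real hash with the tac_pwd utility that ships with tac_plus;
# never put cleartext passwords in this file.

key = "S3cret-Key"

group = nexus-admins {
    service = exec {
        # IOS-style devices: enable level 15 via priv-lvl.
        priv-lvl = 15
        # NX-OS devices: grant a role via the shell:roles AV pair.
        # The '*' marks the attribute optional, so a client that does not
        # recognise it (an IOS router) ignores it instead of failing
        # authorization; NX-OS accepts both the '=' and the '*' form.
        shell:roles*"network-admin"
    }
}

user = alice {
    member = nexus-admins
    # ASCII login (IOS, and NX-OS when it authenticates that way).
    login = des tqYVAdBMnMvZQ
    # PAP, which the thread says the Nexus 5500 sends: same hash,
    # same syntax, literally s/login/pap/ on the line above.
    pap = des tqYVAdBMnMvZQ
}
```

Reload tac_plus after editing and check the daemon's log for a parse error before trusting the change; if the Nexus still rejects the PAP login, confirm that the device's TACACS+ key matches the `key` line, since a key mismatch shows up as a generic authentication failure rather than a password error.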


