[tac_plus] multiple patches?

Daniel Schmidt daniel.schmidt at wyo.gov
Fri Jul 27 20:24:44 UTC 2012


Authorization works - I've done it in do_auth.  But, the roles work so
well it's not worth the bother.

-----Original Message-----
From: Alan McKinnon [mailto:alan.mckinnon at gmail.com]
Sent: Friday, July 27, 2012 2:17 PM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] multiple patches?

On Thu, 26 Jul 2012 22:23:48 -0600
Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:

> Nexus does things a bit differently.  I wrote some on tacacs.org.  You
> can use authorization OR the new roles - your choice.

Based only on my own experience, I recommend one go with roles defined on
the Nexus and give the logged in user that role by sending back AV pairs.

We tried hard to define permit/deny commands for our Nexus kit but
eventually NetOps gave up and did it locally. Maybe things have changed
since we did this 18 months ago but we simply couldn't get it to work
nicely in a mixed Cisco/Nexus environment.

>
> On Wed, Jul 25, 2012 at 11:32 PM, Alan McKinnon
> <alan.mckinnon at gmail.com>wrote:
>
> > On Wed, 25 Jul 2012 14:25:33 +0000
> > Joe Moore <joe.moore at holidaycompanies.com> wrote:
> >
> > > I have been running tac_plus 4.0.4.19 with the auth-fail-lock
> > > patch as required by our security assessor.
> > >
> > > I recently added some Nexus 5500 series switches to the network so
> > > now I have to deal with PAP authentication requests. Keeping plain
> > > text passwords in the tac_plus.conf file is not an option. I'm
> > > thinking about using the PAP/PAM patch for that.
> > >
> > > Can I apply both patches to the source code or do I have to choose
> > > one or the other?
> >
> > The PAP passwords do not have to be plain-text, you can put the
> > hashes in tac_plus.conf just like for regular login and enable.
> >
> > Simply copy the "login" line and do an s/login/pap/
> >
> > We have a substantial Nexus infrastructure here and that works just
> > fine for us. No other authn changes were required. [As for authz -
> > now that's a whole different story, that one took some work]
> >
> >
> > --
> > Alan McKinnon
> > alan.mckinnon at gmail.com
> >
> >
>



--
Alan McKinnon
alan.mckinnon at gmail.com
E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
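The two approaches discussed in this thread, as a constructed tac_plus.conf fragment added to this archive page (not from any poster, nor from the tac_plus distribution): the "login" line copied with s/login/pap/ so PAP never needs a clear-text password, beside the clear-text form it replaces, and a Nexus role handed back as an AV pair instead of per-command permit/deny. The hash value, user names, group name and shared key are placeholders; the `shell:roles` attribute name is assumed from Cisco NX-OS documentation.

```conf
# Constructed example, not from the mailing-list thread or the tac_plus sources.
key = "REPLACE-WITH-SHARED-SECRET"

# Nexus: grant a device-side role through an AV pair (what Alan recommends),
# rather than maintaining permit/deny command lists per platform.
# Group must be declared before any user references it.
group = nxos_admins {
    service = exec {
        shell:roles="network-admin"
    }
}

# Weak form the original poster wants to avoid: the PAP secret is readable
# by anyone who can read tac_plus.conf.
user = joe_cleartext_example {
    login = des "XXXXXXXXXXXXX"
    pap = cleartext "Secret123"
}

# Recommended form: the "login" line duplicated as "pap", same crypt(3)-style
# hash (e.g. generated with the generate_passwd tool shipped with tac_plus).
# "XXXXXXXXXXXXX" is a placeholder, not a real hash.
user = joe {
    login = des "XXXXXXXXXXXXX"
    pap = des "XXXXXXXXXXXXX"
    member = nxos_admins
}
```

Reload tac_plus after editing and confirm with a PAP login from the Nexus that the hashed entry authenticates and the returned role appears in `show user-account` on the switch.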



More information about the tac_plus mailing list