[tac_plus] Managing devices with and without tacacs+ support

Alan McKinnon alan.mckinnon at gmail.com
Tue Jun 18 12:41:47 UTC 2013


On 18/06/2013 13:31, Sachin.6.Gupta wrote:
> There are some Cisco devices (Support TACACS+) and some BelAir devices (support only RADIUS. No TACACS support). Hence the issue.
> 
> Is it possible to run both RADIUS and TACACS+ on the same server? 

Yes. They do not interfere, they run on different ports and one is tcp
the other udp.

> How will the user configuration be handled?

I think you are missing information on how AAA services work. Tacacs and
Radius have nothing to do with each other, they are different programs
each with its own configuration and how you get the user data into them
is up to you.

tac_plus typically uses a flat file configuration or can hook into the
Unix PAM layer. Other methods exist too.

FreeRadius supports many backend systems too, all documented on the
site's webpage, including flat files, databases, ldap and more.

Perhaps you should clearly define what it is that you want to achieve
and how you intend to do it. This is not a case where the software
dictates to you how things must be done - instead you tell the software
how it will work. This of course means you need to make decisions.



> 
> Regards
> Sachin
> 
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Tuesday, June 18, 2013 12:53 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Managing devices with and without tacacs+ support
> 
> On 18/06/2013 09:15, Sachin.6.Gupta wrote:
>> Hi,
>>
>> We are in the process of implementing TACACS+ for all the devices in our lab.
>> However, we also have a few critical devices which don't have support for TACACS+.
>>
>> We are looking for a central solution where all the devices are AAA compliant, but with the existence of these devices and no option of replacing them, how do we implement AAA for these devices?
>>
>> Please suggest how we can provide a generic solution which caters to these devices also.
> 
> 
> There is no "generic solution"; the only thing you have is whatever protocols and systems your devices support. If you have for example something that can only use ldap for authorization, then you have no choice - you must deploy an ldap server. Same with radius, diameter, AD etc.
> 
> You'll get better advice if you list what you have and what they support.
> 
> I find that running tacacs and radius on the same server covers the majority of AAA needs.
> 
> 
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
> 


-- 
Alan McKinnon
alan.mckinnon at gmail.com


