From tmurch at tommurch.com Mon May 13 17:45:57 2013
From: tmurch at tommurch.com (Tom Murch)
Date: Mon, 13 May 2013 13:45:57 -0400
Subject: [tac_plus] multiple groups per user
In-Reply-To: <0050a22e1dc7757ed77d769a9f3756c4@mail.gmail.com>
References: <0050a22e1dc7757ed77d769a9f3756c4@mail.gmail.com>
Message-ID:

Hi Daniel,

This worked very well, thank you. Is it possible to have multiple service
entries? I am not sure how to get around that, as I use both Juniper and
Cisco gear. I have an issue with auth using both.

Tom

On Thu, Mar 14, 2013 at 4:29 PM, Daniel Schmidt wrote:

> Check out do_auth.py. Several people have reported it to be very useful.
> I've been meaning to do some more work on it and Jathan had some excellent
> ideas.
>
> tacacs.org
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Tom Murch
> Sent: Thursday, March 14, 2013 12:43 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] multiple groups per user
>
> Hello I am trying to get this working. Reading the mailing list I was
> under the impression this was fixed. I am trying to have the same users
> admin both juniper and hp gear.
>
> #
> # tacacs configuration file
> # xxxxx -
> # /etc/tac_plus.conf
>
> # set the key
> key = xxxxx
>
> accounting file = /var/log/tac_plus.acct
>
> #group accounts
>
> group = admins {
>     ## cli service for junipers
>     service = junos-exec
>     {
>         local-user-name = admins
>         allow-commands = "all"
>         allow-configuration = "all"
>         deny-commands = ""
>         deny-configuration = ""
>     }
> }
>
> group = admins2 {
>     default service = permit
>     service = exec {
>         priv-lvl = 15
>     }
> }
>
> # users accounts
> user = tom {
>
>     member = admins
>     login = des "xxxxx"
>     enable = cleartext "xxxxx"
>     name = "Thomas Murch"
> }
>
> user = tomhp {
>     member = admins2
>     login = des "xxxxxx"
>     enable = cleartext "xxxx"
>     name = "Thomas Murch"
> }
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.

From daniel.schmidt at wyo.gov Mon May 13 20:57:12 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Mon, 13 May 2013 14:57:12 -0600
Subject: [tac_plus] multiple groups per user
In-Reply-To:
References: <0050a22e1dc7757ed77d769a9f3756c4@mail.gmail.com>
Message-ID:

Yeah, Cisco does NOT like to get pairs it doesn't understand. If your
Juniper and Cisco networks are on different IP spaces, then it should be
possible by creating a group to match them by IP (device_permit/deny). If
not, well....

I don't use a lot of Juniper - I think the tac pairs they send are the
same - you can un-comment the part that says "for item in av_pairs:" and
take a look at the initial pairs they send. If they are, in fact, different
than Juniper, I can kluge something to tell the difference like I did with
Nexus.

On a side note, I added '/' notation via netaddr to do_auth if anybody
wants to try it out. Makes a lot more sense than the regular expressions,
but requires an egg.
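The device-based selection Daniel describes above, as an added example that is not part of the original thread and is not do_auth's own code: it picks the AV pairs to return from the address of the device asking, so a Cisco box never receives the junos-exec pairs. The group layout, the authorize() and in_any() names and the device address ranges are assumptions made for illustration, and the standard-library ipaddress module stands in for netaddr.

```python
"""Pick TACACS+ AV pairs by device address (illustrative, not do_auth.py)."""
import ipaddress

# Constructed policy. This is NOT the do_auth.ini format: each hypothetical
# group names the device networks it covers ('/' notation) and the AV pairs
# to hand back to devices inside them. The pair values come from the
# tac_plus.conf quoted in the thread; the address ranges are made up.
GROUPS = {
    "juniper_admins": {
        "device_permit": ["198.51.100.0/24"],
        "av_pairs": ["local-user-name=admins"],
    },
    "cisco_admins": {
        "device_permit": ["192.0.2.0/24"],
        "device_deny": ["192.0.2.128/25"],
        "av_pairs": ["priv-lvl=15"],
    },
}

# One user, several groups: the device address decides which one applies.
USERS = {"tom": ["juniper_admins", "cisco_admins"]}


def in_any(addr, networks):
    """True if addr falls inside at least one of the CIDR networks."""
    return any(addr in ipaddress.ip_network(net) for net in networks)


def authorize(user, device_ip, users=USERS, groups=GROUPS):
    """Return (permitted, av_pairs) for a user logging in to device_ip.

    The user's groups are tried in order. A group is skipped when the device
    matches its device_deny list or misses its device_permit list. Unknown
    users, unparsable addresses and unmatched devices are all denied, so a
    device is never sent pairs meant for another vendor.
    """
    try:
        addr = ipaddress.ip_address(device_ip)
    except ValueError:
        return False, []
    for name in users.get(user, []):
        group = groups.get(name)
        if group is None:
            continue
        if in_any(addr, group.get("device_deny", [])):
            continue
        if in_any(addr, group.get("device_permit", [])):
            return True, list(group["av_pairs"])
    return False, []


if __name__ == "__main__":
    for device in ("198.51.100.7", "192.0.2.10", "192.0.2.200", "203.0.113.5"):
        print(device, authorize("tom", device))
```
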
From daniel.schmidt at wyo.gov Tue May 14 18:42:58 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Tue, 14 May 2013 12:42:58 -0600
Subject: [tac_plus] multiple groups per user
In-Reply-To:
References: <0050a22e1dc7757ed77d769a9f3756c4@mail.gmail.com>
Message-ID:

Ask on list - probably somebody has used do_auth with Juniper

On Tue, May 14, 2013 at 11:15 AM, Tom Murch wrote:

> Hi Daniel,
>
> any chance I could get an example config. I am not having much luck.
>
> Tom
>
>
> On Mon, May 13, 2013 at 6:08 PM, Daniel Schmidt wrote:
>
>> junos-exec - you can send that in do_auth pairs
>>
>>
>> On Mon, May 13, 2013 at 3:21 PM, Tom Murch wrote:
>>
>>> How do I pass the service = for two different things? In the
>>> tac-plus.conf or I think do-auth.ini
From alan.mckinnon at gmail.com Tue May 14 19:03:36 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 14 May 2013 21:03:36 +0200
Subject: [tac_plus] multiple groups per user
In-Reply-To:
References: <0050a22e1dc7757ed77d769a9f3756c4@mail.gmail.com>
Message-ID: <51928A88.1060904@gmail.com>

Tom,

I haven't gotten around to getting my Junipers to work with tac-plus yet,
but here's a snippet you might find useful.
In my tac_plus.conf:

    service = exec {
        optional task = "r:interface,r:ipv4,r:bgp,r:ospf,r:route-policy,r:static,r:logging"
        idletime = 30
        timeout = 720
    }
    service = junos-exec {
        local-user-name = level3
    }

IOW, IOS and Juniper can at least co-exist on some level :-)

I've long since forgotten what that junos-exec stanza is for or how it
works, but now that I look at it again, I'd say our Junipers do on-device
authorization, much like what you have to do to a Nexus to get that beast
to work.

Hope this helps, or at least gives you a hint :-)
--
Alan McKinnon
alan.mckinnon at gmail.com

From tmurch at tommurch.com Tue May 14 20:21:57 2013
From: tmurch at tommurch.com (Tom Murch)
Date: Tue, 14 May 2013 16:21:57 -0400
Subject: [tac_plus] multiple groups per user
In-Reply-To:
References: <0050a22e1dc7757ed77d769a9f3756c4@mail.gmail.com>
Message-ID:

Does anyone have an example of av_pairs? I have Arista, Juniper and HP gear
I want to auth with. I would really like to just have it pull from
/etc/passwd and use multiple groups per user so I don't need to have a huge
config for only the 5 people I work with.

Any help or example configs would be amazing. Thanks to everyone for the
help.
From patrick.bordin at cetrel.lu Thu May 30 07:22:19 2013
From: patrick.bordin at cetrel.lu (BORDIN Patrick)
Date: Thu, 30 May 2013 09:22:19 +0200
Subject: [tac_plus] Host specific Key
Message-ID: <2CE0A7B82A4E854ABC0DA2512597FC62C2DE1967AD@EXCHANGE.cetrel.lu>

Hello,

In my office, we use Tacacs F4.0.4.14 Shrubbery, with some of Cisco
routers: it works fine.
Now, we use BigIP F5 appliance, and we have a problem for the shared key.
We have this problem:

http://support.f5.com/kb/en-us/solutions/public/12000/300/sol12304.html

We use the character "#" in the shared key.

Question: with this Tacacs version, is it possible to define an additional
key in the tac_plus.conf for a specific host, to avoid changing keys in my
routers?

Thanks,
Regards,

Email: patrick.bordin at cetrel.lu

______________________________________________
This message (including any attachments) contains confidential information
intended exclusively for a specific individual purpose, and is protected by
law.
If you are not the intended recipient or if this email was sent to you by
mistake, we hereby request that you destroy this message and that you
neither use the contents nor disclose them in any manner to third parties,
because the message may contain confidential information, which is
protected by professional secrecy and because any disclosure, copying, or
distribution of this message, or the taking of any action based on it, is
strictly prohibited. Internet e-mail is subject to risks and Cetrel S.A.
denies any responsibility for damages resulting from the use of Internet
e-mail.
______________________________________________

From heas at shrubbery.net Thu May 30 16:49:01 2013
From: heas at shrubbery.net (heasley)
Date: Thu, 30 May 2013 16:49:01 +0000
Subject: [tac_plus] Host specific Key
In-Reply-To: <2CE0A7B82A4E854ABC0DA2512597FC62C2DE1967AD@EXCHANGE.cetrel.lu>
References: <2CE0A7B82A4E854ABC0DA2512597FC62C2DE1967AD@EXCHANGE.cetrel.lu>
Message-ID: <20130530164901.GB38437@shrubbery.net>

Thu, May 30, 2013 at 09:22:19AM +0200, BORDIN Patrick:
> Hello,
>
> In my office, we use Tacacs F4.0.4.14 Shrubbery, with some of Cisco
> routers: it works fine.
> Now, we use BigIP F5 appliance, and we have a problem for the shared key.
> We have this problem:
>
> http://support.f5.com/kb/en-us/solutions/public/12000/300/sol12304.html
>
> We use the character "#" in the shared key.
>
> Question: with this Tacacs version, is it possible to define an
> additional key in the tac_plus.conf for a specific host, to avoid
> changing keys in my routers?

tac_plus.conf(5):

    host
        The host clause allows the configuration values noted below to be
        set for the client name by IP address. If tac_plus is started with
        the -L option, the name can also be name as resolved from the
        address with the gethostbyaddr(3) system call, which may be the
        FQDN (Fully Qualified Domain Name) if DNS is used. It is
        recommended that the IP address be used, since the resolver can be
        slow to timeout when network faults exist.

            host = {
                key =
                prompt =
                enable =
            }

        key specifies the packet encryption for this host.

        prompt specifies the username prompt that will be presented to a
        user.