[tac_plus] TACACS+ Authorization via LDAP

Asif Iqbal vadud3 at gmail.com
Thu Nov 7 18:24:23 UTC 2013


On Thu, Nov 7, 2013 at 12:46 PM, Sachin.6.Gupta <SG00123446 at techmahindra.com
> wrote:

> How are you generating the tac_plus.conf file for all the users?
> And where is the group bar defined?
>


You start with a basic config file and populate it over time. You can take
a look at the tac_plus.conf man page for a start. There are also example
command authorization syntaxes for T+ configs on the Cisco and Juniper
sites.

Cisco and Juniper command authorization are different. So I would recommend
sticking with separate instances of tac_plus with separate tac_plus.conf
files for authorization against Cisco and Juniper and whatever other
vendor's network devices you are using. If you pick LDAP, you will have to
have different group names for Cisco and Juniper since the syntax is
different. It would be messy.

My group bar is in the same tac_plus.conf file and that is where I define
the authorization commands that are allowed. I have multiple groups and
users get the commands based on the group they are assigned.





-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
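
Added example (not part of the original message or of the tac_plus project): a small audit helper that reads group and user blocks in tac_plus.conf syntax and reports which command rules each user ends up with through group membership. The sample config, the names alice, bob and ops, and the user-then-group lookup order are assumptions made for illustration; only the group name bar comes from the post.

```python
import re
# Constructed sample in tac_plus.conf syntax; only the group name "bar" is from the post.
SAMPLE = """
group = bar {
    cmd = show {
        permit version
        deny .*
    }
}
group = ops {
    default service = permit   # unlisted commands are allowed
}
user = alice {
    member = bar
}
user = bob {
    member = ops
}
"""

def parse(conf):
    """Collect member, default service and cmd rules for each group/user block."""
    entries, cur, cmd, depth = {}, None, None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            depth += 1
            if depth == 1 and (m := re.fullmatch(r"(group|user)\s*=\s*(\S+)\s*\{", line)):
                cur = entries[m.groups()] = {"member": None, "default service": None, "cmds": {}}
            elif depth == 2 and cur and (m := re.fullmatch(r"cmd\s*=\s*(\S+)\s*\{", line)):
                cmd = cur["cmds"].setdefault(m[1], [])
        elif line == "}":
            depth, cmd, cur = depth - 1, None, cur if depth > 1 else None
        elif cmd is not None and (m := re.fullmatch(r"(permit|deny)\s+(.+)", line)):
            cmd.append((m[1], m[2]))
        elif depth == 1 and cur and (m := re.fullmatch(r"(member|default service)\s*=\s*(\S+)", line)):
            cur[m[1]] = m[2]
    return entries

def effective(entries, user):
    """Walk user -> group chain; the nearest cmd block or default wins (assumed order)."""
    node, default, cmds, seen = entries[("user", user)], None, {}, set()
    while node is not None:
        default = default or node["default service"]
        for name, rules in node["cmds"].items():
            cmds.setdefault(name, rules)
        group = node["member"]
        node = None if group in seen else entries.get(("group", group))
        seen.add(group)
    return {"default": default or "deny", "cmds": cmds}
```

Running `effective(parse(SAMPLE), "bob")` shows a user whose group sets `default service = permit`, which is the kind of entry worth reviewing when groups are maintained by hand.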