[tac_plus] Create TACACS server hierarchy?

Alan McKinnon alan.mckinnon at gmail.com
Thu Mar 6 23:42:20 UTC 2014


On 07/03/2014 01:05, Aaron Wasserott wrote:
> Is there a way to create a TACACS server hierarchy? For example, point a network device at tacacs server B, if the user does not exist there, then forward request to tacacs server A to complete? Ideally with server B handling all of the communication, such that a network device only needs to be configured for server B for AAA.
> 
> This is for a lab situation, where I would like people who don't normally have network device access to be able to manage their own devices. I would point all my lab network devices to a lab tacacs server, and if they were not granted additional permissions in the lab, it would fail-back to the level of auth they would normally have (i.e., none).


Sounds like you want TAC_PLUS_AUTHEN_STATUS_FOLLOW which is part of the
Tacacs protocol but to the best of my knowledge not supported in
tac_plus (at least, none of the docs mention it).

Search for this file in Internet drafts with your favourite search engine:

draft-grant-tacacs-02.txt January, 1997

It's mentioned in section "Aborting a session" in that file.


If you want to implement such a scheme, I reckon you should first verify
your devices support it - Tacacs support varies hugely amongst vendors
and some of them are truly abominable. You can't rely on any mentioned
feature being available or not as the draft above never made it to a
full proper internet standard.



-- 
Alan McKinnon
alan.mckinnon at gmail.com
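As an added illustration (this is not code from the thread, from tac_plus, or from the draft), the following Python script shows what TAC_PLUS_AUTHEN_STATUS_FOLLOW looks like on the wire and why the warning above about client support matters. It builds a TACACS+ authentication REPLY with status FOLLOW (0x21, from draft-grant-tacacs-02), obfuscates the body with the MD5 pseudo-pad the draft specifies, then parses it the way a network device would and applies the conservative rule from the draft: a client that does not implement FOLLOW treats the reply as FAIL. The session id, shared key, server message and the contents of the data field are constructed values; the redirect list format inside the data field is left as an opaque placeholder rather than guessed. Note that RFC 8907, which later documented TACACS+, lists FOLLOW among the deprecated status values, so a lab design that depends on it is relying on behaviour many devices never implemented.

```python
import hashlib
import struct

# Packet type, header flag and authentication REPLY status codes from the draft.
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
TAC_PLUS_AUTHEN_STATUS_FOLLOW = 0x21
STATUS_NAMES = {
    0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
    0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW",
}

# 12-byte header: version, type, seq_no, flags, session_id, body length.
HEADER = struct.Struct("!BBBBII")
REPLY_FIXED = struct.Struct("!BBHH")  # status, flags, server_msg_len, data_len


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(status, server_msg, data, session_id, key, version=0xC0, seq_no=2):
    """Server side: assemble an authentication REPLY and obfuscate its body."""
    body = REPLY_FIXED.pack(status, 0, len(server_msg), len(data)) + server_msg + data
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_reply(packet, key):
    """Client side: validate the header, de-obfuscate, and split the REPLY body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet, 0)
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _rflags, msg_len, data_len = REPLY_FIXED.unpack_from(body, 0)
    off = REPLY_FIXED.size
    if off + msg_len + data_len != len(body):
        raise ValueError("length fields do not match body (wrong key or corrupt packet)")
    return {
        "session_id": session_id,
        "status": status,
        "status_name": STATUS_NAMES.get(status, "UNKNOWN"),
        "server_msg": body[off:off + msg_len],
        "data": body[off + msg_len:off + msg_len + data_len],
    }


def client_decision(reply, follow_redirects=False):
    """A device that does not implement FOLLOW treats it as FAIL, per the draft."""
    if reply["status"] == TAC_PLUS_AUTHEN_STATUS_FOLLOW and not follow_redirects:
        return TAC_PLUS_AUTHEN_STATUS_FAIL
    return reply["status"]


# Constructed sample values for a stand-alone run (not real keys or hosts).
SAMPLE_SESSION = 0x1A2B3C4D
SAMPLE_KEY = b"constructed-lab-key"


def demo():
    """Lab server B answers FOLLOW; show both possible client outcomes."""
    pkt = build_authen_reply(TAC_PLUS_AUTHEN_STATUS_FOLLOW, b"user unknown here",
                             b"<alternate-server-list placeholder>", SAMPLE_SESSION, SAMPLE_KEY)
    reply = parse_authen_reply(pkt, SAMPLE_KEY)
    return {
        "status": reply["status_name"],
        "device_without_follow": STATUS_NAMES[client_decision(reply)],
        "device_with_follow": STATUS_NAMES[client_decision(reply, follow_redirects=True)],
    }


if __name__ == "__main__":
    print(demo())
```

The point of `client_decision` is the one a lab design has to plan around: unless the specific device firmware honours FOLLOW, a user unknown to server B simply fails, which is the "none" outcome the question already expects, and nothing ever reaches server A.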


