[tac_plus] Questions regarding tacacs+ server config file
veerabhadra
veerabhadra at stpi.in
Fri Jun 1 04:50:20 UTC 2018
Dear Team,
I am able to use the tacacs server to authenticate users connecting to three different vendors' devices, viz. Cisco, Juniper and Huawei.
Configuration of tacacs is attached for reference.
I would like to know how to make users create strong passwords while creating users in tacacs.
I.e., is there any way I could make the system ask for a password of length 10 letters including capital, special character etc.?
Please suggest.
Regards
Veerabhadra
From: veerabhadra
Sent: Tuesday, May 22, 2018 3:07 PM
To: John Fraizer
Cc: tac_plus
Subject: Re: [tac_plus] Questions regarding tacacs+ server config file
Dear Sir,
Followed your inputs and successfully authenticated users for access to Juniper J6350 and Cisco 3660 routers.
Now, I have a Huawei NE40E-X3A router and have done the configuration on the router, but am stuck on the tac_server config relating to it.
Please help with a template specific to the Huawei router, if you have one.
Regards
Veerabhadra
From: John Fraizer
Sent: Monday, March 26, 2018 12:58 PM
To: veerabhadra
Cc: tac_plus
Subject: Re: [tac_plus] Questions regarding tacacs+ server config file
Take a look at http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html
It will look something like this:
key = "blah-blah-blah"
accounting file = /some/location/tacplus.acct
default authentication = file /etc/passwd
#
# Default group to run all command authentication through do_auth.
#
group = doauthaccess {
    default service = permit
    service = exec {
        priv-lvl = 1
        optional idletime = 30
        optional acl = 2
        shell:roles="\"network-operator vdc-operator\""
    }
    service = junos-exec {
        bug-fix = "first pair is lost"
        local-user-name = "remote"
        allow-commands = "(.*exit)|(show cli auth.*)"
        deny-commands = ".*"
        allow-configuration = ""
        deny-configuration = ".*"
    }
    after authorization "/usr/bin/python /some-location/do_auth.py -i $address -u $user -d $name -l /some-location/do_auth.log -f /some-location/do_auth.ini"
}
#
# Default user - Used when no user specific stanza exists in tac_plus.conf.
#
user = DEFAULT {
    member = doauthaccess
    login = PAM
}
Notice that there are two stanzas... One for 'exec' (cisco, cisco-like) and 'junos-exec' (Juniper)... You simply need to know what 'service' the device in question is going to use and you need a stanza for it...
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
On Mon, Mar 26, 2018 at 12:17 AM, veerabhadra <veerabhadra at stpi.in> wrote:
Sir,
Authenticating users of the network using a standalone file for each NAS works fine (Cisco and Juniper separately).
Please let me know how to combine both the Cisco and Juniper config in a single file to authenticate the same users of both devices.
I did not find any details in the man pages for combining config for both devices.
Regards
Veerabhadra
-----Original Message----- From: heasley
Sent: Monday, March 26, 2018 12:32 PM
To: veerabhadra
Cc: tac_plus at shrubbery.net ; heasley
Subject: Re: Questions regarding tacacs+ server config file
Mon, Mar 26, 2018 at 10:18:52AM +0530, veerabhadra:
> Hi,
> Can I use a "single" tac_plus.conf file to load configuration to authenticate
> Cisco and Juniper devices at the same time.
yes.
> If yes, can I have a template of the configuration file, please.
> I have the network with Cisco and Juniper devices and am looking to
> authenticate users of both devices using a single tacacs server and single
> config file.
the distribution and installation provide a tac_plus.conf.sample file which
has an example for nearly all configuration syntax.
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/tac_plus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20180601/c7dec0c0/attachment.html>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 260518.txt
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20180601/c7dec0c0/attachment.txt>
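Added example, not part of the thread or of the tac_plus distribution: a small Python check that lists which `service` stanzas each group or user block of a tac_plus.conf declares, so a device type whose service has no stanza is noticed before rollout. It also reports `default service = permit`, which in tac_plus authorizes services that have no stanza of their own. The sample config is constructed from the stanzas quoted in the thread; `audit_services`, `missing_services` and the service name `example-svc` are hypothetical names.

```python
import re
# Constructed sample, trimmed from the group/user stanzas quoted in the thread.
SAMPLE_CONF = r'''
group = doauthaccess {
    default service = permit
    service = exec {
        shell:roles="\"network-operator vdc-operator\""
    }
    service = junos-exec {
        deny-commands = ".*"
    }
}
user = DEFAULT {
    member = doauthaccess
    login = PAM
}
'''

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
BLOCK = re.compile(r'^(group|user|service)\s*=\s*(\S+?)\s*\{$')

def audit_services(conf_text):
    """Map 'group:NAME'/'user:NAME' to its declared services and default."""
    report, stack = {}, []
    for raw in conf_text.splitlines():
        # Blank quoted values first so '#', '{' or '}' inside them is ignored.
        line = QUOTED.sub('""', raw).split("#", 1)[0].strip()
        owner = next((s for s in reversed(stack) if s), None)
        m = BLOCK.match(line)
        if m and m.group(1) != "service":
            stack.append(f"{m.group(1)}:{m.group(2)}")
            report[stack[-1]] = {"services": set(), "default_permit": False}
        elif line.endswith("{"):
            if m and owner:
                report[owner]["services"].add(m.group(2))
            stack.append(None)  # a service stanza or some other nested block
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif owner and len(stack) == 1 and re.fullmatch(r"default service\s*=\s*permit", line):
            report[owner]["default_permit"] = True
    if stack:
        raise ValueError("unclosed block")
    return report

def missing_services(conf_text, block, required):
    """Return the services in `required` that `block` has no stanza for."""
    return sorted(set(required) - audit_services(conf_text)[block]["services"])
```

Call `missing_services(text, "group:doauthaccess", [...])` with the service names your devices actually request; those names are site-specific and have to come from the device documentation or the accounting log.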