[tac_plus] Questions regarding tacacs+ server config file

John Fraizer john at op-sec.us
Mon Mar 26 07:28:11 UTC 2018


Take a look at http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html

It will look something like this:

key = "blah-blah-blah"
accounting file = /some/location/tacplus.acct

default authentication = file /etc/passwd

#
# Default group to run all command authentication through do_auth.
#
group = doauthaccess {
        default service = permit

        service = exec {
                priv-lvl = 1
                optional idletime = 30
                optional acl = 2
                shell:roles="\"network-operator vdc-operator\""
                }

        service = junos-exec {
                bug-fix = "first pair is lost"
                local-user-name = "remote"
                allow-commands = "(.*exit)|(show cli auth.*)"
                deny-commands = ".*"
                allow-configuration = ""
                deny-configuration = ".*"
                }
        after authorization "/usr/bin/python /some-location/do_auth.py -i $address -u $user -d $name -l /some-location/do_auth.log -f /some-location/do_auth.ini"
}


#
# Default user - Used when no user specific stanza exists in tac_plus.conf.
#
user = DEFAULT {
    member = doauthaccess
    login = PAM
}



Notice that there are two stanzas: one for 'exec' (Cisco, Cisco-like) and
one for 'junos-exec' (Juniper). You simply need to know what 'service' the
device in question is going to use, and you need a stanza for it.


--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/


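As an added illustration of the point above (example code written for this page; it is not part of the post and not part of tac_plus or do_auth), the script below parses a combined tac_plus.conf in the layout shown, follows user -> group membership, and lists which 'service = ...' stanzas the DEFAULT user can reach, so you can confirm that both the 'exec' and 'junos-exec' stanzas are present in one file. It also reports whether 'default service = permit' applies, which in tac_plus permits authorization for any service that has no stanza of its own, so the operator can check that the after-authorization hook really is the intended gate. The embedded config is a constructed copy of the one in the post with the e-mail line wrapping undone; the parser covers only the one-statement-per-line layout used there, and the rule that the first definition found in the user-to-group chain wins is an assumed simplification, not a statement of tac_plus's own precedence rules.

```python
# Added example (not from the post, not tac_plus code): parse a combined
# tac_plus.conf and report which 'service = ...' stanzas a user can reach.
import shlex

# Constructed sample: the post's combined Cisco/Juniper config, re-indented, with
# the e-mail-wrapped 'after authorization' line joined back onto one line.
SAMPLE_CONF = r'''
key = "blah-blah-blah"
group = doauthaccess {
    default service = permit
    service = exec {
        priv-lvl = 1
        optional idletime = 30
        shell:roles="\"network-operator vdc-operator\""
    }
    service = junos-exec {
        bug-fix = "first pair is lost"
        local-user-name = "remote"
        allow-commands = "(.*exit)|(show cli auth.*)"
        deny-commands = ".*"
        allow-configuration = ""
        deny-configuration = ".*"
    }
    after authorization "/usr/bin/python /some-location/do_auth.py -i $address -u $user -d $name -l /some-location/do_auth.log -f /some-location/do_auth.ini"
}
user = DEFAULT {
    member = doauthaccess
    login = PAM
}
'''


def parse_tac_plus(text):
    """Return nested blocks: {'attrs': [(key, value)], 'blocks': {(kind, name): block}}.
    Handles the one-statement-per-line layout only; keys may contain spaces."""
    root = {"kind": "root", "name": "", "attrs": [], "blocks": {}}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):                       # 'group = name {' / 'service = exec {'
            kind, _, name = line[:-1].partition("=")
            block = {"kind": kind.strip(), "name": name.strip(), "attrs": [], "blocks": {}}
            stack[-1]["blocks"][(block["kind"], block["name"])] = block
            stack.append(block)
            continue
        words = shlex.split(line)                    # strips quotes, unescapes \" inside
        if "=" in words:                             # key = value
            i = words.index("=")
            key, value = " ".join(words[:i]), " ".join(words[i + 1:])
        elif len(words) == 1 and "=" in words[0]:    # shell:roles="..." (no spaces)
            key, _, value = words[0].partition("=")
        else:                                        # after authorization "cmd"
            key, value = " ".join(words[:-1]), words[-1]
        stack[-1]["attrs"].append((key, value))
    if len(stack) != 1:
        raise ValueError("unbalanced braces in tac_plus.conf")
    return root


def membership_chain(conf, block, seen=None):
    """The block itself, then every group it names via 'member', recursively."""
    seen = set() if seen is None else seen
    key = (block["kind"], block["name"])
    if key in seen:
        return []
    seen.add(key)
    chain = [block]
    for k, v in block["attrs"]:
        if k == "member" and ("group", v) in conf["blocks"]:
            chain += membership_chain(conf, conf["blocks"][("group", v)], seen)
    return chain


def services_for_user(conf, user):
    """Map service name -> {attr: value} for each 'service = X' stanza the user
    reaches; the first definition in the user -> group chain wins (assumption)."""
    if ("user", user) not in conf["blocks"]:
        raise KeyError(f"no 'user = {user}' stanza")
    services = {}
    for block in membership_chain(conf, conf["blocks"][("user", user)]):
        for (kind, name), sub in block["blocks"].items():
            if kind == "service" and name not in services:
                services[name] = dict(sub["attrs"])
    return services


def audit_user(conf, user, required=("exec", "junos-exec")):
    """Which required services are missing, whether unlisted services are
    permitted by default, and which post-authorization hook runs."""
    reachable = services_for_user(conf, user)
    attrs = [a for b in membership_chain(conf, conf["blocks"][("user", user)]) for a in b["attrs"]]
    return {
        "services": sorted(reachable),
        "missing": [s for s in required if s not in reachable],
        "permit_by_default": ("default service", "permit") in attrs,
        "after_authorization": next((v for k, v in attrs if k == "after authorization"), None),
    }
```

Calling `audit_user(parse_tac_plus(SAMPLE_CONF), "DEFAULT")` on the sample reports both services present, 'permit_by_default' true, and the do_auth command as the hook; on a Cisco-only file the 'missing' list names 'junos-exec', which is exactly the situation the original question describes.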

On Mon, Mar 26, 2018 at 12:17 AM, veerabhadra <veerabhadra at stpi.in> wrote:

> Sir,
>
> Authenticating network users using a standalone file for each NAS works
> fine (Cisco and Juniper separately).
> Please let me know how to combine both the Cisco and Juniper config in a single
> file to authenticate the same users on both devices.
>
> Did not find any details in the man pages for combining the config for both
> devices.
>
> Regards
> Veerabhadra
>
> -----Original Message----- From: heasley
> Sent: Monday, March 26, 2018 12:32 PM
> To: veerabhadra
> Cc: tac_plus at shrubbery.net ; heasley
> Subject: Re: Questions regarding tacacs+ server config file
>
> Mon, Mar 26, 2018 at 10:18:52AM +0530, veerabhadra:
>
>> Hi,
>>
>> Can I use a "single" tac_plus.conf file to load configuration to
>> authenticate Cisco and Juniper devices at the same time?
>>
>
> yes.
>
>> If yes, can I have a template of the configuration file, please.
>>
>> I have a network with Cisco and Juniper devices and am looking to
>> authenticate users of both devices using a single TACACS server and a single
>> config file.
>>
>
> the distribution and installation provide a tac_plus.conf.sample file which
> has an example for nearly all configuration syntax.
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>