[tac_plus] Questions regarding tacacs+ server config file

veerabhadra veerabhadra at stpi.in
Tue May 22 09:37:36 UTC 2018


Dear Sir,

Followed your inputs and successfully authenticated users for access to Juniper J6350 and Cisco 3660 routers.
Now I have a Huawei NE40E-X3A router and have done the configuration on the router, but I am stuck on the tac_plus server config relating to it.

Please help with a template specific to the Huawei router, if you have one.

Regards
Veerabhadra


From: John Fraizer 
Sent: Monday, March 26, 2018 12:58 PM
To: veerabhadra 
Cc: tac_plus 
Subject: Re: [tac_plus] Questions regarding tacacs+ server config file

Take a look at http://www.shrubbery.net/pipermail/tac_plus/2015-April/001622.html 

It will look something like this:

key = "blah-blah-blah"
accounting file = /some/location/tacplus.acct

default authentication = file /etc/passwd

#
# Default group to run all command authentication through do_auth.
#
group = doauthaccess {
    default service = permit

    service = exec {
        priv-lvl = 1
        optional idletime = 30
        optional acl = 2
        shell:roles="\"network-operator vdc-operator\""
    }

    service = junos-exec {
        bug-fix = "first pair is lost"
        local-user-name = "remote"
        allow-commands = "(.*exit)|(show cli auth.*)"
        deny-commands = ".*"
        allow-configuration = ""
        deny-configuration = ".*"
    }

    after authorization "/usr/bin/python /some-location/do_auth.py -i $address -u $user -d $name -l /some-location/do_auth.log -f /some-location/do_auth.ini"
}


#
# Default user - Used when no user specific stanza exists in tac_plus.conf.
#
user = DEFAULT {
    member = doauthaccess
    login = PAM
}


Notice that there are two stanzas... One for 'exec' (cisco, cisco-like) and 'junos-exec' (Juniper)...  You simply need to know what 'service' the device in question is going to use and you need a stanza for it...


--
John Fraizer 
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
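The rule John states (a device's service needs its own stanza; anything else falls through to the group's "default service") can be checked mechanically. The following is an added example, not code from the thread or from tac_plus itself: a small Python parser for the stanza structure of a config like the one above that resolves a (user, service) request through user DEFAULT and group membership, showing which services a device gets from an explicit stanza and which would be permitted only because of "default service = permit". The sample config embedded in it is constructed, reusing the stanza names from the thread.

```python
import re
# Constructed sample in the style of the tac_plus.conf quoted in the thread
# (assumption: same stanza names as there; this is not the poster's file).
SAMPLE_CONF = """
group = doauthaccess {
    default service = permit
    service = exec {
    }
    service = junos-exec {
    }
}
user = DEFAULT {
    member = doauthaccess
}
"""

def parse_conf(text):
    # Map each user/group stanza to its service stanzas, memberships and 'default service'.
    tree, stack = {"group": {}, "user": {}}, []  # stack: open blocks; None = body is skipped
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(group|user|service)\s*=\s*(\S+)\s*\{$", line)
        if m and m.group(1) != "service":
            stack.append(tree[m.group(1)].setdefault(m.group(2), {"services": set(), "members": [], "default": None}))
        elif line.endswith("{"):  # a service stanza (credited to the enclosing user/group) or any other block
            if m:
                stack[-1]["services"].add(m.group(2))
            stack.append(None)
        elif line == "}":
            stack.pop()
        elif stack and stack[-1] is not None:
            key, _, value = line.partition("=")
            if key.strip() == "member":
                stack[-1]["members"].append(value.strip())
            elif key.strip() == "default service":
                stack[-1]["default"] = value.strip()
    return tree

def authorize(tree, user, service):
    # user -> member groups (DEFAULT stands in for an unknown user): explicit stanza wins, else 'default service', else deny.
    chain, todo = [], [tree["user"].get(user, tree["user"].get("DEFAULT"))]
    while todo:
        st = todo.pop()
        if st is not None and st not in chain:
            chain.append(st)
            todo += [tree["group"].get(g) for g in st["members"]]
    if any(service in st["services"] for st in chain):
        return "explicit"
    return next(("default " + st["default"] for st in chain if st["default"]), "deny")
```

Running authorize(parse_conf(SAMPLE_CONF), "alice", "ppp") returns "default permit", which is the case worth noticing: a device that asks for a service you never wrote a stanza for is still authorized, with no attributes, because of the group's default.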




On Mon, Mar 26, 2018 at 12:17 AM, veerabhadra <veerabhadra at stpi.in> wrote:

  Sir,

  Authenticating users of the network using a standalone file for each NAS works fine (Cisco and Juniper separately).
  Please let me know how to combine both cisco and juniper config in single file to authenticate same users of both devices.

  Did not find any details in man pages for combining config for both devices.

  Regards
  Veerabhadra

  -----Original Message-----
  From: heasley
  Sent: Monday, March 26, 2018 12:32 PM
  To: veerabhadra
  Cc: tac_plus at shrubbery.net ; heasley
  Subject: Re: Questions regarding tacacs+ server config file


  Mon, Mar 26, 2018 at 10:18:52AM +0530, veerabhadra:

    Hi,

    Can I use a "single" tac_plus.conf file to load configuration to authenticate
    Cisco and Juniper devices at the same time?


  yes.


    If yes, can I have a template of the configuration file, please?

    I have a network with Cisco and Juniper devices and am looking to
    authenticate users of both devices using a single TACACS server and a single
    config file.


  the distribution and installation provide a tac_plus.conf.sample file which
  has an example for nearly all configuration syntax. 
  _______________________________________________
  tac_plus mailing list
  tac_plus at shrubbery.net
  http://www.shrubbery.net/mailman/listinfo/tac_plus
