"; ?>


TACACS+ / libradius Page



[Motivation] [Way to solve] [Realisation] [Status] [Config Samples] [Download]

1. Motivation for the Project

In the current Internet world exist a lot of networking devices from different manufacturers. Most of them support Radius for authentication and accounting (AAA). But on some devices, there is no working radius support at the moment (e.g. Ciscos Catalyst products) - they just support TACACS.

2. Ways to solve the problem

  • the first idea is to setup all useraccounts as local useraccounts on every box - but then - esp. if the number of devices grows, this is a horrible job if new accounts are needed or old account have to be removed.
  • the next idea is to setup a radius server for the radius only devices and a Tacacs server for the tacacs only devices. But then, you also have to do the work twice, if you have to modify the users database.
  • The last idea is to setup a radius server with the user database and a tacacs server, that authenticates incomming tacacs request against the radius server. The problem is, that there was no tacacs server, which was able to do that.
  • 3. Realisation

    I found a reimplementation of Ciscos free Tacacs+ Server from the Gazi University, Turkey, which was able to be patched for radius support without recoding the most of the program. So - I took the source code and have written some patches to use Juniper Networks libradius (included in FreeBSD 4.x) for the authentication.

    4. Current status

    I have to say, that our requirement is to use the tacacs and radius servers just for authenticating our Network engineers to login to the boxes and modifing the configuration. So - the tacacs proxy is only able to verify the user tying to login. There is currently no support for doing accounting thru the Tacacs Server.

    
    
    
    
    
    
    
    

    Config Samples:

    Run a TACACS Server, that allows login authenticated through a RadiusServer
    radius1.de.cw.net with radiuskey 0815 and the backup RadiusServer
    radius2.de.cw.net with radiuskey 4711 with a Tacacs Key "foobar"

    key="foobar"
    accounting file = /var/log/tac_plus.log
    default authentication = radius "0815,radius1.de.cw.net,4711,radius2.de.cw.net"i
    user = DEFAULT {
    cmd = write {
    permit .*
    }
    cmd = configure {
    permit .*
    }
    }

    Download

    go to the Download Page

    [Motivation] [Way to solve] [Realisation] [Status] [Config Samples] [Download]

    
    
    
    
    © by Martin Mersberger email
    last modified: 23.09.2013 05:57:21
    optimized for 800x600 pix, Netscape 4.x and X11R6

    powered by