Configuring Unix (FreeBSD) to authenticate to TACACS

# 1
07-21-2011
Can someone please post the steps needed to configure a UNIX server to authenticate with a TACACS+ server, or point me in the right direction? I've been googling for 2 days now. Thanks

tac_plus(8)                   System Manager's Manual                   tac_plus(8)

NAME
       tac_plus - tacacs plus daemon

SYNOPSIS
       tac_plus -C <configfile> [-GghiLPSstv] [-B <bind_address>] [-d <level>]
                [-l <logfile>] [-p <tcp_port>] [-u <wtmpfile>] [-w <wholog>]

DESCRIPTION
       By default, tac_plus listens on tcp port 49 and provides network devices
       (normally routers and access servers) with authentication, authorization
       and accounting services. A configuration file controls the details of
       authentication, authorization and accounting.

COMMAND-LINE OPTIONS
       -C <configfile>
              Specify the configuration file name. The -C option is required.

       -B <bind address>
              Specify the address on which the daemon should bind(2).
              Successive instances of -B override previous instances. By
              default, the daemon listens on all addresses. Note: this changes
              the name of the pid file created by the daemon.

       -G     Remain in the foreground, but neither single-threaded nor
              logging to the tty.

       -d <level>
              Switch on debugging. By default the output will appear in the
              log file and syslog(3). NOTE: The -g flag will cause these
              messages to also appear on stdout. The -t flag will cause these
              messages to also be written to /dev/console. The value of level
              is as described below. These values represent bits that can be
              logically OR'd together. The daemon logically ORs successive
              occurrences of the -d option.

              Value   Meaning
              8       authorization debugging
              16      authentication debugging
              32      password file processing debugging
              64      accounting debugging
              128     config file parsing & lookup
              256     packet transmission/reception
              512     encryption/decryption
              1024    MD5 hash algorithm debugging
              2048    very low level encryption/decryption

       -g     Single threaded mode. The daemon will only accept and service a
              single connection at a time without forking and without closing
              file descriptors. All log messages appear on standard output.
              This is intended only for debugging and not for normal service.
              This option does not work with single-connection sessions.

       -h     Display help message.

       -i     tac_plus will be run from inetd(8). In inetd mode, the
              configuration file is parsed every time tac_plus starts. If the
              configuration is large or the frequency of connections is high,
              this will negatively affect the responsiveness of the daemon. If
              the config file is small, connections are infrequent, and
              authentication is being done via passwd(5) files or SKEY (which
              are not cached), running in inetd mode should be tolerable, but
              still is not recommended. This option does not work with
              single-connection sessions.

       -l <logfile>
              Specify an alternate log file location. This file is only used
              when the -d option is used. The logs are still posted to syslog.

       -L     Look up the DNS PTR (Domain Name System PoinTeR) record of
              client addresses. The resulting FQDN (Fully Qualified Domain
              Name), if it resolves, will be used in log messages, libwrap
              (tcp_wrappers) checks, and for matching host clauses of the
              configuration file. Also see tac_plus.conf(5).

       -P     Parse the configuration file, echo it to standard output while
              parsing, and then exit. tac_plus will exit non-zero when a
              parser error occurs. Useful for debugging configuration file
              syntax.

       -p <port>
              Listen on the specified port number instead of the default port
              49 for incoming tcp connections. Note: this changes the name of
              the pid file created by the daemon.

       -S     Enables or allows client single-connection mode, whereby the
              client will create one connection and interleave queries. Note:
              this is broken in IOS and IOS-XE. Note: this is currently only
              partially supported in the daemon.

       -s     Causes the daemon to always reject authentication requests which
              contain a minor version number of zero (SENDPASS). This enhances
              security in the event that someone discovers your encryption
              key. SENDPASS requests permit requesters to obtain CHAP, PAP and
              ARAP passwords from the daemon, iff the encryption key is known.
              (The TACACS+ packet body is not encrypted in the modern sense:
              it is XORed with an MD5-derived keystream seeded from the shared
              key, so anyone who learns the key can also decode captured
              sessions, not only forge SENDPASS requests.) Note: IOS versions
              preceding 11.2 will fail.

       -t     Log all informational, debugging or error messages to
              /dev/console in addition to logging to syslogd. Useful for
              debugging.

       -u <wtmpfile>
              Write wtmp entries to the specified wtmp file.

       -v     Display version information and exit.

       -w <wholog>
              Specify the location of the max session file.

STARTING
       tac_plus is normally invoked by root, as follows:

              # tac_plus -C <configfile>

       where <configfile> is a full path to the configuration file. Tac_plus
       will background itself and start listening on port 49 for incoming tcp
       connections.

       Tac_plus must be invoked as root to obtain privileged network socket 49
       and to read the protected configuration file, which may contain
       confidential information such as encryption keys and cleartext
       passwords. After the port is acquired and the config file is read, root
       privileges are no longer required. You can arrange that tac_plus will
       change its user and group IDs to a more innocuous user and group via
       the configuration file. NOTE: The new user and group still need
       permission to read any passwd(5) (and shadow(5)) files and the S/KEY
       database if these are being used.

TCP WRAPPERS
       If tac_plus was compiled with libwrap (aka tcp_wrappers) support, upon
       connection the daemon will consult tcp_wrappers on whether the client
       has permission to connect. The daemon name used in a daemon list of the
       access control file is the name of the executable, normally "tac_plus".
       See hosts_access(5).

PERMISSIONS
       The configuration file should be unreadable and unwritable by anyone
       except root, as it contains passwords and keys.

SIGNALS
       If the daemon receives a SIGHUP or SIGUSR1, it will reinitialize itself
       and re-read its configuration file. Note: if an error is encountered in
       the configuration file, the daemon will die.

LOG MESSAGES
       tac_plus logs error and informational messages to syslog facility
       LOG_DAEMON.

FILES
       /var/log/tac_plus.acct
              Default accounting file.

       /var/log/tac_plus.log
              Default log file used when the -d option is used.

       /var/run/tac_plus.pid
              Pid file. If the -B option is used, ".bind_address" is
              appended. If the -p option is used, ".port_number" is appended.

SEE ALSO
       tac_plus.conf(5), tac_pwd(8)

       Also see the tac_plus User Guide (user_guide) that came with the
       distribution. The user guide does not cover all the modifications to
       the original Cisco version.

HISTORY
       There are at least 3 versions of the authentication protocol that
       people commonly refer to as "TACACS". The first is ordinary tacacs,
       which was the first one offered on Cisco boxes and has been in use for
       many years. The second is an extension to the first, commonly called
       Extended Tacacs or XTACACS, introduced in 1990. The third one is
       TACACS+ (or T+ or tac_plus), which is what is documented here. TACACS+
       is NOT COMPATIBLE with any previous versions of tacacs.

AUTHOR
       The tac_plus (tacacs+) developer's kit is a product of Cisco Systems,
       written by Lol Grant. Made available at no cost and with no warranty of
       any kind. See the file COPYING and source files that came with the
       distribution for specifics. Though heavily modified from the original
       Cisco manual pages, many of the modifications are derived from the
       tacacs IETF draft and the Cisco user guide.

                                 27 July 2009                        tac_plus(8)
