Hi Michael,

Michael Estridge wrote on Monday, January 17, 2005 4:03 PM:
I currently have TACACS+ set up and working in a test environment. I
am able to have certain users authenticate to a switch based on the
local config file on the TACACS+ server. Those users are limited to
certain commands and all is working fine. I have been asked to try
and make it work so that the TACACS+ server will proxy the
authentication requests to an existing radius server. After the
authentication has been successful I still need each user's and/or
group's commands limited based on the TACACS+ server config file. Has
anyone done anything like this? Is it possible? Thanks for any input.

Well, everything is possible if you hack your Tacacs+ server, but in
general both protocols are incompatible in this regard: While T+ uses
distinct Authentication and Authorization requests, Radius is not able
to distinguish these two, it just knows about Authentication and
Accounting. This is why Authen&Author attributes are put together in an
Access-Accept packet.

oli
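
The split discussed in this thread, modelled in Python as an added example (not part of the original messages and not any real TACACS+ daemon's code): authentication is delegated to a stubbed RADIUS exchange, while each command is authorized from local rules. The user names, password, rules and function names are hypothetical, and the stub performs no network I/O.

```python
import hmac
import re

# Constructed sample data: users, passwords and rules are hypothetical.
RADIUS_USERS = {
    "alice": {"password": "s3cret", "attrs": {"Service-Type": "NAS-Prompt-User"}},
}
# Local TACACS+-side command rules, first match wins, default deny.
COMMAND_RULES = {
    "alice": [
        ("deny", r"^show running-config\b"),
        ("permit", r"^show\b"),
        ("permit", r"^ping\b"),
    ],
}

def radius_access_request(user, password):
    """Stub RADIUS exchange (no network I/O): a single request whose
    Access-Accept bundles authorization attributes with the auth result."""
    entry = RADIUS_USERS.get(user)
    stored = entry["password"] if entry else ""
    ok = entry is not None and hmac.compare_digest(stored.encode(), password.encode())
    if not ok:
        return {"code": "Access-Reject", "attrs": {}}
    return {"code": "Access-Accept", "attrs": dict(entry["attrs"])}

def tacacs_authen(user, password):
    """TACACS+ authentication request, proxied to RADIUS. Only the
    accept/reject code is used; the bundled attributes are dropped."""
    reply = radius_access_request(user, password)
    return "PASS" if reply["code"] == "Access-Accept" else "FAIL"

def tacacs_author(user, command):
    """TACACS+ authorization request: a separate exchange answered from
    local rules, so RADIUS is never consulted for per-command decisions."""
    for action, pattern in COMMAND_RULES.get(user, []):
        if re.search(pattern, command):
            return "PASS_ADD" if action == "permit" else "FAIL"
    return "FAIL"  # unknown user or no matching rule

if __name__ == "__main__":
    print(tacacs_authen("alice", "s3cret"))
    for cmd in ("show version", "show running-config", "configure terminal"):
        print(cmd, "->", tacacs_author("alice", cmd))
```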