
Tacacs+ and Groups

Status
Not open for further replies.

Saeed42

ISP
Jul 4, 2001
147
We have routers dotted around the country and we use Tacacs+ for authentication. Now what we need to do is to allow local admins to have access to their local router only, and this is where I'm running into a few problems.

Tacacs+ uses the default Linux "passwd" file and anyone with an active account on these two servers can access the routers, switches and firewalls. How would you go about it so that some users can access certain devices while others can access everything? Do I need to use authorization instead of authentication?


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Don't be content with being average. Average is as close to the bottom as it is to the top
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
You should be able to put the users into groups and restrict the list of allowed NAS for each group.

This works on the Windows version; I have never used the Linux version.

HTH,
Michael.
 
We already have groups, and users are members of groups which determines what commands they can run, but I'm not sure how to stop certain groups from logging into certain routers without an access-list.


 
In the group configuration can you see a list of allowed NAS?

I think that on the windows version (2.6) that I used to use you were able to restrict the groups to a list of valid NAS (Network Access Servers). Each router needs to be configured as a NAS for CiscoSecure to authenticate logins, so you should be able to restrict groups to specific routers. (I think this is how it worked, I am a little rusty on it).

I am hoping to have a new installation of ACS in my current position very soon. Might be able to give more help then. Not sure how different the unix implementation of ACS is either...

HTH,
Michael.
 
The only thing each group seems to have is a list of what commands they can execute and a group password. Do you remember what commands you had in your tacacs+ config file? I'm pretty sure the Linux and the Windows versions are probably similar, and seeing that config file would probably point me in the right direction.


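The thread asks how a Unix tacacs+ daemon can stop a group from logging into routers it should not manage. The free tac_plus daemon (the Cisco freeware and its Shrubbery derivative) does this with an `acl` block that lists `permit`/`deny` regular expressions matched against the NAS address, attached to a user or group with `acl = name`; the per-NAS check happens during login, so authentication is enough and no router access-list is needed. The following is an added example, not configuration from anyone in this thread: it embeds a constructed tac_plus-style config (hypothetical names and 192.0.2.0/24 documentation addresses), parses the small subset of syntax it uses, and evaluates the same first-match ACL decision the daemon makes. Treating "no rule matched" as deny is this example's own choice, which is why the sample ACL ends in an explicit `deny = .*` rather than relying on any implementation default.

```python
import re

# Constructed tac_plus-style configuration (hypothetical group/user names,
# documentation-range NAS addresses). "acl" blocks are evaluated in order,
# first match wins; a user inherits the acl of its group chain.
SAMPLE_CONF = r"""
acl = north_only {
    permit = ^192\.0\.2\.1[0-9]$
    deny = .*
}
acl = everywhere {
    permit = .*
}
group = netops {
    acl = everywhere
}
group = north_admins {
    acl = north_only
}
user = alice {
    member = netops
}
user = bob {
    member = north_admins
}
"""

BLOCK_RE = re.compile(r"^(acl|group|user)\s*=\s*(\S+)\s*\{$")
KV_RE = re.compile(r"^(\w+)\s*=\s*(.+?)\s*$")


def parse_conf(text):
    """Parse acl/group/user blocks into (acls, groups, users).

    acls: name -> [(action, compiled_regex), ...] in file order
    groups/users: name -> {key: value} (e.g. 'acl', 'member')
    """
    acls, groups, users = {}, {}, {}
    tables = {"acl": acls, "group": groups, "user": users}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BLOCK_RE.match(line)
        if m:
            kind, name = m.groups()
            tables[kind][name] = [] if kind == "acl" else {}
            current = (kind, name)
            continue
        if line == "}":
            current = None
            continue
        m = KV_RE.match(line)
        if not (m and current):
            raise ValueError(f"unparsed line: {raw!r}")
        key, value = m.groups()
        kind, name = current
        if kind == "acl":
            if key not in ("permit", "deny"):
                raise ValueError(f"acl {name}: unknown keyword {key}")
            acls[name].append((key, re.compile(value)))
        else:
            tables[kind][name][key] = value
    return acls, groups, users


def effective_acl(username, users, groups):
    """Walk user -> member group -> parent group; the first 'acl' found applies."""
    node = users[username]
    seen = set()
    while node is not None:
        if "acl" in node:
            return node["acl"]
        parent = node.get("member")
        if parent is None or parent in seen:
            return None
        seen.add(parent)
        node = groups[parent]
    return None


def nas_allowed(acls, groups, users, username, nas_ip):
    """Decide whether `username` may authenticate from NAS address `nas_ip`."""
    if username not in users:
        return False  # unknown user: nothing to authorise
    acl_name = effective_acl(username, users, groups)
    if acl_name is None:
        return True  # no acl attached means tac_plus applies no per-NAS restriction
    for action, pattern in acls[acl_name]:
        if pattern.search(nas_ip):  # tac_plus matches the NAS address text as a regex
            return action == "permit"
    return False  # assumption of this example: no matching rule -> deny


def check(username, nas_ip, conf=SAMPLE_CONF):
    """Convenience wrapper: parse the sample config and evaluate one login."""
    acls, groups, users = parse_conf(conf)
    return nas_allowed(acls, groups, users, username, nas_ip)


if __name__ == "__main__":
    for user, nas in (("bob", "192.0.2.12"), ("bob", "192.0.2.50"), ("alice", "192.0.2.50")):
        print(f"{user}@{nas}: {'permit' if check(user, nas) else 'deny'}")
```

With this layout the `north_admins` group can only authenticate to the routers whose management address matches the `north_only` ACL, while `netops` keeps access everywhere, and unknown accounts from the passwd file get no entry in the config at all. When auditing a real tac_plus.conf, look for groups that carry command lists but no `acl`: those are the ones that can log into every NAS, which is the situation the original poster describes.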
 