3 November 2008
Whilst I feel that TACACS+ is a much better AAA solution for administrative access, it seems harder and harder to find documentation on how to do things, particularly on the server side.
For instance, when Juniper added TACACS+ support to ScreenOS, they documented how to add the configuration to the firewall, but the details of having to create a new service and set privilege levels on the server were left to a KB entry after the fact.
tacacs.org is now available to collect server side snippets, hints and tricks.
Contact me for details on how to contribute.
Categories : AAA, Security
16 October 2008
This snippet is tested against “recent” Shrubbery tac_plus daemons as of the date of the post.
ScreenOS 6.0+ users may have noticed that you can now configure TACACS+ servers to authenticate admin users. I’ll skip over the details, except to say that as of 6.1.0r3, failover to either of the backup servers you can configure isn’t working, so use with care.
Also note that this is authentication only: no accounting and no authorization, except for privilege levels.
ScreenOS needs a specific service in TACACS+ to authenticate. You can put this in a group or user stanza:
service = netscreen {
    vsys = root
    privilege = read-write
}
The vsys attribute specifies which vsys the user is allowed to administer. If you only have one, it’s “root”.
privilege can be read-write, read-only or root. As far as I can tell, root allows you to manage local users and mess with NSRP. Otherwise read-write gets most things done. If you’re specifying a non-root vsys, you can also assign vsys-read-write or vsys-read-only as privileges.
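A fuller tac_plus.conf fragment putting the stanza above in context, added here as an example rather than taken from the original post: a group carries the netscreen service so that every member inherits it, a read-only user overrides the privilege at the user level, and a second group grants vsys-scoped rights for a non-root vsys. The group names, user names, the vsys name “dmz” and the shared key are placeholders of my own; the login directives use the standard Shrubbery tac_plus forms (cleartext is shown only for readability, use des or PAM in practice).

```conf
# Shared secret between the firewall and the daemon (placeholder value).
key = "CHANGE-ME-shared-secret"

# Optional: keep an accounting trail even though ScreenOS only uses authentication.
accounting file = /var/log/tac_plus.acct

# Administrators with full read-write rights in the root vsys.
group = ns-admins {
    service = netscreen {
        vsys = root
        privilege = read-write
    }
}

# Operators of a single non-root vsys (vsys name "dmz" is a placeholder).
group = dmz-operators {
    service = netscreen {
        vsys = dmz
        privilege = vsys-read-write
    }
}

# Full admin: inherits vsys = root / privilege = read-write from the group.
user = alice {
    member = ns-admins
    login = des "xxxxxxxxxxxxx"
}

# Auditor: same group, but a user-level stanza overrides the privilege to read-only.
user = bob {
    member = ns-admins
    login = PAM
    service = netscreen {
        vsys = root
        privilege = read-only
    }
}

# vsys operator: may only work inside the "dmz" vsys.
user = carol {
    member = dmz-operators
    login = cleartext "example-only"
}
```

The user-level service stanza wins over the group’s, which is the simplest way to hand out read-only access without a separate group. Because ScreenOS does no command authorization, the privilege attribute is the only thing the daemon can use to limit what an authenticated admin may do, so review which users end up with root.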
Categories : AAA, Security, TACACS+