(RADIATOR) New Tacacs+ server ability for Radiator
Troy Holder
troy at ncstate.net
Tue Sep 2 08:51:43 CDT 2003
It is actually very easy to set up. First you have to configure
Radiator. Here are the Tacacs+ parts of my beginning config file:

<ServerTACACSPLUS>
    Key Test
    AddToRequest Class=TACACS
</ServerTACACSPLUS>

<AuthBy GROUP>
    Identifier Test
</AuthBy>

<Handler Class = TACACS >
    AcctLogFileName /local/radius/authlog/commands/%g-%i-%f
    AuthBy Test
</Handler>

I have some more work to do on the Radiator config. Since we do no
authentication with Tacacs, I will probably send Reject for all auth
requests as a safeguard. The AddToRequest is in there so that I can
distinguish Tacacs+ to Radius requests from other Radius requests.

On the Cisco IOS device you have to add the following lines:

    set tacacs server IP.Of.Server primary
    set tacacs key Test
    set accounting commands enable all stop-only tacacs+

In the logfile you will see:

Thu Aug 28 14:45:40 2003
    NAS-IP-Address = IP.Of.Cisco.Device
    Timestamp = 1062096340
    Class = "TACACS"
    User-Name = "userid"
    cisco-avpair = "task_id=64"
    cisco-avpair = "start_time=1062096340"
    cisco-avpair = "timezone=EST"
    cisco-avpair = "service=shell"
    cisco-avpair = "priv-lvl=15"
    cisco-avpair = "cmd=show radius "
    Timestamp = 0

I just now noticed that Timestamp is in there twice. I don't know why
that is. I am going to work on extracting the cisco-avpair info out so I
can log the info into a DB.
Hope this helps.
On Mon, 2003-09-01 at 09:55, Nicolai van der Smagt wrote:
> Hi,
>
> We are looking at using Radiator for our Tacacs+ operations. Does
> radiator support tacacs+ command accounting, the accounting of user
> commands entered on the client? If so, any pointers on how to configure
> this?
>
> Regards,
>
> Nicolai van der Smagt
> BBned NV
>
> On Tue, 2003-08-19 at 08:48, Mike McCauley wrote:
> > Hello all,
> >
> > We are pleased to announce the release of a new module for Radiator that adds
> > the ability for Radiator to act as a Tacacs+ server.
> >
> > Tacacs+ is an older Authentication, Authorization and Accounting (AAA)
> > protocol developed by Cisco, and supported by some Cisco devices.
> >
> > The new <ServerTACACSPLUS> clause tells Radiator to listen for Tacacs+
> > requests and convert them into Radius requests, which can then be satisfied
> > locally by Radiator, or proxied to another Radius server.
> >
> > The new module and an example configuration file are included in the latest
> > patches for Radiator 3.6.
> >
> > Feedback, bugs, issues and suggestions to me please.
> >
> > Cheers.
--
-----------------------------------
| Troy Holder troy at ncstate.net |
| Senior Network Engineer |
| Communication Technologies |
| North Carolina State University |
-----------------------------------
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
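
Added example, not part of the original message and not Radiator code: one way to do the cisco-avpair extraction the message above mentions, parsing records in the logged layout (with or without indentation) and loading the commands into a database. The SQLite table cmd_acct, its columns and the function names are assumptions, and the sample record is constructed.

```python
import re
import sqlite3

# Constructed record in the layout of the log excerpt above (placeholder NAS address).
SAMPLE = """\
Thu Aug 28 14:45:40 2003
    NAS-IP-Address = 192.0.2.10
    Timestamp = 1062096340
    Class = "TACACS"
    User-Name = "userid"
    cisco-avpair = "task_id=64"
    cisco-avpair = "service=shell"
    cisco-avpair = "priv-lvl=15"
    cisco-avpair = "cmd=show radius "
    Timestamp = 0
"""

ATTR = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_records(text):
    """Return one dict per record, with the cisco-avpair values split out."""
    records = []
    for line in text.splitlines():
        m = ATTR.match(line)
        if m is None:
            if line.strip():  # a non-attribute line is a record's date header
                records.append({"logged": line.strip(), "avpair": {}})
            continue
        if not records:
            continue  # attribute seen before any header: ignore it
        rec, (name, value) = records[-1], m.groups()
        if name == "cisco-avpair":
            key, _, val = value.partition("=")  # first '=' only; cmd may contain '='
            rec["avpair"][key] = val.strip()
        elif name != "Timestamp":
            rec[name] = value
        elif int(value):  # the trailing "Timestamp = 0" must not replace the real one
            rec.setdefault(name, int(value))
    return records

def store(records, db):
    """Insert command records into SQLite (assumed schema) and return the count."""
    db.execute("CREATE TABLE IF NOT EXISTS cmd_acct (ts, nas, username, priv_lvl, cmd)")
    rows = [(r.get("Timestamp"), r.get("NAS-IP-Address"), r.get("User-Name"),
             int(r["avpair"].get("priv-lvl", 0)), r["avpair"]["cmd"])
            for r in records if "cmd" in r["avpair"]]
    # Placeholders keep user-typed command text out of the SQL statement itself.
    db.executemany("INSERT INTO cmd_acct VALUES (?, ?, ?, ?, ?)", rows)
    return len(rows)
```

Records without a cmd pair are skipped, so the table holds only command accounting entries.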