[RADIATOR] Configuring TACACS+ for V0 clients

Roth, Alfred Alfred.Roth at avocent.com
Tue Aug 26 17:41:06 CDT 2008


Hi,

We are evaluating Radiator because of its IPv6
capability, and have confirmed that it works with our appliances for the
most part.  However, we have run into one problem.  We need to be
backward compatible with TACACS+ V0 clients, and I have been unable to
correctly configure TACACS+ so that we can authenticate with users
either from the /etc/radiator/users file or the /etc/passwd file on our
Radiator server.  Here is a copy of our radius.cfg file:

-------------------------------
# radius.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with 
# a simple system. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration as required.
#
# This example will authenticate from a standard users file in
# DbDir/users and log accounting to LogDir/detail.
#
# It will accept requests from any client and try to handle request
# for any realm.
#
# You should consider this file to be a starting point only
# $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $

#Foreground
LogStdout
LogDir          /var/log/radius
DbDir           /etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace           5

# Licensing information (Silva & Alfred on Aug 13th)

LicenseMaxRequests 0
LicenseExpires 2009-08-01
LicenseOwner Avocent Corporation USA
# I removed the license key from this email

# IP and port configuration (Silva & Alfred on Aug 13th)

BindAddress 172.26.29.68,127.0.0.1,ipv6:2ffb:2222:3333:4401:290:fbff:fe81:5f9a,ipv6:::1
AuthPort 1812
AcctPort 1813

<ServerTACACSPLUS>
    BindAddress 172.26.29.68,127.0.0.1,ipv6:2ffb:2222:3333:4401:290:fbff:fe81:5f9a,ipv6:::1
    Port 49
    Key cyclades-tacacs
</ServerTACACSPLUS>

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
        Secret  cyclades
        DupInterval 0
</Client>

<Realm DEFAULT>
        <AuthBy FILE>
                Filename %D/users
        </AuthBy>
#       <AuthBy UNIX>
#               Identifier System
#               Filename /etc/passwd
#       </AuthBy>

        # Log accounting to a detail file
        AcctLogFileName %L/detail
</Realm>
<AuthBy SYSTEM>
        Auth-Type System
</AuthBy SYSTEM>
-----------------------------------

 

Here are the pertinent users from our users file:

u_global User-Ppassword = u_global
        Service-Type = Framed-User,
        Framed-Protocol = PPP

u_login Auth-Type = System

ldelpilar       Auth-Type = System
        Service-Type = Framed-User
        Framed-Protocol = PPP

 

I am assuming that u_global would authenticate from the users file
itself, but u_login and/or ldelpilar would authenticate from
/etc/passwd.  I have added the last two users to /etc/passwd on the
Radiator server.  We have the ability to configure our appliance to be
either a V0 or V1 Client, and have confirmed that it works with a
freeradius RADIUS server.

Please give me any configuration advice you can, and confirm that
Radiator works with both types of TACACS+ client.

Regards,

Al Roth
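
A diagnostic sketch for the V0/V1 question above, added here as an example; it is not part of the original post and not Radiator code. It assumes the appliance's "V0"/"V1" setting corresponds to the TACACS+ minor version in the packet header, checks a captured authentication START against the RFC 8907 pairing of minor version and authen_type, and uses a constructed key and constructed sample packets.

```python
import hashlib
import struct

# authen_type values from the TACACS+ specification (RFC 8907)
AUTHEN_TYPES = {1: "ASCII", 2: "PAP", 3: "CHAP", 5: "MSCHAP", 6: "MSCHAPv2"}
FLAG_UNENCRYPTED = 0x01


def xor_body(header: bytes, body: bytes, key: bytes) -> bytes:
    """Apply or remove TACACS+ body obfuscation (the operation is symmetric)."""
    if header[3] & FLAG_UNENCRYPTED:
        return body
    # MD5 chain over session_id, key, version, seq_no and the previous digest
    base = header[4:8] + key + header[0:1] + header[2:3]
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(base + block).digest()
        pad += block
    return bytes(b ^ p for b, p in zip(body, pad))


def inspect_authen_start(packet: bytes, key: bytes) -> dict:
    """Report the minor version of an authentication START and whether it fits."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte TACACS+ header")
    version, ptype, seq_no, _flags, _sid, length = struct.unpack("!BBBBII", packet[:12])
    if version >> 4 != 0xC or ptype != 1 or seq_no != 1:
        raise ValueError("not a TACACS+ authentication START")
    body = xor_body(packet[:12], packet[12:12 + length], key)
    if len(body) != length or length < 8:
        raise ValueError("truncated body")
    authen_type, minor = body[2], version & 0x0F
    expected = 0 if authen_type == 1 else 1   # ASCII uses minor 0; PAP/CHAP use 1
    return {"minor": minor, "authen_type": AUTHEN_TYPES.get(authen_type, "unknown"),
            "consistent": minor == expected}


def build_sample(minor: int, authen_type: int, key: bytes) -> bytes:
    """Constructed START packet for user 'u_global' (sample data, not a capture)."""
    user, port = b"u_global", b"tty0"
    body = bytes([1, 1, authen_type, 1, len(user), len(port), 0, 0]) + user + port
    header = struct.pack("!BBBBII", 0xC0 | minor, 1, 1, 0, 0x1234ABCD, len(body))
    return header + xor_body(header, body, key)


if __name__ == "__main__":
    key = b"constructed-key"  # assumption: stands in for the ServerTACACSPLUS Key
    for minor, atype in ((0, 1), (1, 2), (0, 2)):
        print(inspect_authen_start(build_sample(minor, atype, key), key))
```

If the key passed in differs from the one the client used, the body decodes to noise and authen_type will usually come back as "unknown", which separates a shared-key mismatch from a version mismatch.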
