At my place of employment, for TACACS authentication of dial-up Internet
users (who connect to our modem pool, which is in turn connected to
a couple of Cisco 250x access servers), we are using the Vikas version of
``xtacacsd''. After compiling and installing the Vikas package (latest versions
are available from ftp://ftp.navya.com/pub/vikas; I don't believe the package is
available in RPM format), you should add the following entries to the
``/etc/inetd.conf'' file so that
the daemon will be loaded by the inetd daemon whenever a TACACS request
is received:

```
# TACACS is a user authentication protocol used for Cisco Router products.
tacacs dgram udp wait root /etc/xtacacsd xtacacsd -c /etc/xtacacsd-conf
```
Next, you should edit the
``/etc/xtacacsd-conf'' file and
customize it, as necessary, for your system (however, you will probably be
able to use the default settings as-is).

Note: If you are using shadow passwords (see the section called Linux Password & Shadow File Formats in Chapter 6 for details), you will have some problems
with this package. Unfortunately, PAM (Pluggable Authentication Modules),
which Red Hat uses for user authentication, is not supported by this
package. One workaround that I use is to keep a separate
``passwd'' file in
``/usr/local/xtacacs/etc/'' which
matches the one in /etc/ but is non-shadowed. This is a bit of a hassle,
and if you choose to do this, make sure you set permissions on the other
password file so that it is only readable by root:

```
chmod a-wr,u+r /usr/local/xtacacs/etc/passwd
```
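The workaround above, as an added example that is not part of the original guide: a small script that builds the non-shadowed copy in ``/usr/local/xtacacs/etc/'' from /etc/passwd and /etc/shadow and leaves it readable by root only, plus the permission check to run afterwards. The script and function names are my own; the paths are the ones the guide uses.

```shell
#!/bin/sh
# Added example (not from the guide): build the non-shadowed password copy
# that xtacacsd reads, by merging /etc/passwd with the hashes from
# /etc/shadow, and lock it to mode 0400. Run as root so /etc/shadow is
# readable; the resulting file is then owned by root as well.

make_xtacacs_passwd() {
    src_passwd=$1
    src_shadow=$2
    dest=$3

    [ -r "$src_shadow" ] || { echo "cannot read $src_shadow" >&2; return 1; }

    # Recreate the target under umask 077 so the hashes are never
    # group- or world-readable, not even while the file is being written.
    rm -f "$dest"
    ( umask 077; : > "$dest" ) || return 1

    # Join on the username: every passwd line whose hash field is "x"
    # gets the hash from the matching shadow line. Users with no shadow
    # entry keep "x", which cannot match any password.
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }            # first file: shadow
        ($1 in hash) && $2 == "x" { $2 = hash[$1] }  # second file: passwd
        { print }
    ' "$src_shadow" "$src_passwd" >> "$dest" || return 1

    chmod 400 "$dest"
}

# The check to run afterwards: succeed only if the copy is unreadable by
# group and others (the effect of the guide's chmod a-wr,u+r).
check_xtacacs_passwd() {
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage (as root):
#   sh build-xtacacs-passwd.sh /etc/passwd /etc/shadow /usr/local/xtacacs/etc/passwd
if [ $# -eq 3 ]; then
    make_xtacacs_passwd "$@" && check_xtacacs_passwd "$3"
fi
```

Re-run the script whenever a dial-up user's password changes, since xtacacsd never sees /etc/shadow and the copy goes stale otherwise.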
If you do indeed use shadow, you will most certainly need to edit
the ``/etc/xtacacsd-conf'' file
and point it at the location of the non-shadowed password file (assuming you are using
the workaround I have suggested above).

The next step is to configure your access server(s) to authenticate
logins for the desired devices (such as dial-up modems) with TACACS.
Here is a sample session on how this is done:

```
mail:/tftpboot# telnet xyzrouter
Escape character is '^]'.
User Access Verification
Password: ****
xyzrouter> enable
Password: ****
xyzrouter# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
xyzrouter(config)# tacacs-server attempts 3
xyzrouter(config)# tacacs-server authenticate connections
xyzrouter(config)# tacacs-server extended
xyzrouter(config)# tacacs-server host 123.12.41.41
xyzrouter(config)# tacacs-server notify connections
xyzrouter(config)# tacacs-server notify enable
xyzrouter(config)# tacacs-server notify logouts
xyzrouter(config)# tacacs-server notify slip
xyzrouter(config)# line 2 10
xyzrouter(config-line)# login tacacs
xyzrouter(config-line)# exit
xyzrouter(config)# exit
xyzrouter# write
Building configuration...
[OK]
xyzrouter# exit
Connection closed by foreign host.
```
All TACACS activity log messages will be recorded in
``/var/log/messages'' for your
perusal.