[tac_plus] Re: after authorization
ibatterb at gmail.com
Fri Oct 31 19:34:00 UTC 2008
Sorry, I seem to have missed out a few words there - to clarify, the PIX
is using tacacs to verify users who are terminating a VPN on it.. in
other words, this is not for authorizing CLI commands, but rather to
validate VPN user credentials. As a side issue, it also validates exec
users trying to connect, but that's not what I'm trying to deal with at
In addition to validating the user's name and password, I need tac_plus
to pass back an AV pair that tells the PIX which group policy to apply
to the connecting VPN user. I believe this can be done with radius or
cisco ACS by returning a value for "IETF-Radius-Class" - and from what
I can see of the tacacs+ protocol, it should be able to do the same
thing. The issue is how do I tell tac_plus to return that AV pair.
Lance Vermilion wrote, On Sat 01/11/2008 03:52:
> What do you have set for your AAA statements on your PIX? What
> commands are you executing on your PIX that you think require
> On Thu, Oct 30, 2008 at 11:48 PM, Ian Batterbee <ibatterb at gmail.com
> <mailto:ibatterb at gmail.com>> wrote:
> > the client has to use authorization. also see the -d/debug options.
> You mean as opposed to authentication ? The client in this case is a
> PIX that's using tacacs to verify the user's credentials.