Michael,

Why don't you contact me privately and I will show you how it can be
done.  I am NOT an expert with TACACS but I have done enough in the last
12 months that I think I am quite good with it.  I work for an ISP and
basically we have to manage about 400 routers and switches.  Since there
are about 80 people who actually have to get their hands on the routers
every day, there has to be a way to keep track of who is doing what to
the routers and switches.  We develop TACACS "in house" from the freeware
source code at Cisco.  This TACACS server is running on a Linux platform
and it performs beautifully.  This TACACS server has the capability to
give "each" and every individual user both his/her EXEC password as well
as the Privilege level-15 password.  This TACACS server is also capable
of AAA accounting of every user and every command that users perform on
the routers.  In other words, everything is "logged".  I also develop a
script that monitors the TACACS server process in case the process dies
unexpectedly.  In that case, the process will attempt to restart itself.
If it cannot restart, it will send me an email telling me why it cannot
restart.  If it successfully restarts itself, it also sends me an email.
Before I arrived, my company was thinking of implementing Cisco ACS
running on NT platforms (Yikes).  We are talking about spending
quite a bit of money (for both the NT OS and the Cisco ACS software).  I don't
have experience with Cisco ACS; however, I was able to save the company
a lot of money with a TACACS server running on Linux platforms (an Intel
Pentium 200 MHz will do the trick).

Again, it is not very difficult to implement.  Contact me off-line if you
are interested.  However, if you are not "unix" literate, you will have
difficulty implementing TACACS on unix platforms.  You don't have to be
a "unix guru", just know enough to get by.

Sean (p.s. please include your phone number if you want me to get in
touch with you.  I am on the East Coast)

Here is a sample of AAA accounting from my tacacs accounting file:

Sun Sep 9 12:58:03 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop
task_id=86 start_time=1000054682 timezone=EDT service=shell priv-lvl=1
cmd=show interfaces Ethernet 0 0 

Sun Sep 9 12:58:14 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop
task_id=87 start_time=1000054693 timezone=EDT service=shell priv-lvl=15
cmd=write memory 

Sun Sep 9 13:04:09 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop
task_id=88 start_time=1000055048 timezone=EDT service=shell priv-lvl=0
cmd=exit 

Sun Sep 9 13:04:10 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop
task_id=64 start_time=1000054411 timezone=EDT service=shell disc-cause=1
disc-cause-ext=1020 elapsed_time=638 nas-rx-speed=0 nas-tx-speed=0

Wed Sep 12 18:23:30 2001 172.16.1.1 mojo tty66 206.173.58.175 start
task_id=89 start_time=1000333410 timezone=EDT service=shell

Wed Sep 12 18:29:56 2001 172.16.1.1 mojo tty66 206.173.58.175 stop
task_id=90 start_time=1000333796

1000649926 timezone=EDT service=shell priv-lvl=0 cmd=enable 

Sun Sep 16 10:18:53 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop
task_id=93 start_time=1000649932 timezone=EDT service=shell priv-lvl=15
cmd=configure terminal 

Sun Sep 16 10:18:55 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop
task_id=94 start_time=1000649934 timezone=EDT service=shell priv-lvl=0
cmd=exit 

Sun Sep 16 10:18:57 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop
task_id=95 start_time=1000649937 timezone=EDT service=shell priv-lvl=15
cmd=show running-config 

Sun Sep 16 10:19:06 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop
task_id=96 start_time=1000649945 timezone=EDT service=shell priv-lvl=15
cmd=configure terminal 

Sun Sep 16 10:19:11 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop
task_id=97 start_time=1000649950 timezone=EDT service=shell priv-lvl=15
cmd=no aaa group server tacacs+ primary 

>From: "michael"
>Reply-To: "michael"
>To: [EMAIL PROTECTED]
>Subject: seraching for tacacs server [7:20872]
>Date: Mon, 24 Sep 2001 02:14:10 -0400
>
>Dear all,
>
>i would kindly ask you to help me with my following question:
>
>i would like to use tacacs+ for user and password authentication, changes
>of passwords
>every month, accounting, etc.. on each router
>we currently using about 300 routers at the moment and growing....
>
>Could somebody recommend a product such delivers the above requests ?
>i testing CiscoSecure (ACS) at the moment, but is ACS the

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20946&t=20872
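
Added example, not part of the original post and not the poster's code: a parser for accounting records in the layout of the log excerpt in the message, which reports privilege level 15 commands that alter AAA configuration (such as the `no aaa group server tacacs+ primary` entry) and counts truncated records instead of failing on them. It assumes each record has been re-joined onto one line with whitespace-separated fields; `parse_record`, `aaa_changes` and the `AAA_CHANGE` watch list are hypothetical names.

```python
import re
from datetime import datetime

# Constructed sample: records copied from the post's log excerpt, re-joined onto
# one line each, plus the truncated fragment that appears in the excerpt.
SAMPLE = """\
Sun Sep 9 12:58:03 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop task_id=86 start_time=1000054682 timezone=EDT service=shell priv-lvl=1 cmd=show interfaces Ethernet 0 0
Sun Sep 9 12:58:14 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop task_id=87 start_time=1000054693 timezone=EDT service=shell priv-lvl=15 cmd=write memory
1000649926 timezone=EDT service=shell priv-lvl=0 cmd=enable
Sun Sep 16 10:18:57 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop task_id=95 start_time=1000649937 timezone=EDT service=shell priv-lvl=15 cmd=show running-config
Sun Sep 16 10:19:11 2001 172.16.1.1 learn_cisco tty66 172.16.1.70 stop task_id=97 start_time=1000649950 timezone=EDT service=shell priv-lvl=15 cmd=no aaa group server tacacs+ primary
"""

HEADER = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) (\S+) (\S+) (\S+) (\S+) (\w+)(?: (.*))?$")
# Hypothetical watch list: commands that change or remove AAA/TACACS settings.
AAA_CHANGE = re.compile(r"^(no )?(aaa|tacacs)\b")

def parse_record(line):
    """Return a dict for one accounting record, or None if it is malformed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    when, nas, user, port, remote, kind, rest = m.groups()
    rec = {"time": datetime.strptime(when, "%a %b %d %H:%M:%S %Y"),
           "nas": nas, "user": user, "port": port, "remote": remote, "type": kind}
    # Attribute values (cmd=...) contain spaces, so split only before "name=".
    for pair in re.split(r"\s+(?=[\w-]+=)", rest or ""):
        if "=" in pair:
            key, value = pair.split("=", 1)
            rec[key] = value.strip()
    return rec

def aaa_changes(text):
    """Return (alerts, skipped): priv-lvl 15 commands touching AAA, and bad lines."""
    alerts, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        if rec is None:
            skipped += 1
        elif rec.get("priv-lvl") == "15" and AAA_CHANGE.match(rec.get("cmd", "")):
            alerts.append((rec["time"].isoformat(), rec["user"], rec["nas"], rec["cmd"]))
    return alerts, skipped

if __name__ == "__main__":
    print(aaa_changes(SAMPLE))
```

A non-zero skipped count is worth alerting on as well, since a gap in the accounting file means commands that were run but cannot be attributed.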