Dear Folks,

> Message: 8
> Date: Tue, 22 May 2007 18:47:21 -0700
> From: Daniel Lacey <[EMAIL PROTECTED]>
> Subject: Re: [Nagios-users] Any experience with check_tacacs_plus.pl
>
> I don't know this platform, but....
>
> A TACACS+ server's password database should be invisible to a
> TACACS client. The server's purpose is to authenticate in a way that makes
> such details irrelevant.
>
> I would create a separate user for this with little to no
> authorization... You just need to test the authentication server.
> The user and password will be stored somewhere in plain text so that the
> script using Authen::TACACSPlus will know how to connect to the server.
>

There are source RPMS for Authen::TACACSPlus so the overhead of this Perl plugin is not too bad.

check_tacacs_plus works nicely with the Cisco Secure ACS after

1. the ACS is configured to recognise the Nagios hosts (ie names + addresses of all interfaces)
2. a user is created on the ACS that the plugin will use to check that the user's password is validated.

A less attractive aspect of this plugin is that the TACACS+ secret key needs to be known to the Nagios host. Having a separate (from production) key seems like a good idea, but since the plugin accepts username and pw as options, they are visible to other users on the Nagios host (unless you use ePN or hack the plugin).

I am grateful to the plugin's authors (P Farmer et al) for this. Nice job.

Thank you,
Yours sincerely.

Classification: UNCLASSIFIED

_______________________________________________
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
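The two points raised in the message above, that the TACACS+ secret key has to be present on the Nagios host and that passing the probe user's password as a plugin option leaves it visible to other local users, as an added example that is not part of the original message, of check_tacacs_plus or of Authen::TACACSPlus: a minimal Python PAP probe using the TACACS+ framing (documented today in RFC 8907). The reason the client needs the key is concrete, since every packet body is XORed with an MD5 keystream derived from the session id, the shared secret, the version byte and the sequence number; without the secret the client can neither build a START packet the server will accept nor read the REPLY. The secret and the probe user's password are read from an owner-only file instead of the command line. The credential file format and path, the `port`/`rem_addr` labels and the hostname are this example's assumptions, and `build_reply` exists only to construct a sample server response so the parser can be exercised offline.

```python
"""Minimal TACACS+ PAP probe (added example, not the check_tacacs_plus plugin).
Every packet body is XORed with an MD5 keystream derived from the shared secret,
so the Nagios host must hold that secret; the secret and the probe user's
password are read from an owner-only file rather than passed as options.
Framing follows the TACACS+ specification (today RFC 8907)."""
import hashlib
import os
import socket
import struct

VERSION_PAP = 0xC1      # major 0xC, minor 1: minor version 1 is required for PAP
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
ACTION_LOGIN, PRIV_USER, AUTHEN_PAP, SVC_LOGIN = 0x01, 0x01, 0x02, 0x01
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS",
          6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5(session_id ++ key ++ version ++ seq_no), each further block also
    appending the previous digest. Without `key` nobody can produce it."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; calling it again on the result reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(session_id, key, user, password, port="nagios", rem_addr="127.0.0.1"):
    """Client START packet (seq_no 1) for a PAP login; port/rem_addr are assumed labels."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    body = struct.pack("!8B", ACTION_LOGIN, PRIV_USER, AUTHEN_PAP, SVC_LOGIN,
                       len(u), len(p), len(r), len(d)) + u + p + r + d
    hdr = struct.pack("!BBBBII", VERSION_PAP, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION_PAP, 1)

def build_reply(session_id, key, status, server_msg="", seq_no=2):
    """Server REPLY packet; used here only to construct a sample response offline."""
    m = server_msg.encode()
    body = struct.pack("!BBHH", status, 0, len(m), 0) + m
    hdr = struct.pack("!BBBBII", VERSION_PAP, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION_PAP, seq_no)

def parse_reply(packet, key):
    """Return (status name, server_msg); the server pads with its own seq_no."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TYPE_AUTHEN or len(packet) < 12 + length:
        raise ValueError("not a complete TACACS+ authentication packet")
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _, msg_len, _ = struct.unpack("!BBHH", body[:6])
    return STATUS.get(status, "UNKNOWN(%d)" % status), body[6:6 + msg_len].decode(errors="replace")

def load_credentials(path):
    """Read key=, user=, password= lines (assumed format); refuse a file that is
    readable by group/other or owned by someone other than the running user."""
    st = os.stat(path)
    if st.st_mode & 0o077 or st.st_uid != os.geteuid():
        raise PermissionError("%s must be mode 0600 and owned by the Nagios user" % path)
    creds = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                k, _, v = line.partition("=")
                creds[k.strip()] = v.strip()
    return creds["key"].encode(), creds["user"], creds["password"]

def pap_authenticate(host, key, user, password, port=49, timeout=5):
    """One START/REPLY round trip against a live TACACS+ server."""
    session_id = int.from_bytes(os.urandom(4), "big")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_authen_start(session_id, key, user, password))
        rfile = sock.makefile("rb")        # .read(n) returns n bytes or fewer only at EOF
        hdr = rfile.read(12)
        return parse_reply(hdr + rfile.read(struct.unpack("!I", hdr[8:12])[0]), key)

if __name__ == "__main__":
    import sys   # usage: tacacs_probe.py <acs-host> [/etc/nagios/tacacs_probe.cred]  (assumed path)
    cred_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/nagios/tacacs_probe.cred"
    key, user, password = load_credentials(cred_path)
    status, msg = pap_authenticate(sys.argv[1], key, user, password)
    print("TACACS+ %s: %s" % (status, msg))
    sys.exit(0 if status == "PASS" else 2)   # Nagios OK / CRITICAL
```

Wired into Nagios, the command definition then carries only the ACS hostname, so the process list shows nothing sensitive; the credential file is owned by the Nagios user with mode 0600. This only keeps the key and password out of other users' view on the Nagios host, it does not change the fact that the host has to hold the secret, which is why a separate, non-production key for the monitoring user is still worth having.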