Tacacs+ using Cisco ACS


#1

We are trying to configure our Vyattas to connect to the Cisco ACS via TACACS+, using the script found in the following link:

We were able to successfully authenticate. The issue, however, is that once connected we are placed in operator mode as opposed to administrator. I have searched relentlessly but have failed to come up with a solution. Our other non-Vyatta devices use a shell profile within the ACS with manually entered attributes that are fed to the appliance upon successful authentication. These attributes tell the device which role the user belongs to. I'm not sure what others are doing in the Vyatta world because there is little to no documentation on it.

If anyone has been able to successfully connect as admin using TACACS+, please let me know how it was done.
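As an added illustration of the attribute handoff the post above describes (example code written for this page, not part of the thread and not Vyatta's or Cisco's code): the authorization REPLY that a TACACS+ server returns after a successful login is built, obfuscated with the shared key, decoded the way a client would decode it, and then mapped to a login role. The wire format and the MD5 pseudo-pad follow RFC 8907. The session ID, shared key, requested arguments and the rule that `priv-lvl=15` means `admin` while anything else (including no `priv-lvl` at all) falls back to `operator` are assumptions for the demonstration; the page does not say how Vyatta itself derives the role.

```python
"""TACACS+ authorization REPLY: build, obfuscate, decode, map to a role (RFC 8907)."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHOR = 0x02                    # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01    # server args are added to the request's args
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02   # server args replace the request's args
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
TAC_PLUS_AUTHOR_STATUS_ERROR = 0x11
TAC_PLUS_AUTHOR_STATUS_FOLLOW = 0x21
KNOWN_STATUSES = {0x01, 0x02, 0x10, 0x11, 0x21}

HEADER_FMT = ">BBBBII"                    # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5 chain keyed on session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack(">I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def build_author_reply(session_id, seq_no, key, status, args, server_msg="", data=b""):
    """Serialise an authorization REPLY: 12-byte header plus body XORed with the pseudo-pad."""
    arg_bytes = [a.encode() for a in args]
    msg = server_msg.encode()
    body = struct.pack(">BBHH", status, len(arg_bytes), len(msg), len(data))
    body += bytes(len(a) for a in arg_bytes) + msg + data + b"".join(arg_bytes)
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def parse_author_reply(packet, key):
    """Deobfuscate and decode a REPLY. Raises ValueError when the layout does not add up,
    which is what a shared-key mismatch looks like from the client side."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError(f"not an authorization packet: type {ptype:#x}")
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))
    status, arg_cnt, msg_len, data_len = struct.unpack(">BBHH", body[:6])
    if status not in KNOWN_STATUSES:
        raise ValueError(f"unknown status {status:#x}")
    arg_lens = list(body[6:6 + arg_cnt])
    off = 6 + arg_cnt
    server_msg = body[off:off + msg_len]; off += msg_len
    data = body[off:off + data_len]; off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii"))  # UnicodeDecodeError is a ValueError
        off += n
    if off != length:
        raise ValueError("field lengths do not match body length (wrong shared key?)")
    return {"status": status, "server_msg": server_msg.decode(errors="replace"), "data": data, "args": args}


def split_arg(arg):
    """'attr=value' is mandatory, 'attr*value' optional (RFC 8907 section 8.1)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError(f"malformed argument {arg!r}")


def resolve_role(reply, requested):
    """Merge REPLY args with the client's REQUEST args per status, then pick a role.
    Assumption for this example: priv-lvl 15 -> admin, anything else -> operator."""
    if reply["status"] == TAC_PLUS_AUTHOR_STATUS_PASS_REPL:
        effective = reply["args"]
    elif reply["status"] == TAC_PLUS_AUTHOR_STATUS_PASS_ADD:
        effective = requested + reply["args"]
    else:
        return "denied"
    attrs = {}
    for a in effective:
        name, value, _mandatory = split_arg(a)
        attrs[name] = value                  # server-supplied values come last and win
    return "admin" if attrs.get("priv-lvl") == "15" else "operator"


def login_role(packet, key, requested):
    """Client-side decision for one REPLY; undecodable replies are rejected, never defaulted."""
    try:
        return resolve_role(parse_author_reply(packet, key), requested)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    SESSION, KEY = 0x1A2B3C4D, b"shared-secret"          # constructed values
    REQUESTED = ["service=shell", "cmd="]                 # typical shell authorization request
    for args in (["priv-lvl=15"], ["priv-lvl=1"], []):   # the last one reproduces "authenticated but operator"
        pkt = build_author_reply(SESSION, 2, KEY, TAC_PLUS_AUTHOR_STATUS_PASS_ADD, args)
        print(args, "->", login_role(pkt, KEY, REQUESTED))
    print("wrong key ->", login_role(pkt, b"other-secret", REQUESTED))
```

The third case in the demo is the situation the post reports: authentication succeeds, the REPLY is PASS_ADD, but no attribute carrying a privilege level arrives, so the client has nothing to promote the session with and the default role applies. The wrong-key case shows why a client should treat an undecodable REPLY as a rejection rather than falling through to any default.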


#2

There must be some settings in the underlying Linux TACACS+ client configuration that you can change. Have you tried creating a local user with the same username as the TACACS+ server with admin privileges? There’s probably a way to tell the TACACS+ client what local-user settings get applied, which unix groups they belong to, etc.


#3

What is the TACACS+ server config for the user you are attempting to login as?


#4

Have you been able to get open source VyOS to talk to ACS? VyOS doesn't have TACACS+ as a protocol option, just RADIUS. I configured RADIUS and I see the request hit the ACS server, but the NAS-IP is 127.0.1.1, which is odd. Obviously a loopback on the box. I tried setting my "lo" interface to a non-loopback IP, but it doesn't seem to matter…still uses 127.0.1.1 in the NAS-IP field.
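To make the symptom in the post above concrete (example code added for this page, not from the thread or from VyOS): a constructed RADIUS Access-Request is decoded per RFC 2865 and its NAS-IP-Address is audited against the UDP source address the server actually received it from. The user name, NAS identifier and the 192.0.2.10 source address are made up for the demonstration.

```python
"""Decode a RADIUS Access-Request (RFC 2865) and audit its NAS-IP-Address."""
import ipaddress
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32
RADIUS_HEADER_LEN = 20          # code, identifier, length, 16-byte authenticator


def build_access_request(identifier, attrs):
    """attrs: list of (type, value_bytes). Access-Request carries a random Request Authenticator."""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError(f"attribute {t} value exceeds 253 bytes")
    body = b"".join(struct.pack(">BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack(">BBH", RADIUS_ACCESS_REQUEST, identifier, RADIUS_HEADER_LEN + len(body))
    return header + os.urandom(16) + body


def parse_radius(packet):
    """Split header and TLV attributes; length fields are checked before use."""
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    if length < RADIUS_HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, off = [], RADIUS_HEADER_LEN
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[off], packet[off + 1]
        if l < 2 or off + l > length:
            raise ValueError(f"bad length {l} for attribute {t}")
        attrs.append((t, packet[off + 2:off + l]))
        off += l
    return {"code": code, "identifier": identifier, "authenticator": packet[4:20], "attrs": attrs}


def audit_nas_ip(parsed, source_ip):
    """Return findings about NAS-IP-Address (RFC 2865 section 5.4); empty list means it looks sane.
    source_ip is the address the UDP datagram came from, which is what the server keys its NAS table on."""
    findings = []
    values = [v for t, v in parsed["attrs"] if t == ATTR_NAS_IP_ADDRESS]
    if not values:
        if not any(t == ATTR_NAS_IDENTIFIER for t, _ in parsed["attrs"]):
            findings.append("neither NAS-IP-Address nor NAS-Identifier present (RFC 2865 requires one)")
        return findings
    if len(values) > 1:
        findings.append("NAS-IP-Address appears more than once")
    if len(values[0]) != 4:
        findings.append("NAS-IP-Address is not a 4-byte IPv4 address")
        return findings
    nas_ip = ipaddress.IPv4Address(values[0])
    if nas_ip.is_loopback:
        findings.append(f"NAS-IP-Address {nas_ip} is a loopback address and identifies no reachable NAS")
    if nas_ip != ipaddress.IPv4Address(source_ip):
        findings.append(f"NAS-IP-Address {nas_ip} differs from the datagram source {source_ip}")
    return findings


def example_findings():
    """Constructed request resembling the post: valid user, NAS-IP-Address 127.0.1.1, real source 192.0.2.10."""
    pkt = build_access_request(7, [
        (ATTR_USER_NAME, b"alice"),                    # constructed
        (ATTR_NAS_IP_ADDRESS, bytes([127, 0, 1, 1])),  # the value reported in the post
        (ATTR_NAS_IDENTIFIER, b"vyos-lab"),            # constructed
    ])
    return audit_nas_ip(parse_radius(pkt), "192.0.2.10")


if __name__ == "__main__":
    for finding in example_findings():
        print("finding:", finding)
```

127.0.1.1 is the address Debian-derived systems (VyOS among them) typically map the machine's hostname to in /etc/hosts, so a RADIUS client that resolves its own hostname to fill NAS-IP-Address ends up sending exactly this value regardless of what the interfaces carry. The server-side audit above surfaces that mismatch by comparing the attribute with the datagram's source address instead of trusting the attribute on its own.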