New snapshot: tac_plus: Multi-key support


Marc Huber

Feb 27, 2011, 7:55:21 AM
to Event-Driven Servers
Today's snapshot

http://www.pro-bono-publico.de/projects/src/DEVEL.201102271335.tar.bz2

adds support for multiple key definitions to tac_plus. This may come in
handy if you need to switch to a new key (e.g. the old key was
compromised, regular key change intervals, ...).

Example:

host = ... {
...
key = key_one
key = key_two
key warn = key_three
...
}

The "warn" keyword is optional and will log a message to syslog in
case the particular key is used. Keys will be tried in order, and the
first one that succeeds in decoding a packet will be used for the
particular connection.

Cheers,

Marc
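
The key-trial behaviour described in the post above, as an added example that is not part of the original message or of tac_plus itself: a TACACS+ Authentication START body is de-obfuscated with each configured key in configuration order, and the first key that produces a body that parses is the one used for the connection (with the "warn" flag reported alongside it). The body obfuscation follows the chained-MD5 pseudo-pad of the TACACS+ protocol (RFC 8907, section 4.5); the "does it parse" heuristic, the simplified config parser, the host/user/port values and the sample config are this example's own assumptions, not how tac_plus implements it.

```python
# Added example (not tac_plus code): try several configured keys in order and
# pick the first one that de-obfuscates a packet into something that parses.
# Body obfuscation per RFC 8907 s.4.5; the plausibility test and parse_keys()
# are this example's own simplifications, not the tac_plus implementation.
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01             # header type: authentication packet
TAC_PLUS_UNENCRYPTED = 0x01        # header flag: body sent in the clear
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

# Constructed sample config, mirroring the shape of the snippet in the post.
SAMPLE_HOST_BLOCK = """host = 10.0.0.1 {
    key = key_one
    key = key_two
    key warn = key_three
}
"""


def parse_keys(host_block: str):
    """Collect 'key = X' / 'key warn = X' lines of a host block, in order.
    Returns [(key_bytes, warn_flag), ...].  Simplified parser for the snippet
    shown above, not the tac_plus config grammar (assumption)."""
    keys = []
    for line in host_block.splitlines():
        lhs, sep, rhs = line.partition("=")
        words = lhs.split()
        if sep and words and words[0] == "key":
            keys.append((rhs.strip().encode(), "warn" in words[1:]))
    return keys


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """Chained MD5 pseudo-pad: MD5(sid|key|ver|seq), MD5(sid|key|ver|seq|prev), ..."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:n]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, key: bytes,
                       session_id: int, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """Client side: Authentication START (action LOGIN, ASCII, service LOGIN),
    obfuscated under the given key."""
    data = b""
    body = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
    body += user + port + rem_addr + data
    hdr = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, seq_no)


def looks_like_authen_start(body: bytes) -> bool:
    """Plausibility test for a de-obfuscated START body (example heuristic):
    enum fields in range and the four length bytes account for the whole body.
    A wrong key yields pseudo-random bytes, which almost never pass this."""
    if len(body) < 8:
        return False
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    return (action in (1, 2, 3) and priv_lvl <= 15 and 1 <= authen_type <= 6
            and service <= 9 and 8 + ul + pl + rl + dl == len(body))


def try_keys(packet: bytes, keys):
    """Server side: try keys in config order; return (key, warn, body) for the
    first one whose result parses, or raise if none does.  The warn flag is
    what a server would turn into the syslog message."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if flags & TAC_PLUS_UNENCRYPTED or ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("example only handles obfuscated Authentication START")
    obf = packet[HEADER.size:HEADER.size + length]
    for key, warn in keys:
        body = obfuscate(obf, session_id, key, version, seq_no)
        if looks_like_authen_start(body):
            return key, warn, body
    raise ValueError("no configured key decodes this packet")


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_HOST_BLOCK)
    pkt = build_authen_start(b"alice", b"tty0", b"10.0.0.5", b"key_three", 0x11223344)
    key, warn, body = try_keys(pkt, keys)
    print(key, "warn" if warn else "ok", body[8:8 + body[4]])
```

During a rotation the ordering matters only for how many MD5 passes a packet costs, so put the new key first and mark the old one with "warn": the syslog messages then list exactly the devices that have not been migrated yet, and the old key can be removed once they stop appearing.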

Aaron Turner

Feb 28, 2011, 12:56:54 PM
to event-driv...@googlegroups.com
That's a great feature, Marc. I've been wondering how we'd ever be
able to change the key; this makes it easy. The warn feature was a
great touch!

-Aaron

--
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"

Blake

Mar 31, 2011, 3:44:39 PM
to Event-Driven Servers
I'm trying to get a tac_plus server running as a replacement for Cisco
ACS, and while configuring tac_plus.conf I'm running into an issue.
The server will be used for authenticating many routers we have
deployed and they are all divided up into different groups. Each
group has a different key in use already and each group has at least
300 devices in it.

While trying to add multiple keys to the conf file, I get an error
when trying to restart the tacacs_plus service.

The error states:
Error: Duplicate value for <string> testing123 and testing on line 88

the .conf file has the following in it:
host = x.x.x.x {
key = testing123
key = testing
}

What am I missing that is not allowing me to use multiple keys on this
server? Thanks in advance!

Marc Huber

Apr 1, 2011, 3:43:14 AM
to Event-Driven Servers
Hi Blake,

On 31 Mar., 21:44, Blake <blakest...@gmail.com> wrote:
> Error: Duplicate value for <string> testing123 and testing on line 88

this error message indicates that you're running a snapshot older than
201102271335.

> What am I missing that is not allowing me to use multiple keys on this
> server? Thanks in advance!

You'll need to upgrade to the current snapshot.

Cheers,

Marc

Paul Marin

Apr 1, 2011, 10:31:41 AM
to event-driv...@googlegroups.com
Hi Blake,

I am trying to do the same, that is, to get a tac_plus server running as a
replacement for Cisco ACS. I have tried the multi-key support of
tac_plus and it worked for me.

The tac_plus version that I am running is 201103121227.

Kindly,

Paul


On 31/03/2011 03:14 p.m., Blake wrote:

Blake

Apr 4, 2011, 4:51:49 PM
to Event-Driven Servers
Thanks a lot for the reply, this is exactly what my issue was. The
Ubuntu package for tac_plus is apparently pretty old. The new replacement
for ACS is now up and running! :)

Thanks again,
Blake

Paul Marin

Apr 4, 2011, 5:42:56 PM
to event-driv...@googlegroups.com
Is there an Ubuntu package for tac_plus? I didn't know that...

Paul


On 04/04/2011 04:21 p.m., Blake wrote:
