XTACACS (Extended Terminal Access Controller Access Control System) is a
protocol written by Cisco Systems and defined in RFC 1492. XTACACS supports
authentication, authorization, and accounting.

Reference: RFC 1492, "An Access Control Protocol, Sometimes Called TACACS",
C. Finseth, July 1993.

TACACS+ Attribute Value List
A TACACS+ Attribute Value List (AVL) is a list of TACACS+ Attribute Value
(AV) pairs. TACACS+ AV pairs are configuration settings to be applied to a
user.
For example, the AV pair 'inacl=10' applies the input access control list
10 to a user; the AV pair 'timeout=30' sets an absolute timeout value for
a user of 30 minutes.
In general, an AV pair is of the form 'a=b' or 'a*b', in which 'a' is the
attribute and 'b' is the value. The '=' separator indicates that the AV
pair is mandatory, while the '*' separator indicates that the AV pair is
optional.
An Attribute Value List (AVL) is a list of AV pairs separated
by semicolons. For example, the AVL 'inacl=10;outacl=20;timeout=30'
applies the input access list 10, output access list 20 and a timeout value
of 30 minutes to a user.
In practice, the actual supported AVL depends on the capabilities of the
NAS.
For example, for a Cisco NAS running IOS Ver 11.3, the following AV pairs
are supported:

Attribute  Meaning
acl        Used in Exec or ARAP authorization to indicate an access class
           number or an access list number.
inacl      Used in TCP/IP over PPP Authorization or SLIP Authorization to
           indicate an IP input access list number.
outacl     Used in TCP/IP over PPP Authorization or SLIP Authorization to
           indicate an IP output access list number.
addr       Used in TCP/IP over PPP Authorization or SLIP Authorization to
           indicate an IP address that the user should use.
routing    Used in TCP/IP over PPP Authorization or SLIP Authorization to
           indicate when routing is allowed. This value can be either true
           or false. For example, routing=true.
timeout    The absolute number of minutes before a session disconnects.
           For Cisco IOS Ver 11.1, this attribute is only applicable to
           Exec Authorization and ARAP Authorization.
autocmd    Specifies an autocommand to be executed when the user logs in
           to the command shell. For example, autocmd=telnet 123.123.45.34.
           Used only in Exec Authorization.
noescape   Specifies whether the user can use an escape character. Can be
           either true or false. For example, noescape=true. Used only in
           Exec Authorization.
nohangup   Specifies not to disconnect after an automatic command. Can be
           either true or false. Used only in Exec Authorization.
priv-lvl   Specifies the privilege level of the user. Can be from 0 to 15.
           Used only in Exec Authorization.
addr-pool  Specifies the name of a local pool from which to get the
           address of the user. Used only in TCP/IP over PPP Authorization.
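As an added example (not Cisco's code and not part of the original message), here is a small parser and sanity checker for the AVL format described above: it splits an AVL at semicolons, splits each pair at its first '=' or '*' to recover the mandatory/optional flag, and then checks values against the IOS 11.3 table. The grouping of attributes into boolean and numeric sets is my own assumption drawn from that table.

```python
from dataclasses import dataclass
from typing import List

# Attribute groupings are an assumption derived from the IOS 11.3 table above.
BOOLEAN_ATTRS = {"routing", "noescape", "nohangup"}   # must be true/false
NUMERIC_ATTRS = {"acl", "inacl", "outacl", "timeout"}  # list numbers / minutes


@dataclass
class AVPair:
    attribute: str
    value: str
    mandatory: bool  # True for 'a=b', False for 'a*b'


def parse_av_pair(text: str) -> AVPair:
    """Split one AV pair at its first '=' or '*'; the value may itself contain either."""
    positions = [i for i, ch in enumerate(text) if ch in "=*"]
    if not positions:
        raise ValueError(f"no separator in AV pair: {text!r}")
    i = positions[0]
    attribute = text[:i]
    if not attribute:
        raise ValueError(f"empty attribute in AV pair: {text!r}")
    return AVPair(attribute, text[i + 1:], text[i] == "=")


def parse_avl(avl: str) -> List[AVPair]:
    """Parse a semicolon-separated AVL such as 'inacl=10;outacl=20;timeout=30'."""
    return [parse_av_pair(part) for part in avl.split(";") if part]


def check_av_pair(pair: AVPair) -> List[str]:
    """Return the problems found with one pair; an empty list means it is acceptable."""
    a, v = pair.attribute, pair.value
    problems: List[str] = []
    if a in BOOLEAN_ATTRS and v not in ("true", "false"):
        problems.append(f"{a} must be true or false, got {v!r}")
    elif a in NUMERIC_ATTRS and not v.isdigit():
        problems.append(f"{a} must be numeric, got {v!r}")
    elif a == "priv-lvl" and not (v.isdigit() and 0 <= int(v) <= 15):
        problems.append(f"priv-lvl must be 0..15, got {v!r}")
    return problems


def check_avl(avl: str) -> List[str]:
    """Parse an AVL and collect the problems of every pair, so a bad
    configuration is rejected before it is applied to a user."""
    problems: List[str] = []
    for pair in parse_avl(avl):
        problems.extend(check_av_pair(pair))
    return problems
```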
At 01:04 PM 7/12/00 -0700, [EMAIL PROTECTED] wrote:
>Most TACACS+ servers support the RADIUS protocol so you should be able to
>configure the NT RAS server to send AUTH requests to it. As far as
>TACACS+ documentation goes, it's hard to come by but there is a good
>TACACS support group.
>Try http://www.de.easynet.net/tacacs-faq/ or
>http://www.netplex-tech.com/software/xtacacs/ for further information.
>
>Bill Stackpole, CISSP
>
>Gerardo Soto <[EMAIL PROTECTED]>
>Sent by: [EMAIL PROTECTED]
>
>07/12/00 07:43 AM
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: TACACS+ manuals
>
>Hi everyone:
>
> Lately I have been looking for a white paper or any information
>regarding the tacacs+ administration. I have visited cisco and it gives
>some information about it, but I am mainly interested in the root of it,
>I mean, I would like to know all the commands that one can issue, all
>the different possibilities regarding the famous "AV pairs" and things
>like that. I do not mean to say that cisco does not provide good
>information, but by reading a little bit more I found out that I can have
>different access hours, different groups, and such, but I am not too
>certain about how this gets accomplished.
>My question is:
>
>1.- I have a cisco router which is using TACACS+ that has reached the
>maximum number of lines that it can manage. I do not have the budget to
>buy another one. I am setting up an NT server to add the additional phone
>lines (RAS). How do I get the lines of the NT server to authenticate with
>the TACACS+ server already working?
>
>
>
> So if anyone can point me to where I can find some light
> about it
>I will be deeply appreciated.
>
>
>Thanks Gerardo,
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>