Recently we install the SBR. And one concept we need to clarify:
1. Can we only use SBR's TACACS+ server's AAA functions without enabling radius server ?
We only enable parameter “EnableTACACSPlusServer”by setting to 1 in the “radius.ini”file and configure “tac_plusd.cfg” file. and it seems to work, but I'm not sure if it's correct procedure.
2. If user wants to use SBR as TACACS+ server, Is it a must that we need
to enable radius server function and configure it to forward to its
TACACS+ server itself? (enable Pass Through Authentication function?)
Or just like I said in item 1, enable tacacs+ and configure tac_plusd.cfg?
Thanks a lot.
Solved! Go to Solution.
Hello, Peter. Thank you for the questions and post.
1. No, the TACACS+ process is part of the radius executable file and thus cannot be launched separately. The SBR server will accept inbound RADIUS traffic and will attempt process it. If nothing is configured, SBR will simply ignore the traffic since no RADIUS clients have been defined.
2. See answer #1
Hope this helps.
Thanks for your reply.
As I know the SBR is a radius server. But now user just want to use its TACACS+ to do the AAA, what should we configure? (1) network equipment (switch/router..) configure TACACS setting and SBR modify the radius.ini setting to enable tacacs+ and then configure tacacs cfg file for the AAA setting
or (2) network equipment (switch/router..) configure Radius setting and SBR enable both radius and tacacs+ server. SBR receives Radius request and then configure an "allow any" policy then forward to its tacacs+ server for Authentication/Authorization/Accounting?
I'd like to know the correct way to configure TACACS+ server for the network equipment, thanks a lot.
If the customer is not interested in using RADIUS, they need not configure anything on the SBR side. If RADIUS traffic is sent to SBR on UDP 1812/1813/1645/1646, SBR will ignore it and silently drop it.
Your customer just needs to enable the TACACS+ server in the radius.ini and then edit the .cfg file and add the specific switch/routers and user/groups. The switch/router will send the TACACS+ request to SBR and our TACACS+ process will process it as expected.
Hope that helps
So the answer is my option (1) ,right?
No need to deliberately set SBR's radius server of pass through authentication function and then forward the request to its own tacacs server, right?