Steel Belted Radius for TACACS+ configuration issue

SOLVED
peter-cheng
New Contributor

Hello sir,
Recently we installed SBR, and there is one concept we need to clarify:
1. Can we use only the AAA functions of SBR's TACACS+ server without enabling the RADIUS server?
We only enabled the parameter "EnableTACACSPlusServer" by setting it to 1 in the "radius.ini" file and configured the "tac_plusd.cfg" file, and it seems to work, but I'm not sure if it's the correct procedure.

2. If a user wants to use SBR as a TACACS+ server, is it a must that we enable the RADIUS server function and configure it to forward to its own TACACS+ server (enable the Pass Through Authentication function)? Or, just as I said in item 1, enable TACACS+ and configure tac_plusd.cfg?

Thanks a lot.

5 REPLIES
cbrauckmiller
Frequent Contributor

Re: Steel Belted Radius for TACACS+ configuration issue

Hello, Peter. Thank you for the questions and post.

1. No, the TACACS+ process is part of the radius executable file and thus cannot be launched separately. The SBR server will accept inbound RADIUS traffic and will attempt to process it. If nothing is configured, SBR will simply ignore the traffic since no RADIUS clients have been defined.

2. See answer #1

Hope this helps.

Thanks

Craig Brauckmiller

Pulse Secure

peter-cheng
New Contributor

Re: Steel Belted Radius for TACACS+ configuration issue

Hi Craig,

Thanks for your reply.

As far as I know, SBR is a RADIUS server. But now the user just wants to use its TACACS+ to do the AAA; what should we configure?

(1) The network equipment (switch/router...) is configured with TACACS settings, and on SBR we modify the radius.ini setting to enable TACACS+ and then configure the TACACS cfg file for the AAA settings,

or (2) the network equipment (switch/router...) is configured with RADIUS settings and SBR enables both the RADIUS and TACACS+ servers; SBR receives the RADIUS request, we configure an "allow any" policy, and it then forwards to its TACACS+ server for Authentication/Authorization/Accounting?

I'd like to know the correct way to configure the TACACS+ server for the network equipment, thanks a lot.

cbrauckmiller
Frequent Contributor

Re: Steel Belted Radius for TACACS+ configuration issue

If the customer is not interested in using RADIUS, they need not configure anything on the SBR side. If RADIUS traffic is sent to SBR on UDP 1812/1813/1645/1646, SBR will ignore it and silently drop it.

Your customer just needs to enable the TACACS+ server in the radius.ini and then edit the .cfg file and add the specific switch/routers and user/groups. The switch/router will send the TACACS+ request to SBR and our TACACS+ process will process it as expected.

Hope that helps

Thanks

Craig

peter-cheng
New Contributor

Re: Steel Belted Radius for TACACS+ configuration issue

Hi Craig,

So the answer is my option (1), right?

There is no need to deliberately set up the pass-through authentication function of SBR's RADIUS server and then forward the request to its own TACACS+ server, right?

Thanks.

cbrauckmiller
Frequent Contributor

Re: Steel Belted Radius for TACACS+ configuration issue

Correct. #1 is the correct option.

Thanks

Craig