Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Steel Belted Radius for TACACS+ configuration issue

SOLVED
Go to solution
peter-cheng
New Contributor
‎10-08-2018 08:29:PM
‎10-08-2018 08:29:PM

Steel Belted Radius for TACACS+ configuration issue

Hello sir,
Recently we install the SBR. And one concept we need to clarify:
1. Can we only use SBR's TACACS+ server's AAA functions without enabling radius server ?
We only  enable parameter “EnableTACACSPlusServer”by setting to 1 in the “radius.ini”file and configure “tac_plusd.cfg” file. and it seems to work, but I'm not sure if it's correct procedure.

 

2. If user wants to use SBR as TACACS+ server, Is it a must that we need
to enable radius server function and configure it to forward to its
TACACS+ server itself? (enable Pass Through Authentication function?)
Or just like I said in item 1, enable tacacs+ and configure tac_plusd.cfg?

 

Thanks a lot.

0 Kudos
2 ACCEPTED SOLUTIONS

Accepted Solutions
cbrauckmiller
Frequent Contributor
‎10-09-2018 08:01:AM
‎10-09-2018 08:01:AM

Re: Steel Belted Radius for TACACS+ configuration issue

If the customer is not interested in using RADIUS, they need not configure anything on the SBR side.  If RADIUS traffic is sent to SBR on UDP 1812/1813/1645/1646, SBR will ignore it and silently drop it.

 

Your customer just needs to enable the TACACS+ server in the radius.ini and then edit the .cfg file and add the specific switch/routers and user/groups.  The switch/router will send the TACACS+ request to SBR and our TACACS+ process will process it as expected.

 

Hope that helps

 

Thanks

 

Craig

View solution in original post

cbrauckmiller
Frequent Contributor
‎10-09-2018 08:42:AM
‎10-09-2018 08:42:AM

Re: Steel Belted Radius for TACACS+ configuration issue

Correct.  #1 is the correct option.

 

Thanks

 

Craig

View solution in original post

5 REPLIES 5
cbrauckmiller
Frequent Contributor
‎10-09-2018 06:35:AM
‎10-09-2018 06:35:AM

Re: Steel Belted Radius for TACACS+ configuration issue

Hello, Peter.  Thank you for the questions and post.

 

1.  No, the TACACS+ process is part of the radius executable file and thus cannot be launched separately.  The SBR server will accept inbound RADIUS traffic and will attempt process it.  If nothing is configured, SBR will simply ignore the traffic since no RADIUS clients have been defined.

 

2.  See answer #1

 

Hope this helps.

 

Thanks

 

Craig Brauckmiller

Pulse Secure

peter-cheng
New Contributor
‎10-09-2018 07:57:AM
‎10-09-2018 07:57:AM

Re: Steel Belted Radius for TACACS+ configuration issue

Hi Craig,

 

Thanks for your reply.

As I know the SBR is a radius server. But now user just want to use its TACACS+ to do the AAA, what should we configure? (1) network equipment (switch/router..) configure TACACS setting and SBR modify  the radius.ini setting to enable tacacs+ and then configure tacacs cfg file for the AAA setting

or (2) network equipment (switch/router..) configure Radius setting and SBR enable both radius and tacacs+ server. SBR receives Radius request and then configure an "allow any" policy  then forward to its tacacs+ server for Authentication/Authorization/Accounting?

I'd like to know the correct way to configure TACACS+ server for the network equipment, thanks a lot.

0 Kudos
cbrauckmiller
Frequent Contributor
‎10-09-2018 08:01:AM
‎10-09-2018 08:01:AM

Re: Steel Belted Radius for TACACS+ configuration issue

If the customer is not interested in using RADIUS, they need not configure anything on the SBR side.  If RADIUS traffic is sent to SBR on UDP 1812/1813/1645/1646, SBR will ignore it and silently drop it.

 

Your customer just needs to enable the TACACS+ server in the radius.ini and then edit the .cfg file and add the specific switch/routers and user/groups.  The switch/router will send the TACACS+ request to SBR and our TACACS+ process will process it as expected.

 

Hope that helps

 

Thanks

 

Craig

peter-cheng
New Contributor
‎10-09-2018 08:39:AM
‎10-09-2018 08:39:AM

Re: Steel Belted Radius for TACACS+ configuration issue

Hi Craig,

 

So the answer is my option (1) ,right?

No need to deliberately set SBR's radius server of pass through authentication function and then forward the request to its own tacacs server, right?

 

Thanks.

0 Kudos
cbrauckmiller
Frequent Contributor
‎10-09-2018 08:42:AM
‎10-09-2018 08:42:AM

Re: Steel Belted Radius for TACACS+ configuration issue

Correct.  #1 is the correct option.

 

Thanks

 

Craig

© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.