Differences between current version and predecessor to the previous major change of TACACS.

Newer page: version 4 Last edited on Wednesday, October 1, 2003 7:54:03 pm by AristotlePagaltzis
Older page: version 1 Last edited on Tuesday, April 1, 2003 3:07:54 pm by CraigBox
@@ -1,7 +1,17 @@
-[Acronym] for Terminal Access Controller Access Control System
+[Acronym] for __T__erminal __A__ccess __C__ontroller __A__ccess __C__ontrol __S__ystem
  
 [Cisco]'s protocol for allowing a NetworkAccessServer (or more commonly, a number of them) to offload user administration to a central server. 
  
 Described in RFC:1492. 
  
 You probably won't see this much outside of [Cisco] gear. Compare [RADIUS]. 
+  
+!! Linux Alternative: [XTacacs | http://www.rc.unesp.br/polo/tacacs/]  
+  
+__xtacacsd__ is an extended [TACACS] server (for [Cisco] network devices) which authenticates users logging onto a terminal server (or any host which cares to query the server). It uses the standard password file (__/etc/passwd__) by default, or an alternate list of password files.  
+  
+This program can be used to authenticate users when they try to access a terminal server ([Cisco] terminal servers support this option). The server can log information about all queries coming to the server using syslog(2). It is meant to be invoked by inetd(8) but can be run from a terminal in standalone mode if desired. In this mode, it writes all errors to the controlling terminal. It the __-d__ option is specified on the command line (along with __-s__), it will not fork so all debug messages and errors will be printed on the stderr.  
+  
+The server expects a username and password to be supplied in the query packet recieved from the terminal servers. This username and password are authenticated by searching in the password file(s). (The default is __/etc/passwd__ but up to five alternate filenames can be specified). If it cannot find a match in any of the password files, it sends an authentication failure reply to the query (unless the quiet option is specified in which case no negative response will be sent).  
+  
+The server always returns an authentication failure for any queries that have a uid of 0 (the SuperUser) or for any users that do not have a password (null password field) in the password files. It also verifies that the account is current and not expired if the last password field (__pw_shell__) supports this feature (or if the password file has an expiry field on System V based machines). Finally, permissions are checked for the request by matching the username, group-id and gecos field of the user in the [TACACS] request (the groups listed in the __/etc/groups__ file are checked as well).
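
Review bot: The added xtacacsd text has two reference errors worth fixing before this goes in: the logging paragraph cites syslog(2), but the logging library call a daemon uses is syslog(3), and the final paragraph names __/etc/groups__ where the group database is __/etc/group__. In the logging paragraph, "It the __-d__ option" should read "If the __-d__ option", and "recieved" in the next paragraph should be "received". The text also says the username and password are supplied in the query packet and checked against __/etc/passwd__, and that "any host which cares to query the server" may do so, but it does not say how the credentials are protected in transit or how queries are restricted to known terminal servers; a sentence on each would help a reader judge whether the daemon is safe to expose.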