Tacacs "Problem"

cyberpete · ‎02-22-2006

Folks, if I can leverage your headspace for a moment... We have Tacacs security authentication to our switches and routers. It is configured to request a user name, and then a password. The password is a dynamic numeric combination of 2 separate numbers - a numeric value held privately by the user, appended to the key code showing on the RSA SecurID key fob, at that time. So obviously the password credentials to gain entry to the device will keep changing every minute. We have an application that needs to automatically login to a router (or switch) and pull off the config regularly at a scheduled time. This application will only be able to offer to Tacacs a user name and STATIC password (Not one that keeps changing every 60 seconds). My question therefore is how can we configure the Tacacs process to deal with a request for "static" password (by which I mean a password that does not change) for one particular user (i.e. the application) and at the same time the Tacacs process should also continue to recognise other usernames that DO require the SecurID dynamic password entry system.

I am working though the Tacacs info at cisco.com but it is dense subject matter and I have time pressure - Thanks in advance - Peter@it-123.co.uk

gfullage · ‎02-22-2006

ACS will always check its internal user database first before sending authentication parameters (username/password) off to a configured external server.

All you need to do is add the static username/password into the ACS user database, the application will then be able to use that. When any "user" connects in, ACS won't find that userid in its internal database and will then go and send the credentials off to the external RSA server just like it is now.