using the PAM_tacplus without local users defined ?

[prsouren]

Hi,
Would it be possible to have a linux server running without any local users defined and still have the authentication of the clients trying to connect authenticated by the Cisco ACS (AAA) server ?

I now have the setup 1.5.0 running but I do need to create a local user (in disabled state) in order to get access by authentication by ACS. As we have too many users from different groups I wish not to create all those local acounts ?!

Is this possible ?

[daveolson53]

prsouren <[email protected]> wrote:

Hi, Would it be possible to have a linux server running without any local users defined and still have the authentication of the clients trying to connect authenticated by the Cisco ACS (AAA) server ? I now have the setup running but I do need to create a local user (in disabled state) in order to get access by authentication by ACS. As we have too many users from different groups I wish not to create all those local acounts ?! Is this possible ?

Yes, it's possible. You have to either fake out the accounts as being local via NSS (there are several NSS plugins for this), or map the remote users to one or more local users. I took the latter approach for Cumulus Linux. See the repos at https://github.com/daveolson53 In particular, my modified libpam-tacplus (which is out of date with the current master), libnss-tacplus, and libtacplus-map; those 3 are the minimum you would need. Dave Olson [email protected]