From Sergey:

"Using tacacs I found that ckfinger() function from maxsess.c module
 returns wrong count of current sessions for users with "maxsess"
 parameter established in tac_plus.conf. It happens if Cisco access
 server works with IOS v 12.x.
 On the other hand ckfinger() works well with IOS v 11.x
 Here are patches for both maxsess.c and port's Makefile to fix
 this problem (but it is just workaround, ckfinger() should be
 fully rewritten)."
From me:
 changed variable name by prepending string "TAC_", so that tacacs+
 ports variables follow an unique scheme.
Please note: this doesn't compile with the new TAC_IOS_VERSION variable
if you have CFLAGS redefined in /etc/make.conf as:
CFLAGS=-pipe -O (or whatever)
You have to use
CFLAGS+=-pipe -O (or whatever)
Mailed to -developers. Am really not sure, what's the culprit here.
Fact is, that a part of CFLAGS get lost when compiling the port,
if you redefine CFLAGS in /etc/make.conf without the "+" sign ...
I personally removed my CFLAGS define in /etc/make.conf as it
defaults to -pipe -O, which is fine for me.

Submitted by:	Sergey E. Levov (serg@informika.ru)

net/tac_plus4/Makefile

@@ -28,6 +28,16 @@ EXTRA_PATCHES=	${PATCHDIR}/extra-patch-ba
 EXTRA_PATCHES+=	${PATCHDIR}/extra-patch-bb
 .endif
 
+# finger output differs for CISCO IOS versions 11 and 12.
+# Define version of your IOS (default is 11): 
+# Example: make TAC_IOS_VERSION=12
+#
+.if defined(TAC_IOS_VERSION)
+CFLAGS+=	-DTAC_IOS_VERSION=${TAC_IOS_VERSION}
+.else
+CFLAGS+=	-DTAC_IOS_VERSION=11
+.endif
+
 do-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/tac_plus ${PREFIX}/sbin
 	${INSTALL_MAN} ${WRKSRC}/tac_plus.1 ${PREFIX}/man/man1/tac_plus.1

net/tac_plus4/files/patch-aa

@@ -1,6 +1,15 @@
---- Makefile.orig	Sat Apr  3 08:03:48 1999
-+++ Makefile	Tue Nov  9 21:48:01 1999
-@@ -31,13 +31,13 @@
+--- Makefile.orig	Sun Jun 18 19:26:54 2000
++++ Makefile	Mon Jan 22 20:22:57 2001
+@@ -19,7 +19,7 @@
+ # LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ # FOR A PARTICULAR PURPOSE. 
+ 
+-CC = gcc
++# CC = gcc
+ 
+ # For AIX
+ # See /usr/lpp/bos/bsdport on your system for details of how to define bsdcc
+@@ -33,13 +33,13 @@
  # OS=-DMIPS
  
  # For Solaris (SUNOS 5.3, 5.4, 5.5, 5.6) uncomment the following two lines
@@ -18,7 +27,7 @@
  # NOTE: If you want your password encryption to be compatible with
  # e.g. SunOS, you may need to instead use:
  # OSLIBS=-ldescrypt
-@@ -62,12 +62,12 @@
+@@ -64,12 +64,12 @@
  # FLAGS   = -DTAC_PLUS_USERID=$(USERID) -DTAC_PLUS_GROUPID=$(GROUPID)
  
  # Definitions for SKEY functionality
@@ -34,7 +43,7 @@
  
  # Enforce a limit on maximum sessions per user. See the user's guide
  # for more information.
-@@ -83,13 +83,13 @@
+@@ -85,13 +85,13 @@
  # possible), containing its process id. Uncomment and modify the
  # following line to change this filename
  
@@ -50,7 +59,7 @@
  
  HFILES = expire.h parse.h regmagic.h md5.h regexp.h tac_plus.h 
  
-@@ -128,8 +128,8 @@
+@@ -130,8 +130,8 @@
  	-rm -f *.o *~ *.BAK tac_plus generate_passwd
  
  install:

net/tac_plus4/files/patch-maxsess.c

@@ -0,0 +1,29 @@
+Using tacacs I found that ckfinger() function from maxsess.c module
+returns wrong count of current sessions for users with "maxsess"
+parameter established in tac_plus.conf. It happens if Cisco access 
+server works with IOS v 12.x.
+On the other hand ckfinger() works well with IOS v 11.x
+
+Here are patches for both maxsess.c and port's Makefile to fix 
+this problem (but it is just workaround, ckfinger() should be 
+fully rewritten).
+
+Best regards,
+Sergey E. Levov (serg@informika.ru)
+
+*** maxsess.c.orig	Fri Jan 19 17:16:46 2001
+--- maxsess.c	Fri Jan 19 17:25:51 2001
+***************
+*** 470,476 ****
+--- 470,480 ----
+  	}
+  	/* Extract username, up to 10 chars wide, starting at char 13 */
+  	nmlen = 0;
++ #if (TAC_IOS_VERSION == 11)
+  	name = p + 13;
++ #else
++ 	name = p + 15;
++ #endif		
+  	for (i = 0; *name && !isspace(*name) && (i < 10); i++) {
+  	    nmbuf[nmlen++] = *name++;
+  	}