[c-nsp] Deploying RADIUS for user logins ?
Peter Rathlev
peter at rathlev.dk
Mon Mar 3 12:30:03 EST 2008
On Mon, 2008-03-03 at 10:18 -0600, Justin Shore wrote:
> Assuming you're going to do TACACS+ (RADIUS would be similar) here's a
> working AAA config:
<snip>
Very nice example. I've been looking for exactly something like this for
a while. Thanks for sharing. :-)
> You should also come up with a method of generating TACACS keys. You
> could use 1 key per POP or 1 key for the entire network. Personally I
> use a unique key per device. It's probably overkill but it works for
> me. I use a unique strings taken from each device (process board ID for
> example), stick it in a text file, and then perform a md5sum on that
> file. The resulting 32 character string of random characters makes for
> a nice key. It's also reproducible in a pinch.
Just a small note: Make sure not to use information that other people
can see easily(-ish). Often e.g. the base MAC is printed on the outside
of switches, and the MD5 hashing would only protect from network
eavesdropping. But protecting the AAA-server is a requirement
anyway. :-)
Regards,
Peter
More information about the cisco-nsp
mailing list