[nsp] TACACS+ server of choice?
Chris Parker
cparker at starnetusa.net
Tue Jan 27 21:41:50 EST 2004
At 08:16 PM 1/27/2004, John Wong wrote:
>I'm not sure if RADIUS is capable of doing EXEC command
>accounting but TACACS+ sure can.
RADIUS, yes. Just send an Accounting-Request packet. However,
IOS does not do this. :\
>Security-wise, RADIUS should be avoided to authenticate
>network devices. If you're concerned about security (and
>you should be), TACACS+ seems to be the best choice. TACACS+
>encrypts the entire packet and is TCP based, making it
>less likely to be spoofed (like RADIUS UDP packets).
Yes, that's one problem with RADIUS. Though, VSAs are opaque,
so there's nothing requiring the 'auth-priv level' and such
to be sent clear text in the VSA payload. Even using the
same MD5 hash on the VSA payload à la the User-Password attribute
would be better than clear-text, IMHO.
IPSec comes to mind as well, if this is a concern. If it's a
critical device, an OTP method would hopefully be in use
regardless, so even a captured packet/session cannot be
replayed.
>For TACACS+ s/w, SourceForge has it all. For RADIUS, I
>use FreeRadius which is a highly configurable & modular
>RADIUS server.
Definitely agree here.
-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Wholesale Internet Services - http://www.megapop.net
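Worked example for the two mechanisms compared in the thread, added here and not code from the list or from any RADIUS/TACACS+ server: radius_hide() applies the User-Password hiding of RFC 2865 section 5.2 to an arbitrary attribute payload (the "same MD5 hash on the VSA payload" idea above, here on a sample privilege-level AV pair), and tacacs_obfuscate() applies the TACACS+ body obfuscation of RFC 8907 section 4.5, with the 12-byte header left in the clear as the protocol specifies. Both key streams are MD5 chains seeded with the shared secret, so neither protects a value against someone who holds or can guess that secret; that is why the OTP and IPsec points above still matter. The shared secret, Request Authenticator, session id and AV-pair string are constructed sample values.

```python
"""RADIUS User-Password style hiding (RFC 2865 s5.2) next to TACACS+
body obfuscation (RFC 8907 s4.5). Added example; sample values are
constructed, not taken from any real deployment."""
import hashlib
import struct

# Constructed sample values. Real requests carry a random 16-byte
# Request Authenticator and a random TACACS+ session id.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_SESSION_ID = 0x1234ABCD
SAMPLE_AVPAIR = b"shell:priv-lvl=15"   # sample Cisco-style AV pair, 17 octets

TAC_PLUS_VERSION = 0xC0                # major version 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # header flag: body sent in clear


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def radius_hide(secret: bytes, authenticator: bytes, value: bytes) -> bytes:
    """Pad to 16-octet chunks; chunk i is XORed with MD5(secret + previous
    cipher chunk), chunk 0 with MD5(secret + Request Authenticator)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(value) <= 128:
        raise ValueError("hidden value must be 1..128 octets")
    padded = value + b"\x00" * (-len(value) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        pad = _md5(secret, prev)
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += chunk
        prev = chunk                   # chaining: next pad depends on ciphertext
    return bytes(out)


def radius_reveal(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide(); trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        pad = _md5(secret, prev)
        out += bytes(c ^ k for c, k in zip(chunk, pad))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def tacacs_obfuscate(key: bytes, session_id: int, version: int,
                     seq_no: int, body: bytes) -> bytes:
    """body XOR pseudo_pad, where MD5_1 = MD5(session_id|key|version|seq_no)
    and MD5_n = MD5(session_id|key|version|seq_no|MD5_(n-1)).
    XOR is its own inverse, so the same call also de-obfuscates."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < len(body):
        last = _md5(seed, last)
        pad += last
    return bytes(b ^ k for b, k in zip(body, pad))


def build_tacacs_packet(key: bytes, session_id: int, seq_no: int, body: bytes,
                        ptype: int = TAC_PLUS_AUTHEN, unencrypted: bool = False) -> bytes:
    """12-byte header (always in the clear) followed by the body."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no,
                         flags, session_id, len(body))
    if unencrypted:
        return header + body           # nothing hides the body in this mode
    return header + tacacs_obfuscate(key, session_id, TAC_PLUS_VERSION, seq_no, body)


def parse_tacacs_packet(key: bytes, packet: bytes):
    """Return (header fields, cleartext body). A set unencrypted flag is
    worth alerting on: the peer is sending credentials in the clear."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    hdr = {"version": version, "type": ptype, "seq_no": seq_no,
           "flags": flags, "session_id": session_id}
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr, body
    return hdr, tacacs_obfuscate(key, session_id, version, seq_no, body)


if __name__ == "__main__":
    hidden = radius_hide(SAMPLE_SECRET, SAMPLE_AUTHENTICATOR, SAMPLE_AVPAIR)
    print("RADIUS hidden VSA:", hidden.hex())
    print("revealed         :", radius_reveal(SAMPLE_SECRET, SAMPLE_AUTHENTICATOR, hidden))
    pkt = build_tacacs_packet(SAMPLE_SECRET, SAMPLE_SESSION_ID, 1, SAMPLE_AVPAIR)
    print("TACACS+ packet   :", pkt.hex())
    print("parsed           :", parse_tacacs_packet(SAMPLE_SECRET, pkt))
```

Running it prints the 32-octet hidden VSA, the 29-octet TACACS+ packet and the recovered AV pair. The header bytes of the TACACS+ packet are identical whatever key is used, which is the cheap check a capture analyst can make: session id, sequence number and the unencrypted flag are always readable without the secret.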