[c-nsp] Central Authentication (Tacacs+ / Radius)

Dennis Peng dpeng at cisco.com
Tue Apr 5 13:00:59 EDT 2005


Mohacsi Janos [mohacsi at niif.hu] wrote:
> On Mon, 4 Apr 2005, Network.Security wrote:
> 
> > One thing to keep in mind in the Accounting Dept. with the Cisco ACS is
> > that it doesn't do (or I could never make it do) RADIUS Command
> > Accounting. I've never delved deep enough to know if it's a limit of the
> > RADIUS protocol or Cisco's bias towards TACACS, so if that's a decision
> > point for you... be mindful.

It's mainly a limitation of the RADIUS protocol (it doesn't support
command accounting). It's possible to hack support into it, but we
haven't done so yet.

> Cisco's bias towards TACACS is not true anymore. Cisco no longer seems to
> be developing the TACACS protocol to support certain features like
> IPv6, while RADIUS (Cisco's implementation too) is evolving constantly.
> If you select RADIUS, you will use more standardised methods.

The way TACACS+ and RADIUS are implemented in IOS, it is virtually
impossible for us to implement functionality in RADIUS, but not in
TACACS+. You might see a lot of RADIUS profiles in our documentation
(especially new feature docs), but those should all be doable with
TACACS+ as well.

Dennis
 
> You can look at the TACACS - RADIUS comparison page at:
> http://www.gazi.edu.tr/tacacs/docs/tac_rad_comp.html
> 
> but this comparison is rather old now (1999), and RADIUS extensions have
> resolved most of the deficiencies listed there.
> 
> Regards,
> 
> 
> Janos Mohacsi
> Network Engineer, Research Associate
> NIIF/HUNGARNET, HUNGARY
> Key 00F9AF98: 8645 1312 D249 471B DBAE  21A2 9F52 0D1F 00F9 AF98
> 
> 
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vandy Hamidi
> > Sent: Monday, April 04, 2005 3:33 PM
> > To: cisco-nsp at puck.nether.net
> > Cc: David Devanna
> > Subject: [c-nsp] Central Authentication (Tacacs+ / Radius)
> >
> > I'm looking to (finally) implement a central AAA server.
> > I'm not looking to integrate with AD/LDAP, just a local DB on a central
> > server.  Just a simple Authen, Author, and Accounting server for tiered
> > access and logging capabilities.
> >
> > In the past I've used CiscoSecure Tacacs+ server and it worked quite
> > well.
> > I was planning on using it again, but wanted to see if the group could
> > recommend a newer (CS is from 2002 I believe) AAA server.
> >
> > Please share your experiences and recommendations, I would appreciate
> > hearing what others use or don't use and why.
> >
> > 	-=Vandy=-
> >
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
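The practical difference the thread turns on is the per-command accounting record: TACACS+ delivers one for every command a user runs, and that record is what a network security team actually audits. The Python below is an added example, not code from this thread, from Cisco or from any ACS product. It parses constructed accounting lines in the tab-separated layout that the open-source tac_plus daemon writes (timestamp, NAS, user, port, remote address, record type, then attribute=value pairs); the exact field order, the sample lines, the `WATCH_PREFIXES` list and the function names are assumptions for illustration. It then flags commands that change configuration or weaken the audit trail itself, which is the kind of "logging capability" the original poster wanted from tiered access.

```python
"""Parse TACACS+ command-accounting records and flag sensitive commands.

Constructed example: the layout below follows the tab-separated accounting
log of the tac_plus daemon (timestamp, NAS address, user, port, remote
address, record type, attribute=value pairs). Field order and all sample
lines are assumptions, not real device output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample accounting lines (tab-separated). "start"/"stop" are the
# TACACS+ accounting record types; cmd= is present only for command accounting.
SAMPLE_LOG = "\n".join([
    "Mon Apr  4 15:33:01 2005\t10.1.1.1\tvandy\ttty2\t10.9.9.9\tstart\ttask_id=12\tservice=shell",
    "Mon Apr  4 15:33:05 2005\t10.1.1.1\tvandy\ttty2\t10.9.9.9\tstop\ttask_id=13\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Mon Apr  4 15:34:10 2005\t10.1.1.1\tvandy\ttty2\t10.9.9.9\tstop\ttask_id=14\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Mon Apr  4 15:34:20 2005\t10.1.1.1\tvandy\ttty2\t10.9.9.9\tstop\ttask_id=15\tservice=shell\tpriv-lvl=15\tcmd=no aaa accounting commands 15 default <cr>",
    "Mon Apr  4 15:40:00 2005\t10.1.1.1\tops\ttty3\t10.9.9.10\tstop\ttask_id=16\tservice=shell\tpriv-lvl=1\tcmd=show interfaces <cr>",
])

FIXED_FIELDS = 6  # assumed number of positional fields before the AV pairs


@dataclass
class AcctRecord:
    timestamp: str
    nas: str
    user: str
    port: str
    rem_addr: str
    rec_type: str                     # start / stop / update
    attrs: Dict[str, str] = field(default_factory=dict)

    def command(self) -> Optional[str]:
        """The accounted command without the trailing '<cr>', or None."""
        cmd = self.attrs.get("cmd")
        if cmd is None:
            return None
        return re.sub(r"\s*<cr>\s*$", "", cmd).strip()

    def priv_lvl(self) -> Optional[int]:
        lvl = self.attrs.get("priv-lvl")
        return int(lvl) if lvl is not None and lvl.isdigit() else None


def parse_line(line: str) -> Optional[AcctRecord]:
    """Split one record; returns None for a line too short to be valid."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < FIXED_FIELDS:
        return None
    rec = AcctRecord(*parts[:FIXED_FIELDS])
    for pair in parts[FIXED_FIELDS:]:
        # TACACS+ AV pairs use '=' for mandatory and '*' for optional attributes.
        m = re.match(r"([^=*]+)[=*](.*)", pair)
        if m:
            rec.attrs[m.group(1)] = m.group(2)
    return rec


def parse_accounting(text: str) -> List[AcctRecord]:
    records: List[AcctRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def command_records(records: Sequence[AcctRecord]) -> List[AcctRecord]:
    """Only records carrying a cmd attribute, i.e. real command accounting."""
    return [r for r in records if r.command() is not None]


# Commands worth alerting on promptly: anything entering config mode or
# weakening the audit trail itself. Constructed list for illustration.
WATCH_PREFIXES: Tuple[str, ...] = (
    "configure",
    "no aaa accounting",
    "no logging",
    "clear logging",
)


def flag_sensitive(records: Sequence[AcctRecord],
                   prefixes: Tuple[str, ...] = WATCH_PREFIXES) -> List[Tuple[str, str]]:
    """Return (user, command) for every command matching a watched prefix."""
    hits: List[Tuple[str, str]] = []
    for r in command_records(records):
        cmd = r.command() or ""
        if any(cmd.startswith(p) for p in prefixes):
            hits.append((r.user, cmd))
    return hits


def commands_per_user(records: Sequence[AcctRecord]) -> Dict[str, int]:
    """Per-user command counts, a quick view of who is actually active."""
    counts: Dict[str, int] = {}
    for r in command_records(records):
        counts[r.user] = counts.get(r.user, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_accounting(SAMPLE_LOG)
    for user, cmd in flag_sensitive(recs):
        print(f"ALERT {user}: {cmd}")
    print(commands_per_user(recs))
```

The point of `flag_sensitive` is that a command-accounting stream lets you notice a user switching off the very accounting that produced the record; a RADIUS accounting stream, which only carries session start/stop and interim records, cannot surface that event at all.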

