[c-nsp] Central Authentication (Tacacs+ / Radius)

Michael Markstaller mm at elabnet.de
Tue Apr 5 18:21:52 EDT 2005


I'm migrating from ACS to FreeRADIUS as a central AAA solution.
From some years running ACS (2.6 - 3.1 on W2k): it lacks *reliable* SQL accounting and stability when reaching some hundred concurrent users, and has limited flexibility when you try to centralize all AAA (Dialup, xDSL, Device/Admin-auth etc.).
The plus for ACS is the working and well documented frontend and quite simple usage; the minus is stability (i.e. when relying on acct for billing), some security flaws "by design" (i.e. you cannot use SecurID for auth against the ACS frontend itself, which opens a big hole), and limited delegation of admin rights to other admins.

There are still some dozens of IOS versions out where i.e. TAC+ failover doesn't work at all or only occasionally, going as far as locking you out of the box when the primary is down; I never had failover troubles on IOS using RADIUS.

But when you need things like command authorization, or have a smaller set of devices to do simple AAA only for administrative reasons, you'll be easier and probably better off with ACS and TAC+.

Michael


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vandy Hamidi
> Sent: Monday, April 04, 2005 10:33 PM
> To: cisco-nsp at puck.nether.net
> Cc: David Devanna
> Subject: [c-nsp] Central Authentication (Tacacs+ / Radius) 
> 
> I'm looking to (finally) implement a central AAA server.
> I'm not looking to integrate with AD/LDAP, just a local DB on a central
> server.  Just a simple Authen, Author, and Accounting server for tiered
> access and logging capabilities.
> 
> In the past I've used CiscoSecure Tacacs+ server and it worked quite
> well.
> I was planning on using it again, but wanted to see if the group could
> recommend a newer (CS is from 2002 I believe) AAA server.
> 
> Please share your experiences and recommendations, I would appreciate
> hearing what others use or don't use and why.
> 
> 	-=Vandy=-
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
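Michael's point that accounting must be reliable before it can drive billing is easy to check on the receiving side. The following is an added example, not code from either poster or from the FreeRADIUS project: it parses records in the layout FreeRADIUS writes to its plain-text "detail" accounting file (a non-indented timestamp line, tab-indented `Attribute = value` lines, a blank line between records), pairs Start and Stop records per NAS and session id, and reports sessions that never received a Stop and Stops with no matching Start, which are exactly the gaps that make accounting unusable for billing. The sample records and user names are constructed for the demonstration; an Interim-Update is folded into its open session so that a lost Stop can at least be approximated from the last counters seen.

```python
import re

# Constructed sample in FreeRADIUS detail-file layout (not real accounting data).
# alice: clean Start/Stop; bob: Start + Interim-Update but no Stop; carol: Stop only.
SAMPLE_DETAIL = """\
Tue Apr  5 18:21:52 2005
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001A"
\tUser-Name = "alice"
\tNAS-IP-Address = 10.0.0.1

Tue Apr  5 18:22:10 2005
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000002B"
\tUser-Name = "bob"
\tNAS-IP-Address = 10.0.0.2

Tue Apr  5 18:32:10 2005
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "0000002B"
\tUser-Name = "bob"
\tNAS-IP-Address = 10.0.0.2
\tAcct-Session-Time = 600
\tAcct-Input-Octets = 4096
\tAcct-Output-Octets = 8192

Tue Apr  5 18:41:52 2005
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000001A"
\tUser-Name = "alice"
\tNAS-IP-Address = 10.0.0.1
\tAcct-Session-Time = 1200
\tAcct-Input-Octets = 123456
\tAcct-Output-Octets = 654321

Tue Apr  5 18:45:00 2005
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000003C"
\tUser-Name = "carol"
\tNAS-IP-Address = 10.0.0.1
\tAcct-Session-Time = 300
"""

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')


def parse_detail(text):
    """Split detail-file text into a list of dicts, one per accounting record."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            # blank line terminates the current record
            if current is not None:
                records.append(current)
                current = None
            continue
        if not line[0].isspace():
            # non-indented line is the timestamp header that opens a record
            if current is not None:
                records.append(current)
            current = {"_received": line.strip()}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # strip the quoting FreeRADIUS puts around strings
            current[key] = value
    if current is not None:
        records.append(current)
    return records


def reconcile(records):
    """Pair Start/Stop by (NAS-IP-Address, Acct-Session-Id) and flag the gaps."""
    open_sessions, completed, orphan_stops = {}, [], []
    for rec in records:
        key = (rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"))
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            open_sessions[key] = dict(rec)
        elif status == "Interim-Update" and key in open_sessions:
            # carry the latest counters so a lost Stop can still be approximated
            open_sessions[key].update(
                {k: v for k, v in rec.items()
                 if k.startswith("Acct-") and k != "Acct-Status-Type"})
        elif status == "Stop":
            start = open_sessions.pop(key, None)
            if start is None:
                orphan_stops.append(rec)      # Stop without Start: cannot bill
            else:
                completed.append((start, rec))
    return {
        "completed": completed,
        "unterminated": list(open_sessions.values()),  # Start without Stop
        "orphan_stops": orphan_stops,
    }


if __name__ == "__main__":
    result = reconcile(parse_detail(SAMPLE_DETAIL))
    for start, stop in result["completed"]:
        print("billable", stop["User-Name"], stop["Acct-Session-Time"], "s")
    for rec in result["unterminated"]:
        print("no Stop  ", rec["User-Name"], "last seen", rec.get("Acct-Session-Time", "?"), "s")
    for rec in result["orphan_stops"]:
        print("no Start ", rec["User-Name"], rec["Acct-Session-Id"])
```

Running it over a day's detail file and alerting on non-empty `unterminated` or `orphan_stops` lists is a cheap way to measure how much of the accounting stream a given AAA server actually delivers before trusting it for billing.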
