[c-nsp] Central Authentication (Tacacs+ / Radius)

Vandy Hamidi vandy.hamidi at markettools.com
Tue Apr 5 18:27:01 EDT 2005


Thanks Michael.
Do you know if CiscoSecure is a free product or something I need to
purchase/license?

-----Original Message-----
From: Michael Markstaller [mailto:mm at elabnet.de] 
Sent: Tuesday, April 05, 2005 3:22 PM
To: Vandy Hamidi; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Central Authentication (Tacacs+ / Radius) 

I'm migrating from ACS to FreeRADIUS as central AAA solution.
From some years running ACS (2.6 - 3.1 on W2k): it lacks *reliable*
SQL accounting and stability when reaching some hundred concurrent users,
and it has limited flexibility when you try to centralize all AAA
(Dialup, xDSL, Device/Admin-auth etc.).
The plus for ACS is the working and well-documented frontend and quite
simple usage; the minus is stability (i.e. when relying on acct for
billing), some security flaws "by design" (i.e. you cannot use SecurID
for auth against the ACS frontend itself, which opens a big hole), and
limited delegation of admin rights to other admins.

There are still some dozens of IOS versions out there where, i.e., TAC+ failover
doesn't work at all or only occasionally, going as far as locking you
out of the box when the primary is down; I never had failover troubles
on IOS using RADIUS.

But when you need things like command authorization or have a smaller
set of devices to do simple AAA only for administrative reasons, you'll
have an easier time and probably be better off with ACS and TAC+.

Michael


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vandy Hamidi
> Sent: Monday, April 04, 2005 10:33 PM
> To: cisco-nsp at puck.nether.net
> Cc: David Devanna
> Subject: [c-nsp] Central Authentication (Tacacs+ / Radius) 
> 
> I'm looking to (finally) implement a central AAA server.
> I'm not looking to integrate with AD/LDAP, just a local DB on a central
> server.  Just a simple Authen, Author, and Accounting server for tiered
> access and logging capabilities.
> 
> In the past I've used CiscoSecure Tacacs+ server and it worked quite
> well.
> I was planning on using it again, but wanted to see if the group could
> recommend a newer (CS is from 2002 I believe) AAA server.
> 
> Please share your experiences and recommendations, I would appreciate
> hearing what others use or don't use and why.
> 
> 	-=Vandy=-
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
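The failure mode Michael describes (a TAC+ primary goes down and the box locks you out) is the one thing to design around before pointing any router at a central server: every AAA method list needs a fallback method that is reached only when no server answers, and the console needs a list of its own. The configuration below is an added example for this thread, not something posted by Michael or Vandy; the server addresses, shared secrets, and the break-glass username are placeholders. It shows TACACS+ authentication, EXEC and per-command authorization (the "command authorization" case Michael prefers TAC+ for), and accounting, each with a local fallback, on IOS of the 12.x era that the thread is about.

```cisco
! Added example, not from the thread. Addresses, keys and usernames are placeholders.
aaa new-model
!
! Local safety-net account and enable secret, used only when no TACACS+
! server answers. Keep them long and store them somewhere the on-call
! engineer can reach without the AAA server.
username breakglass privilege 15 secret <local-password>
enable secret <enable-password>
!
! Two TACACS+ servers. IOS tries them in order and falls through to the
! next method only when neither responds within the timeout. A reject
! from a live server is a normal answer, not a failure, so it does NOT
! trigger the local fallback.
tacacs-server host 192.0.2.10 key <shared-secret>
tacacs-server host 192.0.2.11 key <shared-secret>
tacacs-server timeout 5
!
! Login and enable authentication: TACACS+ first, local database (or the
! enable secret) only if every server is unreachable.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: EXEC shell plus per-command checks at levels 1 and 15.
! The local fallback authorizes by the privilege level of the local user.
! "if-authenticated" in place of "local" would skip per-command checks
! entirely while the servers are down, which is looser.
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Without this line, commands entered in config mode are not sent for
! authorization, which defeats the point of per-command control.
aaa authorization config-commands
!
! Accounting: record every EXEC session and every level-15 command.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Console gets its own local-only list so that a broken server
! definition or a lost network can never lock out physical access.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
```

Two checks before relying on this in production: first, with both servers reachable, log in over SSH and confirm `show users` and the accounting records on the server agree about who is on the box; second, block the router's path to both servers (an ACL on the server side is enough) and confirm that `breakglass` still gets a level-15 shell after the timeout while a wrong password is still rejected. The tiered access Vandy asked about is then a server-side matter: the TACACS+ server returns the privilege level and the per-command permit/deny decisions for each user, and the device only enforces what it is told.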