[c-nsp] Central Authentication (Tacacs+ / Radius)

Scott A. Keoseyan skeoseyan at btspartners.com
Tue Apr 5 19:42:20 EDT 2005


Michael,

I see that you've had great experiences using RADIUS on IOS with 
failover.  Can you share some of the tuning parameters you use for 
failover... server timeouts, retries, and such?

I have noted that IOS with RADIUS, in the application I am using it for, 
seems to retry the failed server on each new instance or session despite 
having marked the server dead in the prior instance.  I am wondering if 
this is an IOS issue I have run into, or if it is normal behavior.

If it is the latter, I'd be interested in making the failover process a 
little quicker and smoother.

thanks,

Scott


Michael Markstaller wrote:
> I'm migrating from ACS to FreeRADIUS as central AAA solution. 
> From some years running ACS (2.6 - 3.1 on W2k): it lacks *reliable* SQL accounting and stability when reaching some hundred concurrent users, and has limited flexibility when you try to centralize all AAA (Dialup, xDSL, Device/Admin-auth etc.)
> The plus for ACS is the working and well documented frontend and quite simple usage; the minus is stability (i.e. when relying on acct for billing), some security flaws "by design" (i.e. you cannot use SecurID for auth against the ACS frontend itself, which opens a big hole), limited delegation of admin rights to other admins.
> 
> There are still some dozens of IOS versions out where i.e. TAC+ failover doesn't work at all or only occasionally, going as far as locking you out of the box when the primary is down; I never had failover troubles on IOS using radius. 
> 
> But when you need things like command authorization or have a smaller set of devices to do simple AAA only for administrative reasons, you'll be easier and probably better off with ACS and TAC+
> 
> Michael
> 
> 
> 
>>-----Original Message-----
>>From: cisco-nsp-bounces at puck.nether.net 
>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vandy Hamidi
>>Sent: Monday, April 04, 2005 10:33 PM
>>To: cisco-nsp at puck.nether.net
>>Cc: David Devanna
>>Subject: [c-nsp] Central Authentication (Tacacs+ / Radius) 
>>
>>I'm looking to (finally) implement a central AAA server.
>>I'm not looking to integrate with AD/LDAP, just a local DB on a central
>>server.  Just a simple Authen, Author, and Accounting server for tiered
>>access and logging capabilities.
>>
>>In the past I've used CiscoSecure Tacacs+ server and it worked quite
>>well.
>>I was planning on using it again, but wanted to see if the group could
>>recommend a newer (CS is from 2002 I believe) AAA server.
>>
>>Please share your experiences and recommendations, I would appreciate
>>hearing what others use or don't use and why.
>>
>>	-=Vandy=-
>>
>>
>>
>>_______________________________________________
>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
> 


-- 
Scott A. Keoseyan
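The knobs Scott asks about (per-attempt timeout, retransmit count and dead-server marking) are global `radius-server` commands on classic IOS; the example below is added here and is not from the thread, and its addresses, keys and values are constructed placeholders. It assumes the IOS defaults of a 5-second timeout, 3 retransmits and a deadtime of 0, which is why an unreachable primary is walked through again on every new login unless deadtime is set.

```ios
! Added example, not from the thread. Addresses and keys are placeholders.
aaa new-model
!
! Weak form (defaults): with no deadtime a failed server is never marked
! dead, so every new session retries the unreachable primary, waits out
! the 5 s timeout and its retransmits, and only then reaches the backup.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key PLACEHOLDER
!
! Tuned form: shorter per-attempt timeout, fewer retransmits, and a
! deadtime so a server that stops answering is skipped for 10 minutes
! instead of being probed again by each session.
radius-server timeout 3
radius-server retransmit 2
radius-server deadtime 10
!
! Local fallback so an admin is not locked out when all servers are down;
! accounting still goes to RADIUS so the central log stays complete.
username admin privilege 15 secret PLACEHOLDER
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated
aaa accounting exec default start-stop group radius
```

Verify the effect with `show radius statistics` and `debug radius` on a test box: after the first timeout against the primary, subsequent logins should go straight to the backup until the deadtime expires.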