[c-nsp] tacac+ server info

Michael Markstaller mm at elabnet.de
Tue May 24 03:52:19 EDT 2005


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vince Hoffman
> Sent: Monday, May 23, 2005 8:34 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] tacac+ server info
> 
> Hi all,
> we're looking to change from radius to tacacs plus so we can use
> the greater granularity and logging. I've looked around for
> servers and have come up with this shortlist:

My tests & findings are 2-3 years old, but I ended up using RADIUS instead of TAC+ for admin-AAA..
TAC+ is broken (source-interface) in some 12.2/12.2T releases and I didn't want to change IOS to use TAC+, but this is most likely fixed in recent code..
Regarding failover, used with Cisco ACS I had some *very* bad experiences; the worst one: regularly not being able to log in at all, not even with the enable on the console (!) when the primary is down although the secondary is reachable, asking for user and passcode.. I had to plug the cable from the secondary ACS to gain access to routers! I'd really advise you to test this anyway..

I don't see why TAC+ should be more granular and have better logging besides one thing: command authorization. Anything else should be possible with radius too..

If you stick with TAC+ and don't expect very high load and an easy to set up and administer solution, Cisco ACS might be the best choice, just grab a script restarting it daily - this solves most problems..
The TAC+ that comes from RSA with ACE 5.2 hasn't done anything usable for me on Windows.

If not, I'd still prefer RADIUS, there're quite some products out there and ACE supports it with the built-in radius quite hassle-free. As the ACE-radius is very limited in features, I'd put something in front of it;
we're using freeradius with proxy-to-realm for Admin-AAA while still being able to have "normal" non-token users for non-administrative logins like dialup etc., consolidating and centralizing all AAA.
But, freeradius might be more complex to set up and administer; if you're beyond this point you get a *very* flexible solution running 100% stable.. There's also a very helpful mailing-list for it.


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vince Hoffman
> Sent: Monday, May 23, 2005 8:34 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] tacac+ server info
> 
> Hi all,
> we're looking to change from radius to tacacs plus so we can use
> the greater granularity and logging. I've looked around for
> servers and have come up with this shortlist:
> 
> ftp://ftpeng.cisco.com/pub/tacacs/tac_plus.F4.0.4.alpha.tar.Z
> http://www.gazi.edu.tr/tacacs/
> http://tacppd.org/
> ftp://ftp.shrubbery.net/pub/tac_plus/
> http://www.mirrors.wiretapped.net/security/authentication/tacacs/tac+ia/
> 
> My question is, has anyone had any good or bad experiences with any of
> these? Also we are currently using RSA secureID tokens and would like
> to keep using them. Anyone using this combination? While I have
> found reference to proxy authentication off a radius server, it seems
> somewhat cumbersome.

see above, we do the same and it really works fine.. indeed I've split up Authentication to the ACE-radius and Authorization & Accounting to the proxy running freeradius..


Michael
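As an added example (not from the original post or from the freeradius project), a FreeRADIUS 1.x-style proxy.conf realm definition plus a users file entry for the split described above: admin-realm authentication proxied to the ACE built-in RADIUS (token check), with authorization attributes and accounting kept on the local freeradius. The host name, port, shared secret, realm names and the priv-lvl value are assumptions/placeholders.

```conf
# proxy.conf -- added example, not the original poster's config.
# Admin logins are authenticated by the RSA ACE built-in RADIUS server
# (SecurID passcode), but accounting stays on this freeradius host.
# Hostname, port and shared secret below are placeholders (assumed).

realm admin {
	type		= radius
	authhost	= ace-radius.example.net:1645
	accthost	= LOCAL
	secret		= REPLACE_WITH_SHARED_SECRET
	nostrip
}

# Users without a realm (dialup etc.) never touch the ACE server:
# authentication and accounting are both handled locally.
realm NULL {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
}

# users -- authorization is decided locally per realm, so a successful
# token login in the "admin" realm gets router exec access and
# privilege level 15 (Cisco-AVPair comes from dictionary.cisco;
# the priv-lvl value is an assumed example), while NULL-realm users
# get a plain framed/dialup profile with no shell access.
DEFAULT	Realm == "admin"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT	Realm == "NULL"
	Service-Type = Framed-User,
	Framed-Protocol = PPP
```

Test the failover behaviour Michael warns about by stopping the proxied realm's home server and checking that a console/enable login on the router still works before relying on it.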


