[c-nsp] TACACS / RADIUS - Single Sign On

Chris Allermann callermann at gmail.com
Sun Nov 26 18:56:32 EST 2006


For the last couple of months I have been running the tac_plus daemon
(http://www.networkforums.net/) to provide AAA services for my engineers and
field techs.  Other than a few minor glitches with some non-Cisco gear that
had problems talking TACACS+, things have been running great.  Recently,
however, I have had to deploy some new gear that only supports RADIUS.

I'm just curious to see what others are doing in such a situation.  I'd
rather not reinvent the wheel if I don't have to.  I know the easy option
would be to set up a RADIUS daemon and maintain two sets of login credentials
for my users, but I am trying to avoid that scenario if at all possible.
What I am really interested in is to see if anybody has rolled TACACS/RADIUS
into some sort of single sign-on initiative.

My initial vision was some sort of LDAP or SQL back end that talked to the
RADIUS and TACACS daemons.  This architecture could then be expanded and
used for authentication for corporate e-mail, access to proprietary systems,
etc.  Again, not trying to reinvent the wheel, just seeing if anybody has
implemented such a system or has worked with a commercial alternative.

Any suggestions or comments would be appreciated.

