[c-nsp] TACACS / RADIUS - Single Sign On

Ebben Aries earies at uci.net
Sun Nov 26 19:31:44 EST 2006


I have had much success using PAM (w/ pam_ldap) with tac_plus to support all 
TACACS+ devices, and FreeRADIUS using the native LDAP plugin for all 
non-TACACS-capable devices.

As for privilege levels, etc.: all RADIUS attributes are stored in OpenLDAP 
and all TACACS+ ones in MySQL, with a customized frontend to regenerate the 
tac_plus.cfg file.

Ebben
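The "frontend that regenerates tac_plus.cfg" part of the setup above is easy to get wrong, so here is an added example of that piece. It is not Ebben's code: it assumes a Shrubbery-style tac_plus config grammar (`login = PAM`, `group`/`user` stanzas, `service = exec { priv-lvl = N }`), which the networkforums.net build also uses, and it uses an in-memory SQLite database with constructed rows as a stand-in for the MySQL tables (table and column names are invented for the example). Authentication is delegated to PAM so the daemon's PAM service can point at pam_ldap; only authorization (privilege levels) comes from SQL. The one point worth copying is the name check: anything pulled from a database and interpolated into a config grammar must be restricted to a safe character set, otherwise a row containing `}` or a newline rewrites the policy for everyone.

```python
"""Regenerate a tac_plus.cfg from SQL tables of users and groups.

Added example, not the poster's frontend. Assumes a Shrubbery-style tac_plus
daemon; SQLite stands in for MySQL so it runs offline.
"""
import re
import sqlite3

# Usernames and group names are interpolated into the config grammar, so
# restrict them before use. A value containing '}', '"' or a newline would
# otherwise let a single DB row inject arbitrary stanzas.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.\-]{1,64}$")


def build_sample_db():
    """Constructed sample data standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tac_groups (name TEXT PRIMARY KEY, priv_lvl INTEGER NOT NULL);
        CREATE TABLE tac_users  (username TEXT PRIMARY KEY,
                                 groupname TEXT NOT NULL REFERENCES tac_groups(name));
        INSERT INTO tac_groups VALUES ('netadmin', 15), ('fieldtech', 7);
        INSERT INTO tac_users  VALUES ('alice', 'netadmin'), ('bob', 'fieldtech');
    """)
    return conn


def _check_name(name):
    """Refuse any identifier that could break out of its stanza."""
    if not SAFE_NAME.match(name):
        raise ValueError("refusing to emit unsafe name: %r" % name)
    return name


def generate_tac_plus_cfg(conn, key):
    """Return tac_plus.cfg text: PAM for passwords, SQL for privilege levels."""
    if '"' in key or "\n" in key:
        raise ValueError("shared secret must not contain quotes or newlines")
    lines = [
        'key = "%s"' % key,
        "accounting file = /var/log/tac_plus.acct",
        "",
        # DEFAULT applies to users with no explicit stanza: they still
        # authenticate through PAM/LDAP but only get priv-lvl 1.
        "user = DEFAULT {",
        "    login = PAM",
        "    service = exec {",
        "        priv-lvl = 1",
        "    }",
        "}",
        "",
    ]
    for name, priv in conn.execute(
            "SELECT name, priv_lvl FROM tac_groups ORDER BY name"):
        if not 0 <= int(priv) <= 15:
            raise ValueError("priv-lvl out of range for group %s" % name)
        lines += [
            "group = %s {" % _check_name(name),
            "    default service = permit",
            "    service = exec {",
            "        priv-lvl = %d" % int(priv),
            "    }",
            "}",
            "",
        ]
    for user, group in conn.execute(
            "SELECT username, groupname FROM tac_users ORDER BY username"):
        lines += [
            "user = %s {" % _check_name(user),
            "    login = PAM",  # password checked by the tac_plus PAM service
            "    member = %s" % _check_name(group),
            "}",
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Shared secret is a placeholder; in practice read it from a file
    # outside the DB so a SQL dump does not leak it.
    print(generate_tac_plus_cfg(build_sample_db(), "replace-me"))
```

Regenerate into a temp file, run the daemon's config parse check, and only then move it into place and signal a reload; writing directly over the live file means a bad row takes down AAA for every device at once.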


On Sunday 26 November 2006 3:56 pm, Chris Allermann wrote:
> For the last couple of months I have been running the tac_plus daemon (
> http://www.networkforums.net/) to provide AAA services for my engineers and
> field techs.  Other than a few minor glitches with some non-cisco gear that
> had problems talking TACACS+ things have been running great.  Recently
> however I have had to deploy some new gear that only supports radius.
>
> I'm just curious to see what others are doing in such a situation.  I'd
> rather not reinvent the wheel if I don't have to.  I know the easy option
> would be to set up a radius daemon and maintain two sets of login
> credentials for my users but I am trying to avoid that scenario if at all
> possible. What I am really interested in is to see if anybody has rolled
> TACACS/Radius into some sort of single sign on initiative.
>
> My initial vision was some sort of LDAP or SQL back end that talked to the
> radius and tacacs daemons.  This architecture could then be expanded and
> used for authentication for corporate e-mail, access to proprietary
> systems, etc...  Again, not trying to reinvent the wheel, just seeing if
> anybody has implemented such a system or has worked with a commercial
> alternative.
>
> Any suggestions or comments would be appreciated.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/