[c-nsp] TACACS / RADIUS - Single Sign On

Saku Ytti saku+cisco-nsp at ytti.fi
Mon Nov 27 00:21:11 EST 2006


On (2006-11-26 18:56 -0500), Chris Allermann wrote:

> For the last couple of months I have been running the tac_plus daemon (
> http://www.networkforums.net/) to provide AAA services for my engineers and
> field techs.  Other than a few minor glitches with some non-Cisco gear that
> had problems talking TACACS+ things have been running great.  Recently
> however I have had to deploy some new gear that only supports RADIUS.
> 
> I'm just curious to see what others are doing in such a situation.  I'd

If you truly want single sign-on, that is, all your Windows, *nix, Cisco,
webpages, email and whatnot use a single password, I'd dare say that
the absolutely easiest way is to configure all of them to authenticate against
AD. You can configure e.g. Radiator (commercial, but dirt cheap
radius+tacacs+whatnot server) to do it.

Then the matter of deactivating a user in your network is removing the user
from AD. Or if you want to verify which services any given user can use,
you just check it from AD.

-- 
  ++ytti

