[c-nsp] Deploying RADIUS for user logins ?

Peter Rathlev peter at rathlev.dk
Mon Mar 3 12:30:03 EST 2008


On Mon, 2008-03-03 at 10:18 -0600, Justin Shore wrote:
> Assuming you're going to do TACACS+ (RADIUS would be similar) here's a 
> working AAA config:
<snip>

Very nice example. I've been looking for exactly something like this for
a while. Thanks for sharing. :-)

> You should also come up with a method of generating TACACS keys.  You 
> could use 1 key per POP or 1 key for the entire network.  Personally I 
> use a unique key per device.  It's probably overkill but it works for 
> me.  I use a unique string taken from each device (process board ID for 
> example), stick it in a text file, and then perform a md5sum on that 
> file.  The resulting 32 character string of random characters makes for 
> a nice key.  It's also reproducible in a pinch.

Just a small note: Make sure not to use information that other people
can see easily(-ish). Often e.g. the base MAC is printed on the outside
of switches, and the MD5 hashing would only protect from network
eavesdropping. But protecting the AAA-server is a requirement
anyway. :-)

Regards,
Peter
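Added example (not from either poster, and not Cisco's tooling): it contrasts the md5sum-of-a-device-string derivation Justin describes with a keyed derivation that is still reproducible per device but cannot be recomputed from the printed board ID or MAC alone. The board ID, master secret and function names are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample: a per-device string of the kind the thread mentions
# (processor board ID). Assumed to be readable by anyone with physical
# access to the chassis or to "show version" output.
BOARD_ID = "FOC12345ABC"  # constructed placeholder, not a real serial

def md5_key(device_string: str) -> str:
    """Unkeyed derivation as described in the thread: the device string is
    written to a text file (echo appends a newline) and md5sum'd. The result
    is reproducible, but so is it for anyone who knows the string."""
    return hashlib.md5((device_string + "\n").encode()).hexdigest()

def hmac_key(master_secret: bytes, device_string: str) -> str:
    """Keyed alternative (hypothetical, not from the thread): HMAC-SHA256 of
    the device string under a master secret kept only with the AAA server.
    Per-device and reproducible, yet worthless without the master secret."""
    return hmac.new(master_secret, device_string.encode(), hashlib.sha256).hexdigest()

def recomputable_from_public_info(key: str, device_string: str) -> bool:
    """Peter's point: if the key equals md5 of a string printed on the box,
    the hash only hides it from a network eavesdropper, not from someone
    who has seen the label. Returns True when the key is exactly that md5."""
    return key == md5_key(device_string)

if __name__ == "__main__":
    master = b"constructed-master-secret-held-on-aaa-server"
    weak = md5_key(BOARD_ID)
    strong = hmac_key(master, BOARD_ID)
    print("md5 key :", weak, "recomputable:", recomputable_from_public_info(weak, BOARD_ID))
    print("hmac key:", strong, "recomputable:", recomputable_from_public_info(strong, BOARD_ID))
```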
