[c-nsp] Deploying RADIUS for user logins ?
kevin gannon
kevin at gannons.net
Thu Mar 6 07:37:47 EST 2008
Thanks a lot for all the input. RANCID seems to be the way to
go. Thanks for the template config; I will look again at TACACS+.
Thanks & Regards
Kevin
On Mon, Mar 3, 2008 at 5:30 PM, Peter Rathlev <peter at rathlev.dk> wrote:
> On Mon, 2008-03-03 at 10:18 -0600, Justin Shore wrote:
> > Assuming you're going to do TACACS+ (RADIUS would be similar) here's a
> > working AAA config:
> <snip>
>
> Very nice example. I've been looking for exactly something like this for
> a while. Thanks for sharing. :-)
>
>
> > You should also come up with a method of generating TACACS keys. You
> > could use 1 key per POP or 1 key for the entire network. Personally I
> > use a unique key per device. It's probably overkill but it works for
> > me. I use a unique string taken from each device (processor board ID for
> > example), stick it in a text file, and then perform an md5sum on that
> > file. The resulting 32 character string of random characters makes for
> > a nice key. It's also reproducible in a pinch.
>
> Just a small note: Make sure not to use information that other people
> can see easily(-ish). Often e.g. the base MAC is printed on the outside
> of switches, and the MD5 hashing would only protect from network
> eavesdropping. But protecting the AAA-server is a requirement
> anyway. :-)
>
> Regards,
> Peter
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
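
Added example, not part of the original thread or any poster's code: the per-device key scheme Justin describes (md5sum of a device string) next to a keyed variant that addresses Peter's note about visible identifiers. The HMAC-SHA256 variant, the master secret and the sample board IDs are assumptions constructed for illustration.

```python
import hashlib
import hmac
from typing import Iterable


def md5_key(device_id: str) -> str:
    """Scheme from the thread: md5sum of a text file holding the device string."""
    # Assumption: the file was written with a trailing newline (e.g. via echo),
    # so md5sum hashes the identifier plus "\n".
    return hashlib.md5((device_id + "\n").encode()).hexdigest()


def hmac_key(master_secret: bytes, device_id: str, length: int = 32) -> str:
    """Keyed variant: still reproducible per device, but only by someone
    who holds master_secret, not by anyone who can read the identifier."""
    digest = hmac.new(master_secret, device_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:length]


def guessable(configured_key: str, visible_ids: Iterable[str]) -> bool:
    """Audit check: is the configured key just the MD5 of an identifier
    that is printed on the chassis or shown in 'show version'?"""
    return any(
        hmac.compare_digest(md5_key(ident), configured_key)
        for ident in visible_ids
    )


if __name__ == "__main__":
    # Constructed sample values, not real devices or secrets.
    board_id = "FOC0000X0AA"
    master = b"constructed-master-secret-keep-offline"

    plain = md5_key(board_id)
    keyed = hmac_key(master, board_id)

    print("md5 key  :", plain, "guessable:", guessable(plain, [board_id]))
    print("hmac key :", keyed, "guessable:", guessable(keyed, [board_id]))
```

Both functions return a 32-character hex string, so either fits wherever the md5sum output was being pasted; the master secret needs the same protection as the AAA server itself.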