[c-nsp] Deploying RADIUS for user logins ?

kevin gannon kevin at gannons.net
Thu Mar 6 07:37:47 EST 2008


Thanks a lot for all the input. RANCID seems to be the way to
go. Thanks for the template config; I will look again at TACACS+.

Thanks & Regards
Kevin

On Mon, Mar 3, 2008 at 5:30 PM, Peter Rathlev <peter at rathlev.dk> wrote:
> On Mon, 2008-03-03 at 10:18 -0600, Justin Shore wrote:
>  > Assuming you're going to do TACACS+ (RADIUS would be similar) here's a
>  > working AAA config:
>  <snip>
>
>  Very nice example. I've been looking for exactly something like this for
>  a while. Thanks for sharing. :-)
>
>
>  > You should also come up with a method of generating TACACS keys.  You
>  > could use 1 key per POP or 1 key for the entire network.  Personally I
>  > use a unique key per device.  It's probably overkill but it works for
>  > me.  I use a unique string taken from each device (process board ID for
>  > example), stick it in a text file, and then perform a md5sum on that
>  > file.  The resulting 32 character string of random characters makes for
>  > a nice key.  It's also reproducible in a pinch.
>
>  Just a small note: Make sure not to use information that other people
>  can see easily(-ish). Often e.g. the base MAC is printed on the outside
>  of switches, and the MD5 hashing would only protect from network
>  eavesdropping. But protecting the AAA-server is a requirement
>  anyway. :-)
>
>  Regards,
>  Peter
>
>
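
Added example (not part of any poster's message): the per-device key scheme described in the quoted thread, next to a keyed variant that stays reproducible but cannot be recomputed from an identifier printed on the chassis. The HMAC variant, the device names, the identifiers and the master secret are assumptions constructed for illustration.

```python
import hashlib
import hmac

def md5_key(device_id):
    """Scheme from the thread: md5sum of a text file holding a device string.
    Assumes the file is the string plus a trailing newline (echo ID > file)."""
    return hashlib.md5((device_id + "\n").encode()).hexdigest()

def hmac_key(master_secret, device_id):
    """Keyed variant (an assumption, not from the thread): HMAC-SHA256 over the
    device string, truncated to the same 32 hex characters as the MD5 output."""
    digest = hmac.new(master_secret, device_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:32]

def recomputable_from_label(key, visible_ids):
    """True if the key equals the plain MD5 of any identifier that can be
    read off the device, which is the concern raised in the reply."""
    return any(hmac.compare_digest(key, md5_key(v)) for v in visible_ids)

# Constructed sample data: hostnames and base MACs are made up.
DEVICES = {
    "sw-pop1-01": "0019.aa00.0100",
    "sw-pop1-02": "0019.aa00.0180",
}
# Constructed demo value; a real master secret would be random and kept offline.
DEMO_MASTER = b"constructed-demo-master-secret"

def audit(devices, master_secret):
    """Return {host: (md5_exposed, hmac_exposed)} for each device."""
    visible = list(devices.values())
    report = {}
    for host, dev_id in devices.items():
        report[host] = (
            recomputable_from_label(md5_key(dev_id), visible),
            recomputable_from_label(hmac_key(master_secret, dev_id), visible),
        )
    return report

if __name__ == "__main__":
    for host, (md5_exposed, hmac_exposed) in audit(DEVICES, DEMO_MASTER).items():
        print(f"{host}: md5 key recomputable={md5_exposed}, "
              f"hmac key recomputable={hmac_exposed}")
```

Both schemes give a 32-character key that can be regenerated in a pinch; the keyed one additionally requires the master secret, so it has to be stored as carefully as the AAA server itself.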