[c-nsp] TACACS/RADIUS/AD

Brett Looney brett at looney.id.au
Sun Aug 9 19:27:47 EDT 2009


> Let's simplify it,
> I have cisco devices we authenticate locally on each device.
> We want to centralize the AAA on a server, so I thought to
> install a tac-plus or a freeradius on a linux box,
<snip>

You can do (almost) everything you want by using the IAS (Internet
Authentication Service - the badly named RADIUS server) that is included
with your Windows servers. You can create groups; set up those groups so
that different authentication parameters are returned; set up command groups
with different "enable" levels on the devices and have your different levels
of authorisation.

It isn't the simplest setup but I have done it before and it works fine. It
avoids having to have another server in the mix; it is free (which is good
for most people); and if you want redundancy you can simply set up IAS on
multiple AD servers and point your devices to them as you see fit.

The only downside is you can't do per-command authorisation because RADIUS
doesn't support that.

B.
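As an added example (not part of Brett's reply), this is the IOS side of the setup he describes, with the matching IAS attribute noted in comments; the server address 192.0.2.10 and the shared secret are placeholders.

```cisco
! Added example: IOS AAA pointing at Windows IAS (RADIUS), not from the original post.
aaa new-model
!
! Authenticate logins against IAS; fall back to local accounts if the server is unreachable.
aaa authentication login default group radius local
!
! EXEC authorization is what makes the device honour the privilege level IAS returns.
aaa authorization exec default group radius local
!
! Session accounting so logins show up in the IAS log.
aaa accounting exec default start-stop group radius
!
! Placeholder IAS server and shared secret; use a second "radius-server host"
! line for a second AD/IAS box if you want the redundancy mentioned above.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-SECRET
!
! Keep a local fallback account in case every RADIUS server is down.
username admin privilege 15 secret PLACEHOLDER-LOCAL-PASSWORD
!
line vty 0 4
 login authentication default
 authorization exec default
!
! IAS side (set per Remote Access Policy, one policy per AD group):
!   Vendor-Specific attribute, vendor code 9 (Cisco), "conforms to RADIUS RFC",
!   vendor-assigned attribute number 1, string:
!     shell:priv-lvl=15   for the full-access group
!     shell:priv-lvl=1    for the read-only group
! A user in the priv-lvl=15 group lands directly in enable mode; the priv-lvl=1
! group still has to "enable" with a locally configured enable secret.
!
! Caveat from the post: RADIUS has no per-command authorization, so there is no
! "aaa authorization commands" equivalent here; that needs TACACS+.
```

The fallback `local` keyword only applies when no RADIUS server answers, not when IAS rejects the user, so a bad password still fails cleanly.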


