[c-nsp] TACACS/RADIUS/AD

David Freedman david.freedman at uk.clara.net
Mon Aug 10 06:32:21 EDT 2009


You can also use the Radiator RADIUS server
(http://www.open.com.au/radiator/), which is as flexible as FreeRADIUS
(if not more so, IMHO) and has the added benefit of a TACACS+ interface
to routers. It is written in and configured with Perl.

Unfortunately, it costs money (but the sum is trivial for the
functionality AFAIK)

Dave


Ziv Leyes wrote:
> Hi all,
> 
> I need to implement an AAA method other than local for our Cisco devices (routers/switches).
> 
> I was thinking of using the already existing Active Directory, because everyone has an account there and there is a strict, secure password policy.
> 
> Also, when someone quits, their user is always removed from there, but I don't always get notifications about personnel changes, so managing another independent user DB is not good for me.
> 
> At first I was thinking of connecting directly to the AD servers, but this doesn't give me much flexibility; I don't manage those servers and I don't want to depend on others regarding the authorizations.
> 
> I was thinking about a server like RADIUS or TACACS+ that will check only the user authentication against the AD server and perhaps retrieve a value indicating which group the user belongs to. Let's say I only need two or three degrees of authorization (read-only, operator, and admin). All the rest of the command authorization granularity will be performed by the RADIUS/TACACS+ server, based on the user's groups.
> 
> Is this possible to implement? If yes, do you have some ideas, tips, howtos?
> 
> Thanks in advance!
> 
> Regards,
> 
> 
> 
> Ziv
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
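The design Ziv describes (authenticate against AD, map the user's group to one of a few roles, and let the AAA server do per-command authorization from the role) can be sketched as a small policy engine. The block below is an added example for this thread; it is not code from Radiator, FreeRADIUS, Cisco or either poster. The in-memory directory, group DNs, usernames and passwords are constructed stand-ins for Active Directory; a real deployment would bind to AD over LDAPS and read memberOf, and the verdicts would be returned to the device by the TACACS+ server.

```python
"""Role-based AAA policy driven by AD group membership (added example).

Constructed stand-in for AD; all DNs, users and passwords are hypothetical.
"""
import hmac
import re
from dataclasses import dataclass, field

# Constructed stand-in for Active Directory: sAMAccountName -> (password, memberOf DNs).
FAKE_AD = {
    "alice": ("alice-pw", ["CN=NetAdmins,OU=Groups,DC=example,DC=com"]),
    "bob":   ("bob-pw",   ["CN=NetOps,OU=Groups,DC=example,DC=com"]),
    "carol": ("carol-pw", ["CN=NetRO,OU=Groups,DC=example,DC=com"]),
    "dave":  ("dave-pw",  ["CN=Sales,OU=Groups,DC=example,DC=com"]),  # valid AD user, no network role
}


@dataclass
class Role:
    name: str
    priv_lvl: int          # privilege level the AAA server would hand back to the device
    permit: list           # regexes matched against the whole normalised command line
    deny: list = field(default_factory=list)  # checked before permit, so deny always wins


# Ordered highest-privilege first: a user in several groups gets the first match.
ROLES = [
    ("CN=NetAdmins,OU=Groups,DC=example,DC=com",
     Role("admin", 15, permit=[r".*"])),
    ("CN=NetOps,OU=Groups,DC=example,DC=com",
     Role("operator", 15,
          permit=[r"show .*", r"clear counters.*", r"configure terminal",
                  r"interface .*", r"shutdown", r"no shutdown",
                  r"description .*", r"end", r"exit"],
          deny=[r"show running-config.*", r"show startup-config.*"])),
    ("CN=NetRO,OU=Groups,DC=example,DC=com",
     Role("read-only", 1,
          permit=[r"show .*", r"ping .*", r"traceroute .*", r"exit"],
          deny=[r"show running-config.*", r"show startup-config.*"])),
]


def authenticate(username, password):
    """LDAP-bind stand-in: return the user's group DNs on success, None on failure.

    Only authentication is delegated to the directory, as the original post asks;
    everything below this point is decided locally on the AAA server.
    """
    entry = FAKE_AD.get(username)
    if entry is None:
        return None
    stored_pw, groups = entry
    # Constant-time comparison; a real server would do an LDAP simple bind instead.
    if not hmac.compare_digest(stored_pw.encode(), password.encode()):
        return None
    return list(groups)


def resolve_role(groups):
    """Map memberOf DNs to a role. DNs compare case-insensitively in AD."""
    have = {g.lower() for g in groups}
    for dn, role in ROLES:
        if dn.lower() in have:
            return role
    return None  # authenticated in AD but not entitled to log in to network devices


def login(username, password):
    """Full login decision: None means reject, otherwise the role to apply."""
    groups = authenticate(username, password)
    if groups is None:
        return None
    return resolve_role(groups)


def authorize_command(role, argv):
    """TACACS+-style per-command authorization: deny by default, deny list first,
    patterns anchored over the entire whitespace-normalised command line so that
    'show' cannot be smuggled in as 'showfoo' or via extra spaces."""
    if role is None:
        return False
    cmd = re.sub(r"\s+", " ", " ".join(argv)).strip()
    if any(re.fullmatch(p, cmd) for p in role.deny):
        return False
    return any(re.fullmatch(p, cmd) for p in role.permit)


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("carol", "carol-pw"), ("dave", "dave-pw")]:
        role = login(user, pw)
        print(user, "->", role.name if role else "rejected",
              authorize_command(role, ["show", "running-config"]))
```

Two points the sketch makes explicit: a user who exists in AD but is in none of the mapped groups is rejected rather than given a default role, and the deny list is evaluated before the permit list so that a broad "show .*" cannot expose the running config to read-only users. Per-command authorization of this kind needs TACACS+ on the device side; RADIUS on IOS can return a privilege level at login but does not authorize individual commands.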