[cisco-voip] OT Radius authentication with a 2800 router
Scott Voll
svoll.voip at gmail.com
Tue Jan 4 10:54:48 EST 2011
Agreed. Before we went to Radius, any time someone left the company we had
to update the router / switch passwords. What a pain. Even if you have
something that will go out and auto update the passwords, you then have to
update the auto update program. Still a pain in my book.
Radius with a user, with Limited permissions is the way to go.
Scott
On Tue, Jan 4, 2011 at 7:25 AM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:
> And you can easily disable the account and enable it when required (if
> 24hr/7day/wk access is not required). If you had to create a local account
> on each router and a security issue arose, bad news.
>
> ---
> Lelio Fulgenzi, B.A.
> Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
> (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Cooking with unix is easy. You just sed it and forget it.
> - LFJ (with apologies to Mr. Popeil)
>
>
> ------------------------------
> *From: *"Go0se" <me at go0se.com>
> *To: *"Jason Aarons (US)" <jason.aarons at us.didata.com>, "Mike King" <
> me at mpking.com>, "Cisco VoIPoE List" <cisco-voip at puck.nether.net>
> *Sent: *Tuesday, January 4, 2011 10:23:01 AM
>
> *Subject: *Re: [cisco-voip] OT Radius authentication with a 2800 router
>
> I don't know how many routers you would have to touch but even if there
> were a solution it would be a pain to have to go touch each one. Simply
> create a generic AD account and if they are worried about
> network/workstation access don't give the account logon rights on your
> domain. It will still be able to log into your network devices.
>
> Thanks,
>
> Go0se
>
> My blog:
> http://atc.go0se.com
>
> --------------------------------------------
> Help Hopegivers International
> Feed the orphans of Haiti and India
> http://www.hopegivers.org
> --------------------------------------------
>
> -----Original Message-----
> From: cisco-voip-bounces at puck.nether.net
> [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Jason Aarons (US)
> Sent: Monday, January 03, 2011 7:03 PM
> To: Mike King; Cisco VoIPoE List
> Subject: Re: [cisco-voip] OT Radius authentication with a 2800 router
>
> Correct, you need to add them to AD. The fallback method is local usually.
>
> -----Original Message-----
> From: cisco-voip-bounces at puck.nether.net
> [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Mike King
> Sent: Monday, January 03, 2011 11:03 AM
> To: Cisco VoIPoE List
> Subject: [cisco-voip] OT Radius authentication with a 2800 router
>
> Sorry for the slightly off topic question.
>
> We've been using Radius authentication with our 2800 routers for a while,
> but I've been handed an interesting directive.
>
> We have a third party that will need access to our 2800 routers. I've been
> asked to make a local account on the 2800's, as management does not want to
> add them to the directory (Active Directory). We're using Microsoft NPS
> (IAS for Server 2008) as a radius backend.
>
> Unfortunately, it's been my experience, when you enable RADIUS, you cannot
> login with local accounts unless the RADIUS server does not respond.
>
> Am I missing an easy way to do this?
>
> Mike
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
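The behaviour Mike describes and the directory-account approach suggested in the replies, as an added example that is not part of the original thread: a small Python model of an IOS login method list of the form `group radius local`, where only a method that does not respond falls through to the next one. The account names, passwords and the `scenario` helper are constructed for illustration.

```python
# Added illustration (not from the thread): models how a login method list
# such as "group radius local" chooses its authentication source.
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method answered: credentials accepted
    FAIL = "fail"    # method answered: credentials rejected
    ERROR = "error"  # method did not answer (e.g. RADIUS timeout)

def radius_method(directory, reachable):
    """RADIUS backed by a directory: {user: (password, enabled)} (constructed)."""
    def check(user, password):
        if not reachable:
            return Result.ERROR
        entry = directory.get(user)
        if entry and entry[1] and entry[0] == password:
            return Result.PASS
        return Result.FAIL  # unknown, disabled or wrong password: Access-Reject
    return check

def local_method(local_users):
    """Local username database on the router: {user: password} (constructed)."""
    def check(user, password):
        return Result.PASS if local_users.get(user) == password else Result.FAIL
    return check

def login(method_list, user, password):
    """Walk the method list; only ERROR (no response) falls through."""
    for name, method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return name, result  # a reject is final, later methods are skipped
    return None, Result.FAIL     # every method was unreachable

# Constructed sample data: hypothetical account names and passwords.
DIRECTORY = {"netadmin": ("pw-a", True), "vendor-svc": ("pw-v", True)}
LOCAL = {"vendor-local": "pw-l"}

def scenario(user, password, radius_up, directory=DIRECTORY):
    """Return (deciding method, result) for one login attempt."""
    methods = [("radius", radius_method(directory, radius_up)),
               ("local", local_method(LOCAL))]
    return login(methods, user, password)
```

With RADIUS reachable, the local-only account is rejected by RADIUS and the local database is never consulted; disabling the directory account blocks that login on every device that uses the same RADIUS backend.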