From: Ste on 17 Apr 2008 08:44

Hi all,

I'm looking for a solution to grant login into routers/switches using
the Active Directory logon name. This is to have a sort of single sign-on.

Looking around I've found that all of it is possible using RADIUS,
obviously, but losing the ability to log all commands written in
the CLI. The only technology that can do it, as far as I know, is TACACS+,
which is a really old protocol and not integrated in any way with Kerberos...

Which is your solution? Have you a hint how to solve this thing? I have to
manage about 1,000 routers/switches...

Thanks
Stefano
From: Trendkill on 17 Apr 2008 09:20

On Apr 17, 8:44 am, Ste <s...(a)i.net.it> wrote:
> Hi all,
>
> I'm looking for a solution to grant login into routers/switches using
> the active directory logon name. This to have a sort of single-sign-on.
>
> Looking around I've found that all it's possible using Radius,
> obviously, but loosing the availability to log all commands written in
> the CLI. The only technology can do it, as I know, is tacacs+ that is a
> really old protocol and not integrated in any way with kerberos...
>
> Which is your solution? Have u an hint how to solve this thing? I've to
> manage about 1,000 routers/switches...
>
> Thanks
> Stefano

Cisco Secure ACS supports A/D authentication. It would pass the creds
from the network device to the TACACS server, which then authenticates
directly with the domain. Is that what you are asking?
From: j4v1v1 on 17 Apr 2008 13:31

On Apr 17, 3:20 pm, Trendkill <jpma...(a)gmail.com> wrote:
> On Apr 17, 8:44 am, Ste <s...(a)i.net.it> wrote:
>
> > Hi all,
> >
> > I'm looking for a solution to grant login into routers/switches using
> > the active directory logon name. This to have a sort of single-sign-on.
> >
> > Looking around I've found that all it's possible using Radius,
> > obviously, but loosing the availability to log all commands written in
> > the CLI. The only technology can do it, as I know, is tacacs+ that is a
> > really old protocol and not integrated in any way with kerberos...
> >
> > Which is your solution? Have u an hint how to solve this thing? I've to
> > manage about 1,000 routers/switches...
> >
> > Thanks
> > Stefano
>
> Cisco Secure ACS supports A/D authentication. It would pass the creds
> from the network device to the TACACs server, which then authenticates
> directly with the domain. Is that what you are asking?

You can use RADIUS:

FreeRADIUS for Linux (you will need to add Kerberos or LDAP support)
IAS for Windows 2000 & 2003 Server.

IAS:
Standard Edition: only 50 NAS (i.e. 50 routers)
Enterprise Edition (no limit of devices)

From my point of view, if you want to manage 1000 devices, Cisco ACS
is the easiest choice.

Regards.
From: News Reader on 17 Apr 2008 13:57

j4v1v1 wrote:
> On Apr 17, 3:20 pm, Trendkill <jpma...(a)gmail.com> wrote:
>> On Apr 17, 8:44 am, Ste <s...(a)i.net.it> wrote:
>>
>>> Hi all,
>>> I'm looking for a solution to grant login into routers/switches using
>>> the active directory logon name. This to have a sort of single-sign-on.
>>> Looking around I've found that all it's possible using Radius,
>>> obviously, but loosing the availability to log all commands written in
>>> the CLI. The only technology can do it, as I know, is tacacs+ that is a

His concern is the loss of CLI command authorization and accounting.

>>> really old protocol and not integrated in any way with kerberos...
>>> Which is your solution? Have u an hint how to solve this thing? I've to
>>> manage about 1,000 routers/switches...
>>> Thanks
>>> Stefano
>> Cisco Secure ACS supports A/D authentication. It would pass the creds
>> from the network device to the TACACs server, which then authenticates
>> directly with the domain. Is that what you are asking?
>
> You can use RADIUS :
>
> Freeradius for Linux ( you will need to add Kerberos or LDAP support )
> IAS for Windows 2000 & 2003 server.
>
> IAS:
> Standard edition : only 50 NAS ( i.e 50 routers )
> Enterprise Edition ( no limit of devices )
>
> From my point of view, if you want to manage 1000 devices, Cisco ACS
> is the easiest choice.
>
> Regards.

Best Regards,
News Reader
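The device-side configuration the thread's answers point to (AD-backed TACACS+ via Cisco Secure ACS for login, plus the per-command authorization and accounting the original poster wanted and that RADIUS on IOS cannot provide), as an added example that is not from any poster. The server address 192.0.2.10, the group name ACS-GRP, the local username and both secrets are placeholders; the syntax is classic IOS 12.x AAA.

```cisco
! Added example (not from the thread): Cisco IOS AAA against a TACACS+
! server such as Cisco Secure ACS authenticating users to Active Directory.
! 192.0.2.10, ACS-GRP, localadmin and the secrets are placeholders.
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-SECRET
aaa group server tacacs+ ACS-GRP
 server 192.0.2.10
!
! Login and enable go to the AD-backed TACACS+ server first, with a local
! fallback so the device stays reachable when the AAA server is down.
aaa authentication login default group ACS-GRP local
aaa authentication enable default group ACS-GRP enable
!
! Per-command authorization. Only TACACS+ offers this on IOS: RADIUS has
! no per-command exchange and can only set a privilege level at login.
aaa authorization exec default group ACS-GRP local
aaa authorization commands 1 default group ACS-GRP local
aaa authorization commands 15 default group ACS-GRP local
aaa authorization config-commands
!
! Per-command accounting: this is the "log all commands written in the
! CLI" the original poster asked for. IOS accepts only a TACACS+ group
! here, which is why a RADIUS-only design loses the command trail.
aaa accounting exec default start-stop group ACS-GRP
aaa accounting commands 1 default start-stop group ACS-GRP
aaa accounting commands 15 default start-stop group ACS-GRP
!
! Local emergency account, used only when ACS-GRP is unreachable.
username localadmin privilege 15 secret REPLACE-WITH-LOCAL-SECRET
!
line vty 0 4
 transport input ssh
```

Keep a console session open while applying this and confirm the server path with `test aaa group ACS-GRP <user> <password> legacy` before closing it, since a wrong shared secret or an unreachable server otherwise leaves only the local fallback.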