Migration from TACACS+ to RADIUS

[Nicholas R. Cappelletti]

In the recent weeks, I have come across some downfalls to using TACACS+ such as no 802.1x authentication, no WPA integration, and the impossible integration into both Kerberos and LDAP.

I hate to sound naive, but like many who need help, I'm new to RADIUS, its configuration, and its capabilities.  With that said, I have a few questions concerning functionality that I had with TACACS+ and its equivalence in RADIUS.

1. How granular can I get with command authorization?  Currently, TACACS+ is used for VPN authentication and device login, but not all those users should, or need, access to the CLI of the network equipment (We use both Cisco and HP devices).  Eventually I would like to use the RADIUS setup for wireless authentication too.

>From what I've read, setting "Service-Type = NAS-Prompt-User" will give the user the ability to login to the device, but how do I restrict them from enabling themselves?

With the RADIUS setup I have currently, it's using Kerberos for authentication, and LDAP for authorization.

2. Can I set, for a user, a separate enable password?

3. With TACACS+ I have the ability to set a MOTD per device in the configuration, and modify that if need be from the TACACS+ configuration.  Is there similar functionality in RADIUS?

4. Am I able to do any command accounting with Cisco equipment?  I understand it is not possible with the ASA firewall line, but I haven't found a definitive answer about the router IOS images.

If any one of these questions are answered, it will be greatly appreciated.  Thank you for your time and any help you can offer me in advance. :)

---

Nick
nick at switchtower.org