On 30.01.2017 17:49, Brian Julin wrote:
Personally I think the best policy is not to use remote authentication servers for administrative switch access, we have 400+ LAN switches, and relying on local settings is not an option for every-day operation. We do put a local account into every switch though, in case something goes badly wrong (there have been IOS updates with surprises in the past).
and not to use the same password for administrative access to networking equipment as you do for SSO/AD but that's a matter of opinion and certainly depends on institutional needs. exactly. We used to have one redundant pair of RADIUS servers which we used for both WiFi users and administrative auth. I had separated the passwords using some heuristics to figure out what kind of request was coming in. That was nice for a while, but as our network landscape got more and more heterogenous it turned out to be complicated and error-prone. Finally, we split this up. So I would advise you to go for a separate set of (perhaps virtual) servers for each user auth and admin auth. It also looks like you _could_ use AD directly from Cisco: https://rbgeek.wordpress.com/2013/01/14/authenticate-the-cisco-devices-using... But putting a RADIUS server in between gives you all sorts of control over the auth process, e.g. you could easily change your store of admin passwords later on.
Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg