To your first question: You can give every user in Radius it's own priv-level. You can configure your Cisco that CLI access is only allowed with a priv-level x and higher. This would be the same like Tacacs. -- Thoralf Freitag Manager Health Services System Administration Phone: +49 (0) 30 68905-4611 Cellular:+49 (0) 151 1631-4611 Fax: +49 (0) 30 68905-2940 Mail: Thoralf.Freitag@biotronik.com *** Sent via Blackberry. *** http://www.biotronik.com ********************************************************************************* BIOTRONIK GmbH & Co. KG Woermannkehre 1, 12359 Berlin, Germany Sitz der Gesellschaft: Berlin, Registergericht: Berlin HRA 6501 Vertreten durch ihre Komplementaerin: BIOTRONIK Mess- und Therapiegeraete GmbH Sitz der Gesellschaft: Berlin, Registergericht: Berlin HRB 2918 Geschaeftsfuehrer: Dr. Max Schaldach, Christoph Boehmer, Dr. Werner Braun, Dr. Lothar Krings ********************************************************************************* This email and the information it contains including attachments are confidential and meant only for use by the intended recipient(s); disclosure or copying is strictly prohibited. If you are not addressed, but in the possession of this email, please notify the sender immediately. ----- Originalnachricht ----- Von: Norbert Wegener [norbert.wegener@siemens.com] Gesendet: 14.02.2009 12:05 CET An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: Migration from TACACS+ to RADIUS Alan DeKok schrieb:
Nicholas R. Cappelletti wrote:
In the recent weeks, I have come across some downfalls to using TACACS+ such as no 802.1x authentication, no WPA integration, and the impossible integration into both Kerberos and LDAP.
I hate to sound naive, but like many who need help, I'm new to RADIUS, its configuration, and its capabilities. With that said, I have a few questions concerning functionality that I had with TACACS+ and its equivalence in RADIUS.
1. How granular can I get with command authorization? Currently, TACACS+ is used for VPN authentication and device login, but not all those users should, or need, access to the CLI of the network equipment (We use both Cisco and HP devices). Eventually I would like to use the RADIUS setup for wireless authentication too.
The hope is that we can add TACACS+ support to FreeRADIUS in a future version. That will help with migration.
Can this be expected in the foreseeable future? Norbert Wegener
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html