Request for opinion - central admin user server LDAP+FreeRADIUS
Stefan Winter
stefan.winter at restena.lu
Mon Aug 10 07:42:30 CEST 2009
Hi,
> Look at TACACS/TACACS+. Most devices support this. You will need a
> TACACS server which authenticates off a RADIUS server.
>
> For others it is up to the software to implement TACACS or direct RADIUS.
>
Most gear supports direct RADIUS just fine. TACACS+ is a proprietary
protocol and personally I have had the impression that it's dying a long
death. The *only* merit it has is on Cisco devices (Cisco is the
inventor of TACACS+): you can configure a feature called "command
authorisation" in Cisco gear, so that the device checks back every
single command a user enters in an interactive session. It could also be
done with a RADIUS attribute, but Cisco decided to explicitly
un-implement this one feature to make TACACS+ superior to
RADIUS for that one feature. If you have never heard of nor care about Cisco's
command authorization, RADIUS should be the way to go.
Stefan Winter
>
> Andres Kaaber wrote:
>
>> Hello all
>> I'm assigned with a project to make a central admin user database for all kinds
>> of servers / devices you can imagine (routers, switches, firewalls, Linux
>> servers, Windows servers, databases, etc.). The point is that when a new
>> employee arrives you just make him a user in this database, maybe check which
>> types of devices he can access, and all the devices are configured to authenticate users
>> against this db. We have over 200 switches alone in our company, so making user
>> accounts in every single one of them and, when this dude leaves, disabling all
>> of them is huge (or impossible) work.
>> So I thought a Linux server with LDAP+FreeRADIUS for authentication sounds like a quick,
>> easy and good solution, or not? There is no problem with servers: Linux and
>> Windows servers can authenticate against RADIUS. Most popular DBs can do
>> this also (Oracle, MySQL, PostgreSQL). I don't know about Cisco switches and
>> routers, but as far as I found on Google there should be no problems; the same goes
>> for Juniper devices.
>> So what do you think? Or maybe you know a free software solution for this kind
>> of problem already? Sun Identity Management is one that I checked out, but it
>> seems too bloated and complicated. So what are your thoughts?
>>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
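For readers wanting to see what the LDAP+FreeRADIUS design from the original question looks like in practice, here is an added example (not part of the thread, and not from the FreeRADIUS project's own configuration files) of a FreeRADIUS 2.x `users` file that maps LDAP group membership to a privilege level on Cisco gear. The group names `net-admins` and `net-helpdesk` are constructed for illustration; it assumes the `ldap` module is configured against your directory and is listed before `files` in the `authorize` section of the default virtual server, so that the `Ldap-Group` check item is available (FreeRADIUS 3.x spells it `LDAP-Group`).

```text
# /etc/raddb/users  (FreeRADIUS 2.x syntax; example entries, group names are constructed)
# Entries are tried top to bottom; the first DEFAULT whose check items match wins.

# Network engineers: authenticate by LDAP bind, get full privilege level (15)
# on Cisco devices. Service-Type = NAS-Prompt-User requests an interactive
# management session rather than a network-access session.
DEFAULT Ldap-Group == "net-admins", Auth-Type := LDAP
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

# Helpdesk: same directory password, but only privilege level 1 (show commands).
DEFAULT Ldap-Group == "net-helpdesk", Auth-Type := LDAP
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=1"

# Anyone else, even with a valid directory password, is rejected: an account
# that exists in LDAP but is in neither group gets no device access at all.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorised for network device access"
```

Offboarding then becomes removing the person from the LDAP group (or disabling the directory account): every device that authenticates against this server stops accepting the login on the next attempt, which is the point of the central database. This covers login and privilege level only; as Stefan notes above, per-command checking on Cisco gear is a TACACS+ feature and is not something a RADIUS reply can grant.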
More information about the Freeradius-Users mailing list