AAA Best Practices?

Newsgroup -

We are in the planning stages of implementing AAA on all of our Cisco devices.

Does Cisco have a "best practices" document out there someplace that describes a robust way to do this? (We have two RADIUS servers in geographically diverse locations.)

Thanks!

- Matt

Matt White

This doesn't actually answer your question but can help ...

BernieM

BernieM

Thanks, I'll look at that!

Maybe we can just start a discussion here instead... since I'm very new to AAA, here's the setup I had in mind -

1.) Disable authentication on the console port.
2.) Create one local user on each device in case the RADIUS services go down.
3.) Enable SSH on as many devices as possible.

Does this seem like a reasonable configuration?

- Matt

Matt White

Hello, Matt! You wrote on Fri, 03 Feb 2006 11:00:09 -0500:

MW> Maybe we can just start a discussion here instead... since I'm
MW> very new to AAA, here's the setup I had in mind -

MW> 1.) Disable authentication on the console port.

Don't disable. Use local account.

MW> 2.) Create one local user on each device in case the RADIUS
MW> services go down.

Yep. It's also useful for #1 above. Use the secret command so the password can't be easily decoded.

MW> 3.) Enable SSH on as many devices as possible.

Yep. And disable normal telnet access.

MW> Does this seem like a reasonable configuration?

Also TACACS accounting is very helpful to find out who did what when.

With best regards, Andrey.

Andrey Tarasov

Fair enough.

Good, that's what I was planning on doing.

I'll have to look up how to do that. Is this TACACS accounting better than having the device log back to a remote syslog?

- Matt

Matt White

Hello, Matt! You wrote on Fri, 03 Feb 2006 14:23:43 -0500:

??>> Also TACACS accounting is very helpful to find out who did what
??>> when.

MW> I'll have to look up how to do that. Is this TACACS accounting
MW> better than having the device log back to a remote syslog?

It's different :-) TACACS accounting will give you exact information on what commands were entered on the device, when, under which account, and from what IP address the connection was established. The only thing you will get in syslog from Cisco routers and IOS switches is "configured from ... by ...". Unless there is some new functionality I'm not aware of.

With best regards, Andrey.

Andrey Tarasov
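To pull the thread together, here is a worked IOS configuration for the setup discussed above: Matt's three points with Andrey's corrections (a local account on the console instead of no authentication, a local user created with `secret`, SSH only on the VTYs, and TACACS+ accounting so that every command is attributed to a user, a time and a source address). This is an added example, not a configuration posted in the thread or taken from Cisco documentation. Host names, IP addresses, shared keys and user names are placeholders to be replaced; the syntax is the IOS 12.x style used on the 2620/2950-era devices mentioned here, and `ip ssh version 2` assumes an image that supports it.

```cisco
! Added example, not from the thread. Placeholders: CHANGE-ME, RADIUS-KEY-*, TACACS-KEY,
! 192.0.2.x / 198.51.100.x (documentation addresses), user "admin".
hostname r1
ip domain-name example.net
!
aaa new-model
!
! Local emergency account: "secret" stores an MD5 hash, not the reversible type-7
! obfuscation that "password" (even with service password-encryption) produces.
username admin privilege 15 secret 0 CHANGE-ME
enable secret 0 CHANGE-ME-TOO
!
! Two RADIUS servers in the two sites; IOS tries them in the listed order and
! only falls through to the local user when neither answers.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-1
radius-server host 198.51.100.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-2
radius-server timeout 5
radius-server retransmit 2
!
! TACACS+ server used only for accounting (who typed what, when, from where).
tacacs-server host 192.0.2.20 key TACACS-KEY
!
! Default list: RADIUS first, local account only if RADIUS is unreachable.
aaa authentication login default group radius local
! Console list: local account only, so the console still works without RADIUS.
aaa authentication login CONSOLE local
aaa authorization exec default group radius local
! Accounting: session start/stop plus every privilege-15 command.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Run once in config mode (not stored in the config): crypto key generate rsa modulus 2048
ip ssh version 2
!
line con 0
 login authentication CONSOLE
 exec-timeout 10 0
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
```

Two points worth checking after applying something like this. First, "local" in the default list is reached only when the RADIUS servers do not respond, not when they reject a login, so a wrong password against RADIUS does not quietly fall back to the local account. Second, the VTY lines use the default list because no `login authentication` is set under them, while `line con 0` is explicitly pointed at the local-only CONSOLE list; verify both with a test login before removing any existing access.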

Ohh, neat. :)

I'll dig into that. Thanks for the heads-up!

- Matt

Matt White

AAA or ACS? I am actually on the ACS team in Cisco TAC. What exactly is your question?

SyedCisco

I'm looking for a good example to follow for setting up our Cisco devices to use a RADIUS server for secure access. (Mostly 2620 routers, 2950 switches and 1200 access points.)

I can come up with something that "works", but having a mature example to follow is often very helpful as it'll cover situations that I might not have thought of! :)

- Matt

Matt White
