AAA without TACACS+ ??

Hi all,

I'm looking for a solution to grant login to routers/switches using the Active Directory logon name. This is to have a sort of single sign-on.

Looking around, I've found that all of this is possible using RADIUS, obviously, but losing the ability to log all commands typed in the CLI. The only technology that can do it, as far as I know, is TACACS+, which is a really old protocol and not integrated in any way with Kerberos...

Which is your solution? Have you a hint on how to solve this? I have to manage about 1,000 routers/switches...

Thanks, Stefano

Reply to
Ste

Cisco Secure ACS supports A/D authentication. It would pass the creds from the network device to the TACACS+ server, which then authenticates directly with the domain. Is that what you are asking?

Reply to
Trendkill

You can use RADIUS:

FreeRADIUS for Linux (you will need to add Kerberos or LDAP support), or IAS for Windows 2000 & 2003 Server.

IAS: Standard Edition: only 50 NAS (i.e. 50 routers); Enterprise Edition: no limit on devices.

From my point of view, if you want to manage 1000 devices, Cisco ACS is the easiest choice.

Regards.

Reply to
j4v1v1

His concern is the loss of CLI command authorization and accounting.

Best Regards, News Reader

Reply to
News Reader
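To make the thread's point concrete (Stefano's requirement and News Reader's remark about losing CLI command accounting), here is an added example of the Cisco IOS AAA configuration that the two options would come down to. It is not from any poster; the server addresses, group names and shared secrets are placeholders. Alternative A uses TACACS+ (e.g. against Cisco ACS bound to Active Directory) and gets per-command authorization and accounting; alternative B uses RADIUS (e.g. against IAS or FreeRADIUS) and gets login and session accounting only. Both alternatives use the `default` method lists, so apply only one of them on a given device.

```cisco
! Added example, not from the thread. 192.0.2.10 / 192.0.2.20 and the
! EXAMPLE-* secrets are placeholders. Classic IOS syntax of the period
! (tacacs-server host / radius-server host) is used throughout.
aaa new-model
!
! ===== Alternative A: TACACS+ (login + per-command authz + per-command accounting) =====
tacacs-server host 192.0.2.10 key EXAMPLE-TACACS-SECRET
aaa group server tacacs+ ACS-TACACS
 server 192.0.2.10
!
! Authenticate logins against the TACACS+ server, fall back to the local
! database only if the server is unreachable (not if it rejects the user).
aaa authentication login default group ACS-TACACS local
aaa authorization exec default group ACS-TACACS local
! Every privilege-15 command is checked with the server before it runs ...
aaa authorization commands 15 default group ACS-TACACS local
! ... and every command is sent to the server as an accounting record,
! which is the CLI audit trail Stefano is after.
aaa accounting exec default start-stop group ACS-TACACS
aaa accounting commands 15 default start-stop group ACS-TACACS
!
! ===== Alternative B: RADIUS (login + session accounting only) =====
radius-server host 192.0.2.20 key EXAMPLE-RADIUS-SECRET
aaa group server radius IAS-RADIUS
 server 192.0.2.20
!
aaa authentication login default group IAS-RADIUS local
aaa authorization exec default group IAS-RADIUS local
aaa accounting exec default start-stop group IAS-RADIUS
! There is deliberately no "aaa authorization commands" or
! "aaa accounting commands" line here: IOS does not support per-command
! authorization or accounting over RADIUS, so only the login/logout of
! the session is recorded, not what was typed during it.
!
! ===== Common to both: local fallback so a dead AAA server cannot lock you out =====
username admin privilege 15 secret EXAMPLE-LOCAL-PASSWORD
```

Two things worth checking after deploying either alternative: that `show aaa servers` (or `debug aaa accounting` on a lab box) shows accounting records actually reaching the server, and that the `local` fallback only engages when the server is unreachable, which is the IOS behaviour for method lists but is easy to misread as "try local if the server says no".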
