Posted by News Reader on April 17, 2008, 1:57 pm
j4v1v1 wrote:
>>
>>> Hi all,
>>> I'm looking for a solution to grant login into routers/switches using
>>> the Active Directory logon name, to have a sort of single sign-on.
>>> Looking around I've found that it's all possible using RADIUS,
>>> obviously, but losing the ability to log all commands typed in
>>> the CLI. The only technology that can do it, as I know, is TACACS+, which is a
>>> really old protocol and not integrated in any way with Kerberos...
>>> What is your solution? Have you a hint how to solve this? I have to
>>> manage about 1,000 routers/switches...
>>> Thanks
>>> Stefano
>> Cisco Secure ACS supports AD authentication. It would pass the creds
>> from the network device to the TACACS+ server, which then authenticates
>> directly with the domain. Is that what you are asking?
>
> You can use RADIUS :
>
> FreeRADIUS for Linux (you will need to add Kerberos or LDAP support)
> IAS for Windows 2000 and 2003 Server.
>
> IAS:
> Standard Edition: only 50 NAS (i.e. 50 routers)
> Enterprise Edition: no limit on devices
>
> From my point of view, if you want to manage 1000 devices, Cisco ACS
> is the easiest choice.
>
> Regards.
Best Regards,
News Reader
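The distinction the thread turns on is that Cisco IOS implements per-command authorization and per-command accounting only over TACACS+ (RADIUS on IOS authenticates and can set the exec privilege level, but has no per-command authorization step). The fragment below is an added example of the IOS AAA configuration that gets the original poster what he asked for once an AD-backed TACACS+ server (Cisco Secure ACS or any other) is in place; it is not configuration from any of the posters. The server address 10.0.0.10, the shared key and the local fallback account are assumptions for illustration.

```cisco
! Added example (not from the thread). Assumed values: server 10.0.0.10,
! shared key TACACS-KEY-ASSUMED, local fallback user "localadmin".
aaa new-model
!
tacacs-server host 10.0.0.10
tacacs-server key TACACS-KEY-ASSUMED
!
! Authentication: try TACACS+ (the server talks to AD), fall back to the
! local database only if no TACACS+ server is reachable, not if it rejects.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: exec session, then every command at level 1 and 15,
! including configuration-mode commands. This is the piece RADIUS lacks.
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
!
! Accounting: a record per session and per command, so every CLI command
! ends up in the TACACS+ accounting log with the AD user name attached.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local account used only when every TACACS+ server is down.
username localadmin privilege 15 secret 0 CHANGE-ME-ASSUMED
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

Two practical caveats when rolling this out to a fleet the size the poster describes: leave the console line on local authentication (or add `aaa authorization console` only after the TACACS+ path is verified), because a mistyped key or an unreachable server with authorization enabled on the console is how devices get locked out; and note that the `local` method is consulted only when the TACACS+ servers do not answer, so a user the server actively denies is still denied.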