> Let's simplify it, > I have cisco devices we authenticate locally on each device. > We want to centralize the AAA on a server, so I though to > install a tac-plus or a freeradius on a linux box, <snip>
You can do (almost) everything you want by using the IAS (Internet Authentication Service - the badly named RADIUS server) that is included with your Windows servers. You can create groups; set up those groups so that different authentication parameters are returned; set up command group with different "enable" levels on the devices and have your different levels of authorisation. It isn't the simplest setup but I have done it before and it works fine. It avoids having to have another server in the mix; it is free (which is good for most people); and if you want redundancy you can simply set up IAS on multiple AD servers and point your devices to them as you see fit. The only downside is you can't do per-command authorisation because RADIUS doesn't support that. B. _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
