Comments inserted.
----- Original Message -----
From: Brad Beck <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 01, 2000 9:00 PM
Subject: line/enable authentication via radius/TACACS+???
> Hi everybody,
>
> It seems to me that many medium/large networks tend to use radius or
> tacacs
> for router line authentication. I could be wrong about this, so please
> correct me if so. I'd like to know how a few things are handled in this
> type of environment:
>
> - What is the main driver in using radius/tacacs+ for line(telnet)
> authentication? Is it for accounting purposes? Is it to prevent the
> problems involved with local line passwords such as password changes?
-------------
Telnet access is usually used to prevent unauthorized access to the
router/switch. Often, nobody but the senior network engineers will get
access to the internetworking equipment consoles.
-----------
>
> - From some of my CCO readings, I've learned that AAA can be configured so
> that, if radius/tacacs+ authentication is configured for a line, and the
> user authentication fails(wrong password/username) the enable password will
> allow a user router access. Considering this, what's to prevent a user
> from simply pressing return a couple times then entering the enable
> password in order to bypass the username/password requirement?
Both Radius and Tacacs+ are configured so they only accept the configured
access. Typically the authentication servers will have something like
Tacacs/Local to allow the routers local username/passwords database to be
used in the event the Tacacs server is unavailable. Authentication methods
are parsed in the order they appear in the command. If there is a 'deny' by
any method the authentication process stops...period and nothing will cause
it to move to the next method prematurely.
----------
>
> - What if the authentication server is inaccessible? ie. Part(s) of the
> network are down.
If you have other authentication methods configured in your AAA command,
they will be used. Otherwise you are SOL.
--------
>
> - Related to the previous question, how many authentication servers are
> commonly deployed in a given network?
One Radius/Tacacs server can handle thousands of users. However, I would
suggest using more than one server with more than 100 remote access users
for redundancy's sake. You don't want to find yourself typing hundreds of
username/password combos into a NAS server's local database after your AAA
server takes a dive!
--------
>
> - Finally, do Network/Ops divisions generally run their own authentication
> servers, or are existing user databases shared(ie email, etc)?
Typically the NT user database or the Novell NDS database would be used in
authenticating a sizeable network. That said, you probably wouldn't want
users having to get authenticated on servers over WAN lines if possible,
unless the remote site was too small to justify spending
25K on a nice CiscoSecure ACS server and a decent NAS server!
--------
>
> Basically I'm trying to understand real-world implementations of this, and
> I'm finding it hard to do from documentation alone.
>
> THANKS A LOT!
>
> ps. I'd like to say thanks to this list for what I've learned over the
> past several months by mostly lurking. I just recently passed BCMSN with
> a
> 945, and a few months ago CCNA with a 925. Really, thanks.
>
>
> -brad
>
>
> _________________________________
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
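As an added illustration (not from the thread or from Cisco), a Cisco IOS AAA configuration of the kind the reply describes: TACACS+ first, the router's local database only when the server cannot be reached, and accounting on the vty lines. The server address, shared key, and username are placeholders.

```cisco
! Added example, not from the thread. Server address, key and username are placeholders.
aaa new-model
!
! Local account used only as a fallback when the TACACS+ server is unreachable
username netadmin privilege 15 secret REPLACE_WITH_STRONG_SECRET
enable secret REPLACE_WITH_ENABLE_SECRET
!
! TACACS+ server (placeholder address and shared key)
tacacs-server host 192.0.2.10 key REPLACE_WITH_TACACS_KEY
!
! Login method list: methods are tried in the order listed. "local" is consulted
! only if TACACS+ returns an error (server unreachable). A reject from the
! server ends the attempt, so a failed username/password cannot drop through
! to the next method or to the enable password.
aaa authentication login default group tacacs+ local
!
! Enable authentication also goes to TACACS+; the enable secret is used only
! when the server is unreachable, not as an alternative to a rejected login.
aaa authentication enable default group tacacs+ enable
!
! Authorization and accounting: a central record of who logged in and what
! they ran, one of the reasons the thread gives for central AAA.
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Apply the list to the vty lines; SSH instead of telnet is an assumption
! beyond the thread, which discusses telnet lines.
line vty 0 4
 login authentication default
 transport input ssh
!
line con 0
 login authentication default
```

If the local fallback must never be reachable from the network, drop `local` from the login list and accept that a server outage locks out vty access, which is the trade-off the reply calls being "SOL".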