We've only got a handful of folks accessing certain devices, and the
permissions are relatively static. Nothing fancy going on here.
After some tinkering I've been able to get them talking with ACS. The only
issue I'm running up against is that if the external DB fails out, I'm
unable to
Something like:
aaa authentication login default group tacacs+ *enable*
aaa authentication enable default group tacacs+ *enable*
And set your enable secret; if TACACS+ is unavailable then you can login
with whatever username you like but using the enable secret as your password
and enable
Yeah, sorry, I might not have been as specific as I needed to be with that.
I do fail back to local auth when TACACS fails, but of course if the backend
DB I'm configured for in the appliance fails, TACACS is still considered
up, so it will never revert to local auth unless I physically unplug
-Original Message-
From: cisco-nsp-boun...@puck.nether.net
[mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ryan Lambert
Sent: lunedì 1 marzo 2010 17.48
To: Saxon Jones
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SecureACS Appliance AD Authentication
Hi everyone,
Figure this is as good a place as any to reach out and see if anyone has
some experience with this.
I'm currently debating whether I use LDAP or a Remote Agent for Windows with
my SecureACS Appliance to authenticate network users via AD. I've read
through the documentation a bit,
Yes Ryan, you can restrict access based on LDAP or AD groups to
specific groups of devices and access levels, however, I would
STRONGLY recommend the direct LDAP approach, using LDAPS with
certificates, as opposed to the AD plugin, which has been rife with
memory leaks and other stability
Personally I'd go for freeradius or radiator RADIUS server for the backend
policy/logic - both work well with AD and handle many EAP types. Proxying etc
--- original message ---
From: Ryan Lambert thirdfrl@gmail.com
Subject: [c-nsp] SecureACS Appliance AD Authentication
Date: 26th