Hi!
TACACS+ is a good solution. Some considerations and suggestions:

Suggest having individual usernames/passwords for each user. Set up telnet
and console access to devices authenticating via the TACACS server. Then
configure a local account that is available if the device can not access
the TACACS server. I would suggest having a separate database rather than
pulling usernames and passwords from a domain database. Setting up usernames
and passwords in one place (the TACACS server) allows you to affect many
devices. Setting up users allows you to track what was done when via logs.

Now the logs are a different maintenance issue. Who is going to be checking
them? Are you going to have them dump into a database in order to view the
data in a timely manner? I know Cisco Secure does not out of the box dump
its log files to a database. That would be something that you would have to
automate.

How many TACACS servers to have? Be geographical about it; the last thing
you want to do is secure yourself to the point of waiting to gain telnet to
a down line or interface. With that you probably want to have these
databases exchange info as you see fit. How are you going to back up these
servers? Important to note: any legacy devices might not provide the full
functionality of the AAA TACACS server. In some cases it only
authenticates, which might be enough; something to keep in mind.

Lastly, there is the level of security for authenticating users in the
managing group. If you go with a TACACS solution like Cisco's Cisco Secure
database, passwords are static. If you look at a dynamic solution with key
fobs, e.g. SecurID, it gives you a better chance of preventing password
sniffing.

Good Luck!
Ken
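As an added example (not part of Ken's reply, and not taken from any Cisco document), the following Cisco IOS configuration puts the points above into practice: all telnet and console logins authenticate against two TACACS+ servers, a local account is only consulted when no server can be reached, and per-user command accounting is sent to the server so there is a log of who did what and when. The server addresses (192.0.2.x documentation range), the shared key and the local username are constructed placeholders to be replaced with your own values.

```cisco
! Enable the AAA subsystem (required before any of the aaa commands below)
aaa new-model
!
! Two TACACS+ servers, ideally in different locations (constructed addresses)
tacacs-server host 192.0.2.10
tacacs-server host 192.0.2.11
! Shared key protecting the TACACS+ session; placeholder value
tacacs-server key REPLACE-WITH-STRONG-SHARED-KEY
tacacs-server timeout 5
!
! Local fallback account: only used when no TACACS+ server answers
username localadmin privilege 15 secret REPLACE-WITH-LOCAL-PASSWORD
enable secret REPLACE-WITH-ENABLE-PASSWORD
!
! Authentication: ask TACACS+ first; "local" is tried only if every server
! times out. A reject from a reachable server is final.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: TACACS+ decides the exec shell and privileged commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: every session and every privilege-15 command is reported with
! username and timestamp, giving the per-user audit trail on the server
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Apply the default method list to console and telnet lines
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input telnet
```

Two points worth checking after applying this: confirm with a test login while one server is unreachable that the second server is used, and with both unreachable that the local account works, because the `local` fallback in `group tacacs+ local` is taken only on server timeout, never on an explicit reject. Command accounting fills the server log quickly on 300+ devices, so the question of who reads that log, or what job moves it into a database, still has to be answered on the server side. Where the device software supports it, `transport input ssh` in place of telnet keeps the TACACS+ credentials off the wire in clear text.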

----- Original Message -----
From: Tim Lovelace <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 05, 2001 3:02 PM
Subject: When to implement TACACS+


> I am in the process of implementing a quite large frame relay network. In
> the end it will be 300+ remote nodes. I have been looking at TACACS+ as a
> means to make sure that the passwords are the same on all equipment as
> there will be one small group managing the entire thing. There will also
> be several access servers. My question, is TACACS+ the ideal way to come
> about this? It seems to me that it is by what Cisco describes TACACS for.
> If anyone has any helpful information on the subject I would appreciate
> it. What are some considerations I should look at before implementing it?
> Thanks
>
> Tim

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
