On Sat, 2 Nov 2002, Router Man wrote:
> > Does RADIUS, S/Key, and TACACS+ encrypt the data between my PC and the
> > router, or does it just encrypt the login information between the router and
> > the ACS server? I need to protect my sessions end to end. Any advice

A few other things. Just so you know: RADIUS, S/Key, and TACACS all encrypt the login/pass from the router to the central authentication server.

If you only have a few routers and switches, most people will just use local usernames and passwords on the routers because it's easier to set up initially. If you really want to do it the right way or have lots of devices, I recommend a central authentication system like the above. You can audit the system via syslog, or the protocols like RADIUS and TACACS support their own form of auditing/accounting.

I personally prefer RADIUS because it is not proprietary, I grew up using it (I'm familiar with it), and all of my terminal servers and workstations support it (plus I wrote my own RADIUS server several years ago). RADIUS is good because Windows2K/XP supports it, OS-X supports it, and *nix supports it. So you can have one central login server for your entire network, and it can also perform accounting for the entire network, but that is another deal.

TACACS was originally mostly a Cisco thing (if I remember correctly, they developed it to compete with and extend Livingston's RADIUS protocol; I'm not sure what other vendors support it now), and while providing great support and tons of abilities in Cisco devices, it is not as widely supported by the other networking vendors as RADIUS is. RADIUS has pretty much become the de facto standard for authorization via multiple platforms, though TACACS may replace it in the future.

Remember, the login/password is still sent unencrypted to the router/switch regardless of the authentication method used. That is why SSH or IPSec is recommended for management of your devices. The ideal thing is a separate management network, but not everyone can do that.

I personally recommend SSH because you can carry a program like PuTTY around on a floppy and manage your device securely from any Windows machine by just running PuTTY from the floppy. IPSec takes some configuration on the management workstation and is usually used when you have a fixed workstation you use for management.

Later,
Andrew
---
http://www.andrewsworld.net/
ICQ: 2895251
Cisco Certified Network Associate
"Learn from the mistakes of others. You won't live long enough to make all of them yourself."

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56747&t=56721

