Hi,

> Look at TACACS/TACACS+. Most devices support this. You will need a
> TACACS server which authenticates off a RADIUS server.
>
> For others it is up to the software to implement a TACACS or direct RADIUS.
>

Most gear supports direct RADIUS just fine. TACACS+ is a proprietary protocol and personally I have had the impression that it's dying a long death. The *only* merit it has is on Cisco devices (Cisco is the inventor of TACACS+): you can configure a feature called "command authorisation" in Cisco gear, so that the device checks back every single command a user enters in an interactive session. It could also be done with a RADIUS attribute, but Cisco decided to explicitly un-implement this single one feature to make TACACS+ superior over RADIUS for that one feature.

If you never heard of nor care about Cisco's command authorization, RADIUS should be the way to go.

Stefan Winter

>
>
> Andres Kaaber wrote:
>
>> Hello all
>> I'm assigned with a project to make a central admin user database for all kind
>> of servers / devices you can imagine (routers, switches, firewalls, Linux
>> servers, Windows servers, databases, etc.). The point is that when a new
>> employee arrives you just make him a user in this database, maybe check which
>> type of devices he can and all the devices are configured to authenticate users
>> against this db. We have over 200 switches alone in our company so making user
>> accounts in every single one of them and when this dude leaves to disable all
>> of them is huge (or impossible) work.
>> So I thought a Linux server LDAP+FreeRADIUS for authentication sounds quick,
>> easy and good solution, or not? There is no problem with servers: Linux and
>> Windows servers can authenticate against RADIUS. Most popular DBs can do
>> this also (Oracle, MySQL, PostgreSQL). I don't know about Cisco switches and
>> routers but as far as I found on Google there should be no problems; the same goes
>> for Juniper devices.
>> So what do you think? Or maybe you know a free software solution for this kind
>> of problem already? Sun identity management is one that I checked out but it
>> seems too bloated and complicated.
>> So what are your thoughts?
>>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473