TACACS alternatives? I want a users authorization to dynamically to correspond to "logged into device" with out creating multiple user accounts for each device.

I'm in the process of planning/deploying a large scale AAA TACACS+ system.  Due to the scale of the project, routers are administered by different NetAdmins. I would like to create users that could log into "their" routers with level 15 authorization, and other routers with a lower level.

The only way I see to do this is have multiple TACACS+ servers, that is, one in each administrative domain with the approprite level of access. As I have many andministrative domains this would, double the TACACS server deployment.



Any suggestions?

ldel8481Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Tim HolmanConnect With a Mentor Commented:
You could do this with a single CiscoSecure ACS server - no reason for multiple ones ?
Give each user higher privilege for certain NASs, and lower ones for the rest ?
0
 
Rich RumbleConnect With a Mentor Security SamuraiCommented:
You could also use VMware... espically if all these servers will do is tacacs auth... it's not very resource intensive. Get 2 seperate servers running 2 or more VMware instances, and you've got 4 or more Virtual Servers, plus the two running the vmware... so 6 total, if each of the two servers ran M$, plus 2 instances of VM. VM does require lot's of ram, but from experence, 1 gig of ram, on a dual piii 733 is more than enough for the OS (M$-2003) and 2 vmware tacacs instances(also 2003). They can all share the same nic, or you can add more nics.
http://www.vmware.com/
I'm not sure about M$ virtual PC... but you could evaluate it
http://www.microsoft.com/windows/virtualpc/default.mspx
The VM software should be much cheaper than server hardware... and they work reliably!
-rich
0
 
mzgolaConnect With a Mentor Commented:
Just go with tacacs link your tacacs to AD, then setup different permission to access your routers, and firewalls for different administrators. You could only have one tacacs server, but if you gonna keep it on one of your local networks make sure you change your firewall setting to enable TCP port ??? (you have to looke this up)

and you should be good to go.
0
 
Rich RumbleSecurity SamuraiCommented:
It's unfortuneate, but it is correct that for your goals, you need seperate Tacacs instances. I feel that VM is a cost effective, reliable and efficiant solution.
-rich
0
 
Tim HolmanCommented:
Any feedback from the question author ?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.