Solved

TACACS alternatives? I want a users authorization to dynamically  to correspond to "logged into device" with out creating multiple user accounts for each device.

Posted on 2004-08-16
7
337 Views
Last Modified: 2006-11-17
I'm in the process of planning/deploying a large scale AAA TACACS+ system.  Due to the scale of the project, routers are administered by different NetAdmins. I would like to create users that could log into "their" routers with level 15 authorization, and other routers with a lower level.

The only way I see to do this is have multiple TACACS+ servers, that is, one in each administrative domain with the approprite level of access. As I have many andministrative domains this would, double the TACACS server deployment.



Any suggestions?

0
Comment
Question by:ldel8481
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
7 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 168 total points
ID: 11829240
You could do this with a single CiscoSecure ACS server - no reason for multiple ones ?
Give each user higher privilege for certain NASs, and lower ones for the rest ?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 166 total points
ID: 11842721
You could also use VMware... espically if all these servers will do is tacacs auth... it's not very resource intensive. Get 2 seperate servers running 2 or more VMware instances, and you've got 4 or more Virtual Servers, plus the two running the vmware... so 6 total, if each of the two servers ran M$, plus 2 instances of VM. VM does require lot's of ram, but from experence, 1 gig of ram, on a dual piii 733 is more than enough for the OS (M$-2003) and 2 vmware tacacs instances(also 2003). They can all share the same nic, or you can add more nics.
http://www.vmware.com/
I'm not sure about M$ virtual PC... but you could evaluate it
http://www.microsoft.com/windows/virtualpc/default.mspx
The VM software should be much cheaper than server hardware... and they work reliably!
-rich
0
 

Assisted Solution

by:mzgola
mzgola earned 166 total points
ID: 11889223
Just go with tacacs link your tacacs to AD, then setup different permission to access your routers, and firewalls for different administrators. You could only have one tacacs server, but if you gonna keep it on one of your local networks make sure you change your firewall setting to enable TCP port ??? (you have to looke this up)

and you should be good to go.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 11892885
It's unfortuneate, but it is correct that for your goals, you need seperate Tacacs instances. I feel that VM is a cost effective, reliable and efficiant solution.
-rich
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11925594
Any feedback from the question author ?
0

Featured Post

What, When and Where - Security Threats from Q1

Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: Justin
In light of the WannaCry ransomware attack that affected millions of Windows machines, you might wonder if your Mac needs protecting. Yes, it does and here is how to do it.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month4 days, 5 hours left to enroll

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question