Authentication to 100+ Cisco routers with changing passwords etc.

Hi there

We have around 100 Cisco routers in our organisation. All of them use IOS 12.2 or higher.
We also have around 20 users in total that have various duties and responsibilities.
- I wish to set up a solution where all routers will authenticate a login request (over telnet or dialup) to a central server and grant or deny the request according to the server's database.
- I wish to make sure that each user's password expires after a while and it is a complex password.
- I would also prefer a 2 factor authentication method WITHOUT a hardware token.
- I would also prefer not to use Cisco ACS server since it's too expensive.

I will be waiting for your suggestions.


egeiyiogluAsked:

lrmooreCommented:
How about Windows RADIUS? Free with every Win2000/3 server. Integrated into Active Directory.
Same concept. Enable AAA on all routers and point to the radius server.
http://www.windowsitpro.com/Article/ArticleID/38946/38946.html?Ad=1
TAMSCODANCommented:
I would recommend TACACS+. Here are the details on this solution:

http://www.cisco.com/warp/public/614/7.html

lrmooreCommented:
TAMSCODAN,
Part of the question:
> I would also prefer not to use Cisco ACS server since it's too expensive.

The article you linked to is specific to Cisco ACS:
"Following are the general network access security features that are currently available on Cisco Access Servers. These features can be internally stored on an access server or centralized database using TACACS."

Do you know of a less-expensive TACACS+ server on the market? One that is easier to use than the built-in Microsoft Radius?

Can you expand on your preference for TACACS+ vs RADIUS?

TAMSCODANCommented:
Here is the comparison of both:
http://www.cisco.com/warp/public/480/10.html

and here is one of the least expensive ones that I found:

http://www.xperiencetech.com/

We have several different devices that authenticate using this TACACS+ server: Foundry switches, Cisco routers and firewalls, our NetScreens, and it is so easy to set up the user accounts and manage the devices. Look at the links up top and they will give you a more detailed explanation. Good luck :-)
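The router side of both suggestions in this thread (lrmoore's RADIUS server and TAMSCODAN's TACACS+ server) is the same AAA configuration. The following is an added example written for this answer, not configuration from either poster or from any product: IOS 12.2-style AAA with the central server as the only source of user accounts and the local database used solely when no server answers. Server addresses, the shared secrets and the Loopback0 source interface are placeholders/assumptions.

```cisco
! Added example (not from any poster): central AAA on an IOS 12.2 router.
! 192.0.2.x addresses, the keys and Loopback0 are placeholders.
aaa new-model
!
! Emergency local account. With "group radius local" below it is only
! consulted when every server times out, NOT when a server rejects a user.
username break-glass privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
!
! Two RADIUS servers, each with a per-router shared secret.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <RADIUS-SECRET>
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key <RADIUS-SECRET>
radius-server timeout 5
radius-server retransmit 2
ip radius source-interface Loopback0
!
! Telnet/console logins and dial-in PPP both go to the server first.
aaa authentication login default group radius local
aaa authentication ppp default group radius local
! "enable" is checked against the server too (IOS sends user $enab15$),
! falling back to the locally configured enable secret.
aaa authentication enable default group radius enable
! Privilege level comes from the server (Service-Type Administrative or
! cisco-avpair "shell:priv-lvl=15"); users without it land at level 1.
aaa authorization exec default group radius local
! Session start/stop records give a central login audit trail.
aaa accounting exec default start-stop group radius
!
! TACACS+ variant: replace the radius-server lines with
!   tacacs-server host 192.0.2.20 key <TACACS-SECRET>
! and "group radius" with "group tacacs+" in the aaa lines above.
! TACACS+ additionally allows per-command accounting, e.g.
!   aaa accounting commands 15 default stop-only group tacacs+
!
line con 0
 login authentication default
line aux 0
 login authentication default
line vty 0 4
 login authentication default
 transport input telnet
```

Apply it from the console rather than over telnet: with `aaa new-model` in place the existing vty session stays up, but a new session will be refused if the server is unreachable and the local account was not created first.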
TAMSCODANCommented:
I noticed that you even have a free trial. Try it out :-)
egeiyiogluAuthor Commented:
Thank you all, but how about these parts of my question:

>> - I wish to make sure that each user's password expires after a while and it is a complex password.
>> - I would also prefer a 2 factor authentication method WITHOUT a hardware token.
lrmooreCommented:
>> - I wish to make sure that each user's password expires after a while and it is a complex password.
Since Windows RADIUS (IAS) uses NT SAM authentication, whatever rules you set up in AD or the domain will enforce password expiry and complexity.

>> - I would also prefer a 2 factor authentication method WITHOUT a hardware token.
Not sure then what you would consider 2 factor. The router must authenticate with the RADIUS server (secret key), then the user must authenticate with the RADIUS server user rules. If you want to use a 3rd party device like a thumbprint reader, smart card or other device, then attach it to the workstation the user will be using while accessing the devices.

egeiyiogluAuthor Commented:
lrmoore, if I understand correctly, you base your solution on Active Directory.
I don't have Active Directory in my setup and I don't want to set one up and then rely on it.
I want this to be a standalone solution.
TAMSCODANCommented:
With TACACS+ new features you can do all the things that you are asking. That is the solution that we are using here at my location. ClearBox TACACS+ RADIUS Server is an inexpensive product that you can use for your solution, including PW authentication with expiration dates for the users. Here are the specs for this solution, http://www.xperiencetech.com/ and as I said before it even has a free trial :-)