egeiyioglu
asked on
Authentication to 100+ Cisco routers with changing passwords etc.
Hi there
We have around 100 Cisco routers in our organisation. All of them use IOS 12.2 or higher.
We also have around 20 users in total that have various duties and responsibilities
- I wish to set up a solution where all routers will authenticate a login request (over telnet or dialup) to a central server and grant or deny the request according to the server's database.
- I wish to make sure that each user's password expires after a while and it is a complex password.
- I would also prefer a 2 factor authentication method WITHOUT a hardware token.
- I would also prefer not to use Cisco ACS server since it's too expensive.
I will be waiting for your suggestions.
I would recommend TACACS+. Here are the details on this solution:
http://www.cisco.com/warp/public/614/7.html
TOMSCODAN,
Part of the question:
> I would also prefer not to use Cisco ACS server since it's too expensive.
The article you linked to is specific to Cisco ACS:
"Following are the general network access security features that are currently available on Cisco Access Servers. These features can be internally stored on an access server or centralized database using TACACS."
Do you know of a less-expensive TACACS+ server on the market? One that is easier to use than the built-in Microsoft Radius?
Can you expand on your preference for TACACS+ vs RADIUS?
Here is the comparison in both:
http://www.cisco.com/warp/public/480/10.html
and here is one of the least expensive ones that I found:
http://www.xperiencetech.com/
We have several different devices that authenticate using this TACACS+: Foundry switches, Cisco routers and firewalls, and our NetScreens. It is so easy to set up the user accounts and manage the devices. Look at the links up top and they will give you a more detailed explanation. Good luck :-)
I noticed that you even have a free trial. Try it out :-)
ASKER
Thank you all, but how about these parts of my question:
>> - I wish to make sure that each user's password expires after a while and it is a complex password.
>> - I would also prefer a 2 factor authentication method WITHOUT a hardware token.
ASKER CERTIFIED SOLUTION
ASKER
Irmoore, if I understand correctly, you base your solution on Active Directory.
I don't have Active Directory in my setup and I don't want to set one up and then rely on it.
I want this to be a standalone solution.
SOLUTION
Same concept. Enable AAA on all routers and point them to the RADIUS server.
http://www.windowsitpro.com/Article/ArticleID/38946/38946.html?Ad=1
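As an added example (not from any reply in this thread), this is the kind of IOS 12.2+ configuration the last reply describes: AAA enabled, login and dial-in authentication sent to a central RADIUS server, with a local account used only when the server is unreachable. The server address, shared secret and account name are placeholders; password expiry and complexity are enforced in the server's user database, not in this router configuration.

```cisco
! Central AAA for Cisco IOS 12.2+: telnet/dialup logins are checked against the
! RADIUS server; the local account is only a fallback when the server is down.
! 192.0.2.10, ChangeMe-SharedSecret and "breakglass" are placeholders.
aaa new-model
!
! Line logins (vty/console/aux): try RADIUS first, then the local database.
aaa authentication login default group radius local
! Dial-in PPP sessions use the same server.
aaa authentication ppp default group radius local
! Let the server decide the exec privilege level; local as fallback.
aaa authorization exec default group radius local
! Start/stop records for every exec session, so logins are auditable centrally.
aaa accounting exec default start-stop group radius
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ChangeMe-SharedSecret
radius-server timeout 5
radius-server retransmit 3
! Source all RADIUS traffic from one stable address so the server can tell routers apart.
ip radius source-interface Loopback0
!
! Emergency local account, used only if RADIUS is unreachable.
username breakglass privilege 15 secret ChangeMe-LocalPassword
service password-encryption
!
line vty 0 4
 login authentication default
 exec-timeout 10 0
line aux 0
 login authentication default
!
! For TACACS+ instead of RADIUS, replace "group radius" with "group tacacs+" above and use:
! tacacs-server host 192.0.2.11 key ChangeMe-SharedSecret
! TACACS+ also allows: aaa authentication enable default group tacacs+ enable
```

Apply this to one router first while a second session stays logged in, and confirm both a server-backed login and the local fallback work before rolling it out to the other routers.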