Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

AAA setup 1

Status
Not open for further replies.
SIMONI

SIMONI

IS-IT--Management
Aug 31, 2004
47
0
0
AU
Hi All,

I have 15 routers and switches and one ASA in my network.
Managing users and passwords starting to become to hard.

Someone told me that I can set up an AAA server on one of the routers and join all the other routers to it so all users management will be easy.

After doing some research I saw how to set up the AAA server and I did set it up on one router it our test network.

What I can't figure out is how to make the other routers to point to the AAA server.

Can someone maybe give me some more info about the process of creating the AAA server and get the other devices pointing to it for authentication ?

This what I found so far:



Thanks
simon
 
Sort by date Sort by votes
Hi Simon, I think you would be best setting up a Radius or TACACS server on a PC then pointing all the routers to it.
 
Upvote 0 Downvote
Hello
Routers can only handle their own local database.No chance of directing another router to use another router database.The cheapest solution would be to get an open source/freeware RADIUS server or if you are running Windows 2000/2003 server ,use it's builtin RADIUS server.
Regards
 
Upvote 0 Downvote
If you plan on having less than 50 devices on Radius, you can use Windows 2003 Server Standard.... if you plan on having more than that, I would recommend Enterprise...

I will look for my links on how to set up the windows and cisco side

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
Upvote 0 Downvote
Oh... if you already have a server set up that is not really being utilized you can use it by just setting up IAS.

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
Upvote 0 Downvote
Hi All,

Thanks for making this clear.
I have an IAS server an a few windows server that I can use.

Does any one knows how to configure it ?

Cheers,
Simon
 
Upvote 0 Downvote
Just so ya know... I used the above links to set up Radius on our complete network and haven't had any issues... and following that made it VERY easy to set up...

------------------------------------
Dallas, Texas
Telecommunications Tech
CCVP, CCNA, Net+

CCNP in the works
 
Upvote 0 Downvote
I actually have an upcoming project where the customer does not want to pay for a TACASC+/ACS server, so RADIUS on their Windows boxes would be perfect! They want me to set up AAA, as they have only enable passwords (same on ALL boxes!). Thanks for the links!

Burt
 
Upvote 0 Downvote
Burt, it isn't limited to telnet/console access to IOS. I use it to authenticate VPN users, 802.1x machines/users, CiscoWorks LMS, basically anything that requires a user authentication can be backed off to Radius.
I have 6 different policies on a pair of IAS servers for various authentications. I also wrote a script to export the config from the 'Master' IAS server every day at 3.00pm and then make a copy of this with the time & date appended to the filename. At 3.02pm the 'Slave' IAS server imports the configuration from a network UNC.

The one thing Cisco bleat on about is the fact that all Radius messages except passwords are sent in clear text; passwords are encrypted using the MD5 hashing algorithm. With TACACS+ the whole of the payload is encrypted.

Personally I don't see this as a big security concern since the Radius packets are usually only present on your internal network so 'sniffing' them is not that easy.

Andy
 
Upvote 0 Downvote
Right. This customer uses an SSL VPN on an ASA5520, but I guess could use AAA pointing to a RADIUS. My main concern is that they used "enable password", with the same password, on EVERYTHING! No username pass combos, and no secret. Baby steps...
If they ever learned how to mess with Red Hat or Solaris, I think there may be TACACS+/ACS available for free, or at least ACS.

Burt
 
Upvote 0 Downvote
Hi ADB100
Cisco wins the AAA battle with its'control of the authorization level of users.This feature is really needed in some networks.I was working as a Contractor for a big ISP.With what I was doing I had to had full privilege to the access layer devices.But being that they were using RADIUS,with my credentials I even had access to the Core layer and all the Internet peering routers as well.So sometimes Cisco isn't all about marketing.
Regards
 
Upvote 0 Downvote
Hi ADB100
Cisco wins the AAA battle with its'control of the authorization level of users.This feature is really needed in some networks.I was working as a Contractor for a big ISP.With what I was doing I had to had full privilege to the access layer devices.But being that they were using RADIUS,with my credentials I even had access to the Core layer and all the Internet peering routers as well.So sometimes Cisco isn't all about marketing.
Regards
Click to expand...

Yes, there are other features of ACS/TACACS+ that Radius doesn't have and I agree command authorization is a very neat feature - if you are actually using it.
I have achieved something similar (although not individual command authorisation) with privilege levels. In AD I have several Security Groups - Cisco Level-15, Cisco Level-10 etc. I then make users members of the appropriate level. In IAS I then have policies for each privilege level that allows admission to the policy based on Windows-Group, NAS-Port-Type and Authentication-Type. I push a Cisco AV-pair to the IOS device automatically granting the relevant privilege level (shell:priv-lvl=15). On each IOS device certain commands have their privilege level changed to fit in with this. This obviously took time to perfect and create a template, it also requires updating as there are different IOS commands on different devices and things change through software releases. However it works very well.

Andy
 
Upvote 0 Downvote
Hello
That's really a hot work around.Just don't let Cisco know of that because they won't be very happy ;-)

Regards
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DigiByte34
  • Locked
  • Question
Need Help Cisco AAA to any RADIUS Software
Replies
9
Views
90
DigiByte34
DigiByte34
Airis47
  • Locked
  • Question
HSRP setup for Two routers one Stack 1
Replies
3
Views
53
wybnormal
wybnormal
greenemk
  • Locked
  • Question
Cisco Router to VyperVPN Remote Access Setup
Replies
2
Views
46
greenemk
greenemk
thec0dy
  • Locked
  • Question
VLAN Setup Help
Replies
3
Views
45
burtsbees
burtsbees
hall5942
  • Locked
  • Question
Cisco 881 router basic setup 1
Replies
7
Views
45
tphethai
tphethai

Part and Inventory Search

Sponsor

Back
Top