Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
TACACS+ pros/cons
- Thread starter dvtestguy
- Start date
LOL, great response BuckWeet.
TACACS is really nice to have. I would recommend it if you have a small network. Cost justification is why. If you have 50+ devices, I'd suggest that you really look into it. It's nice to have and if you move forward with Wireless from Cisco then you can incorperate your WiFi security into the ACS server and make it so much more stronger. Just my opinion.
"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
TACACS is really nice to have. I would recommend it if you have a small network. Cost justification is why. If you have 50+ devices, I'd suggest that you really look into it. It's nice to have and if you move forward with Wireless from Cisco then you can incorperate your WiFi security into the ACS server and make it so much more stronger. Just my opinion.
"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
I just wanted to clarify something but you can get free TACACS software for Unix so cost of ACS need not be a con. CCO link about the freeware Unix version below along with some config stuff:
However some cons could include: increased administration, need to possibly acquire/purchase a new server.
On the plus side, it does offer total accountability and a solid audit trail on your network. If you company is into knowing who did what and when, TACACS is for you. Buckwheet mentioned the 3 AAA's. Togive more detail about them:
* Authentication: The process of validating the claimed identity of an end user or a device, such as a host, server, switch, router, and so on.
* Authorization: The act of granting access rights to a user, groups of users, system, or a process.
* Accounting: The methods to establish who, or what, performed a certain action, such as tracking user connection and logging system users.
The following is a good Cisco link about how to setup TACACS:
However some cons could include: increased administration, need to possibly acquire/purchase a new server.
On the plus side, it does offer total accountability and a solid audit trail on your network. If you company is into knowing who did what and when, TACACS is for you. Buckwheet mentioned the 3 AAA's. Togive more detail about them:
* Authentication: The process of validating the claimed identity of an end user or a device, such as a host, server, switch, router, and so on.
* Authorization: The act of granting access rights to a user, groups of users, system, or a process.
* Accounting: The methods to establish who, or what, performed a certain action, such as tracking user connection and logging system users.
The following is a good Cisco link about how to setup TACACS:
- Thread starter
- #6
Great info guys...Thanks!
I work in a Test & Measurement environment, so we're looking to add this as a test plan for a customer of ours running it in a large WAN network.
My lab environment here has a 6506, 4948, 7513, 5500 and a few 2621's, using approx. twenty-plus TestProbes accessing the 6506. So they're looking for us to test TACACS in our lab as it's a primary authentication of theres.
I work in a Test & Measurement environment, so we're looking to add this as a test plan for a customer of ours running it in a large WAN network.
My lab environment here has a 6506, 4948, 7513, 5500 and a few 2621's, using approx. twenty-plus TestProbes accessing the 6506. So they're looking for us to test TACACS in our lab as it's a primary authentication of theres.
Since the majority of networks are Windows/Active Directory its a pretty simple task to set up RADIUS (as opposed to TACACS+) for AAA and use MS Internet Authentication Server (IAS) that comes with Windows Server (even a free MS download for NT 4.0).
RADIUS is not as secure as TACACS+ since only passwords are encrypted but it provides similar functionality. It is also attractive to integrate the users into Active Directory and have a single User database. You can do this with ACS/TACACS+ but it requires a bit more setting up.
HTH
Andy
RADIUS is not as secure as TACACS+ since only passwords are encrypted but it provides similar functionality. It is also attractive to integrate the users into Active Directory and have a single User database. You can do this with ACS/TACACS+ but it requires a bit more setting up.
HTH
Andy
voltron1011
MIS
Advantage: One password works for everything!!
Disadvantage: If the server goes belly-up, you better have your LOGON & ENABLE passwords ready.
Disadvantage: If the server goes belly-up, you better have your LOGON & ENABLE passwords ready.
voltron1011 - have you heard of redundant servers? Having a single TACAS/RADIUS server is not a good idea.... You would normally have a minimum of 2 servers available in the event that one goes offline. The fallback userid/password & enable secret are there in the event of a disaster or similar event.
HTH
Andy
HTH
Andy
voltron1011
MIS
ADB100
Of course I've heard of redundant servers... There are still known issues with TACACS/RADIUS server replication that will cause the second server not function properly (it's rare but I've seen it plenty of times) depending on what version you are running. This happened at my current company where everything was hunky-dory until our main site lost power for a couple of hours. Our redundant TACACS server did not function as it was supposed to even though it appeared to be working just prior to the outage.... I was merely giving dvtestguy a possible scenario of what COULD happen.
Of course I've heard of redundant servers... There are still known issues with TACACS/RADIUS server replication that will cause the second server not function properly (it's rare but I've seen it plenty of times) depending on what version you are running. This happened at my current company where everything was hunky-dory until our main site lost power for a couple of hours. Our redundant TACACS server did not function as it was supposed to even though it appeared to be working just prior to the outage.... I was merely giving dvtestguy a possible scenario of what COULD happen.
- Thread starter
- #11
- Status