(RADIATOR) Mixed Auth Methods & TACACS

Patrick, Robert Robert.Patrick at hq.doe.gov
Thu Jan 19 22:27:12 CST 2006 

Hello!  I have two immediate problems I'm trying to solve.  I'm hoping
some others on this list have already invented the wheel and are willing
to share.  :)

Background:  I have many Cisco network devices that send TACACS AAA to a
Linux server where I have installed Radiator setup with ServerTACACSPLUS
and the DEFAULT Realm set for AuthBy RADIUS so that I can proxy user
authentication using RSA 2-factor tokens to an RSA server running
RADIUS.  This was a very quick and easy setup, works great.


(1)  My first problem is that I have hundreds of users with RSA tokens,
but I only want my network admins to have access to the Cisco devices.
Right now any of my users with an RSA token can login to all the Cisco
devices...not good.

I don't directly manage the RSA server, so I don't want to setup groups
on that platform.

I want to solve my problem using Radiator so that only the network staff
can successfully authenticate to the Cisco devices.  What steps are
needed so I can have a list of users defined on the Radiator server
which will be allowed to authenticate via the TACACS-to-RADIUS proxy
using 2-factor tokens, while denying access to all other token users?


(2)  My second problem is that I have automated systems (management
applications, scripts, etc.) that login to the Cisco devices using
regular passwords, not 2-factor tokens.  So in addition to supporting
the 2-factor AuthBy RADIUS, I'd like to add an AuthBy FILE or other
setup.

I believe I can change all my automated systems to use the "user at realm"
format so that I can create a Realm with AuthBy FILE, but I haven't
tested TACACS logins using the @realm suffix, has anybody else done this
and found it works?

Are there other options I can pursue to mix-and-match auth types?


Summary:  Login requests to Radiator will come in via TACACS from any of
the hundreds of Cisco devices in my network.  I want to allow scripts
using regular passwords to login in to these Cisco devices.  I want to
allow my network admins to login using 2-factor (for Radiator that means
proxy the auth request to another RADIUS server) to the Cisco devices.
I want to prohibit other users using 2-factor (which would normally be
acceptable logins if sent to the proxied RADIUS server) from login
access to the Cisco devices.


Any help you can provide would be much appreciated!


Thank you,

-Rob Patrick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.open.com.au/pipermail/radiator/attachments/20060119/962b27c1/attachment.html>

More information about the radiator mailing list