RADIUS & TACACS?
Radius Server newsgroup, April 2005
Hi,
We're looking at implementing a VPN solution, and I've been discussing
authentication with our security consultant, and he says we MUST have two-
factor authentication with RADIUS & TACACS.
I was always under the impression it was an either/or situation. Does anyone
know what the benefits of having both are? Especially if we're going to
implement a mid-ground screened subnet DMZ.
Surely ISA/RADIUS would be enough?
Cheers
Ben
Thomas K 2005-04-12, 6:01 pm
Hey,
Two-factor authentication is not two protocols, AFAIK.
Two-factor authentication is "something you have" & "something you know",
like a digital certificate with its associated private key protected by a
PIN code on a smartcard.
RADIUS & TACACS serve the same purpose; the only two differences I can
think of right now are:
- TACACS+ is Cisco proprietary
- TACACS+ encrypts the whole payload (RADIUS only encrypts sensitive user
fields such as the RADIUS User-Password)
Go with RADIUS!
Cheers,
/T
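The difference Thomas points to (RADIUS hides only the User-Password attribute, TACACS+ hides the whole packet body) is easiest to see by building both packets and checking what a sniffer on the path can read. The following is an added example, not code from the thread: it implements the User-Password hiding of RFC 2865 section 5.2 and the body obfuscation of RFC 8907 section 4.5 from scratch with only the standard library. The usernames, passwords, shared secret, fixed Request Authenticator and TACACS+ session ID are constructed values for reproducibility; a real client picks the last two at random.

```python
import hashlib
import struct

# --- RADIUS (RFC 2865 section 5.2): only User-Password is hidden -------------

def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a User-Password attribute value.

    The password is NUL-padded to a multiple of 16 bytes; each 16-byte block is
    XORed with MD5(secret + previous ciphertext block), where the "previous
    block" for the first round is the packet's 16-byte Request Authenticator.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server, or anyone with the secret, does)."""
    padded, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        padded += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")


def radius_access_request(user: bytes, password: bytes, secret: bytes,
                          request_authenticator: bytes, identifier: int = 1) -> bytes:
    """Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    hidden = radius_hide_password(password, secret, request_authenticator)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


# --- TACACS+ (RFC 8907 section 4.5): the whole body is hidden ----------------

TACACS_VERSION = 0xC0  # major version 0xC, minor version 0
TACACS_AUTHEN = 1      # packet type: authentication


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id, key, version, seq_no); pad_n = MD5(same, pad_{n-1})."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_authen_start_body(user: bytes, password: bytes, port: bytes = b"vty0") -> bytes:
    """Authentication START body for a PAP login: action 1, priv_lvl 1, authen_type 2, service 1."""
    rem_addr = b""
    fixed = bytes([1, 1, 2, 1, len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password


def tacacs_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1) -> bytes:
    """12-byte header in the clear, body XORed with the MD5 pad derived from the key."""
    pad = tacacs_pad(session_id, key, TACACS_VERSION, seq_no, len(body))
    hidden = bytes(b ^ p for b, p in zip(body, pad))
    header = struct.pack("!BBBBII", TACACS_VERSION, TACACS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + hidden


def tacacs_unhide(packet: bytes, key: bytes) -> bytes:
    """Recover the body; the header supplies every pad input except the key."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    pad = tacacs_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(packet[12:12 + length], pad))


def what_a_sniffer_sees(user: bytes, password: bytes, secret: bytes) -> dict:
    """Constructed comparison: which fields are readable on the wire without the secret."""
    ra = bytes(range(16))  # constructed, fixed Request Authenticator (real clients use random)
    radius = radius_access_request(user, password, secret, ra)
    tacacs = tacacs_packet(tacacs_authen_start_body(user, password), secret, session_id=0x1234ABCD)
    return {
        "radius_user_visible": user in radius,
        "radius_password_visible": password in radius,
        "tacacs_user_visible": user in tacacs,
        "tacacs_password_visible": password in tacacs,
    }


if __name__ == "__main__":
    print(what_a_sniffer_sees(b"alice", b"correct horse", b"sharedsecret"))
```

Two caveats for anyone choosing on this basis. Both schemes are MD5 keystreams keyed by the shared secret, not authenticated encryption: whoever knows the secret (or can guess a weak one offline from a capture) reads both, so the secret strength and the network path matter more than which protocol hides more bytes. And in RADIUS the User-Name, NAS-IP-Address and the accounting stream stay in the clear regardless, which is the reason to keep either protocol on a management network or inside an IPsec tunnel.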
Manjunath Bharadwaj [MSFT] 2005-04-12, 6:01 pm
Ben,
I don't know if this is what your security consultant is referring to, but
here is my 2 cents:
Cisco and Juniper (maybe others) boxes define auth methods in a certain
order. If one fails it tries the other and so on. For instance, you can
configure RADIUS, TACACS+ and password auth (in that order) on Juniper
devices. The authentication configuration file (similar to Linux PAM) gets
stacked in that order. So if your remote RADIUS server goes down for any
reason, the auth falls back to TACACS+, and if all that fails, then normal
password authentication will be used.
Hope this helps,
Manju
--
This posting is provided "AS IS" with no warranties, and confers no rights
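The stacked order Manju describes hides a design decision that is worth seeing explicitly: does the chain move on only when a method is unreachable, or also when a method answers "no"? The following is an added model, not Juniper or Cisco code and not from the thread, with constructed backends (a RADIUS server that is down, a TACACS+ server that expects a one-time code, and a local password file). The `fall_through_on_reject` flag and the backend names are assumptions made for the illustration.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Outcome(Enum):
    ACCEPT = "accept"            # server answered and approved
    REJECT = "reject"            # server answered and refused
    UNREACHABLE = "unreachable"  # no answer: timeout, network down, server dead


Backend = Callable[[str, str], Outcome]


def authenticate(order: List[str], backends: Dict[str, Backend], user: str, cred: str,
                 fall_through_on_reject: bool = False) -> Tuple[bool, List[Tuple[str, Outcome]]]:
    """Try each method in `order`, PAM-style.

    An UNREACHABLE backend is skipped (availability fallback). A REJECT ends the
    attempt, unless fall_through_on_reject is set, in which case the next method
    (ultimately the local password file) gets to decide. Returns the verdict and
    the trail of (method, outcome) pairs, which is what you want in the audit log.
    """
    trail: List[Tuple[str, Outcome]] = []
    for name in order:
        outcome = backends[name](user, cred)
        trail.append((name, outcome))
        if outcome is Outcome.ACCEPT:
            return True, trail
        if outcome is Outcome.REJECT and not fall_through_on_reject:
            return False, trail
    return False, trail


# Constructed backends for the demonstration; they are not real protocol clients.
def radius_down(user: str, cred: str) -> Outcome:
    return Outcome.UNREACHABLE


def make_table_backend(table: Dict[str, str]) -> Backend:
    def check(user: str, cred: str) -> Outcome:
        return Outcome.ACCEPT if table.get(user) == cred else Outcome.REJECT
    return check


BACKENDS: Dict[str, Backend] = {
    "radius": radius_down,
    "tacplus": make_table_backend({"alice": "otp-482913"}),   # second-factor code
    "password": make_table_backend({"alice": "Winter2005"}),  # local break-glass password
}
ORDER = ["radius", "tacplus", "password"]


def demo() -> Tuple[bool, bool, List[str]]:
    """Same user presenting only the local password, under both fallback policies."""
    ok_closed, trail = authenticate(ORDER, BACKENDS, "alice", "Winter2005")
    ok_open, _ = authenticate(ORDER, BACKENDS, "alice", "Winter2005", fall_through_on_reject=True)
    return ok_closed, ok_open, [name for name, _ in trail]


if __name__ == "__main__":
    print(demo())  # the password-only login is refused under the first policy and accepted under the second
```

The point for the VPN design: if the local password file is allowed to answer after a remote reject, a password-only login path exists for every user whenever the remote check says no, and the two-factor requirement is only as strong as that local file. Keep the local account set to break-glass administrators, and treat the unreachable-server fallback as a deliberate fail-open decision that should page someone when it triggers.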
owen.nick@gmail.com 2005-04-12, 6:01 pm
TACACS and TACACS+ (which are different!) are Cisco protocols for
authentication. RADIUS is also a protocol for authentication. RADIUS
is much more broadly supported. However, TACACS+ is encrypted. I
would hazard a guess that ISA doesn't support TACACS.
What he is probably recommending is that you deploy strong
authentication in different ways for users and admins. Perhaps he
has added TACACS just for management of your Cisco infrastructure?
e.g.: when a user logs in, the ISA server routes the credentials to the
authentication server via RADIUS. When an admin logs in to manage a
switch, their request is routed via TACACS to the authentication
server. ?? It would make sense to require two-factor authentication
for key assets even if they are accessed on the LAN.
HTH,
Nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983 (desk)
404.542.9453 (cell)
http://www.wikidsystems.com
At last, two-factor authentication, without the hassle factor
Thomas,
I think you're right. After reading a few different web sites on VPN, a lot
mention two-factor authentication in the same sentence as smart cards or
biometrics.
Like you said, I think it's something you have (smart card, thumb print) and
something you know (password/passcode).
And I think you're right about RADIUS as well. I've used it before, and it
integrates nicely with AD. I don't fancy trying to figure out how to
set up/install TACACS and then how to configure it with AD.
Cheers
Ben