Radius and Tacacs server for Authentication


When we study for Cisco certifications, we encounter topics like RADIUS and TACACS servers many times. You all know what they are and when to use them. But is it beneficial to set up RADIUS or TACACS authentication in a real production network?

Suppose you have 20 to 30 devices and three network administrators managing them in your company. One day you hear that one of the network engineers is leaving the organization. To comply with the company's security policy, you need to delete his/her login credentials from all 20 to 30 devices. That hardly takes 20 to 30 minutes. No problem! All is well so far.

Now imagine a different scenario in which you work in an even bigger organization with around 2000 devices and a large network team of 15 to 20 network admins. Each of them has different access permissions on the network devices, and some of them only have access to a limited number of devices. Meanwhile, some network admins are leaving your organization and others are joining. Hey friends, you all know how attrition works in today's corporate world!! Now, how are you going to manage these user credentials on all 2000 devices? I am pretty sure you are not going to sit and configure login credentials for every user, each with a different access level, on every device. It is a mammoth task to manually manage (create, delete and modify) this login information for each user on each individual device across such a large network. Isn't it!!

This is where an authentication server like RADIUS or TACACS comes to our rescue, so now I will explain how it works. Broadly speaking, each network device queries your authentication server to find out whether the user has the right to log in to the device or not. There are many other tasks a RADIUS or TACACS server performs; together they are known as AAA:

A - Authentication

A - Authorization

A - Accounting

A - Authentication:

Checks the username and password used to log in to the network device. Basically, it verifies the authenticity of the user trying to access the device by checking the login credentials.

A - Authorization:

Checks which rights the authenticated user has, like privilege levels 0 to 15 in the Cisco world. This feature ensures that only users who are authorized to access specific content can access it on the given device.

A - Accounting:

Keeps track of the commands a user executes on the network device once they have successfully logged in. It makes the user accountable for the way he/she uses the network device by keeping a record of the activities the user performs on it.
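As an added example (not part of the original post), here is how the three A's map onto a Cisco IOS configuration that hands the login, privilege-level and per-command decisions to a TACACS+ server, with a local fallback so that an unreachable server does not lock administrators out; the server address 192.0.2.10, the list names and the secrets are placeholders.

```cisco
! Turn on the AAA subsystem (required before any other aaa command)
aaa new-model
!
! Define the TACACS+ server and the shared secret that protects the
! traffic between device and server. 192.0.2.10 is a documentation
! address and the key is a placeholder; replace both.
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key REPLACE-WITH-STRONG-SHARED-SECRET
!
aaa group server tacacs+ TAC-SERVERS
 server name ACS-PRIMARY
!
! Authentication: who may log in. The "local" method is consulted only
! when every server in the group fails to answer, not when the server
! rejects the credentials.
aaa authentication login VTY-AUTH group TAC-SERVERS local
!
! Authorization: the privilege level the session starts with, plus a
! server-side check of every privilege-15 command before it runs.
aaa authorization exec VTY-EXEC group TAC-SERVERS local
aaa authorization commands 15 VTY-CMDS group TAC-SERVERS local
!
! Accounting: record session start/stop and each privilege-15 command
! so every change can be traced back to an individual administrator.
aaa accounting exec VTY-EXEC-ACCT start-stop group TAC-SERVERS
aaa accounting commands 15 VTY-CMDS-ACCT start-stop group TAC-SERVERS
!
! Emergency local account, used only while the AAA servers are down.
username breakglass privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! Apply the method lists to the remote-access lines.
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-EXEC
 authorization commands 15 VTY-CMDS
 accounting exec VTY-EXEC-ACCT
 accounting commands 15 VTY-CMDS-ACCT
```

With this in place, removing a departing engineer's account on the TACACS+ server revokes access on every device at once, which is the management benefit the scenarios above describe.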

This authentication server plays the same role as AD (Active Directory) in the Windows world, where users are authenticated via AD to log in to a Windows machine.

Basically, there are two types of authentication server available:

RADIUS: It is open and can be implemented for free with open source software.

TACACS: It is Cisco proprietary; you have to purchase it from Cisco, and it is a very costly solution.


Some of the free, open source RADIUS servers are:

  1. FreeRADIUS

  2. FreeRADIUS.net

And many more. Such is the benefit of open source software. You can easily google it.

For a TACACS server, you need to purchase ACS (Access Control Server) from Cisco. It comes as a hardware appliance or as an ISO file that can be installed in any virtual environment. You can download a 60-day evaluation version for practice, demos or a lab.

Closing note: If you have a small network, there is no real need for an authentication server. But if you have a very large network with a big team of engineers managing it, it is advisable to have an authentication server like RADIUS or TACACS. It is easier to manage and a more secure solution to implement.



For any queries related to this topic, you can leave your comments below in the section provided. For further blogs related to networking, please subscribe to the blog.

Keep networking till we meet next!!!! :)

Comments

  1. Thanks for your post. Please, can ACS be used to authenticate wireless users on a network?
    Also, I would like to know if ACS can be used with users registered in AD for authentication.

  2. Thanks for your post. I never configured ACS integration with AD. But you can check this Cisco doc:

    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113571-acs5-ad-int-config-00.html

