Tacacs+ server help
| Does anyone know how to set up a TACACS+ server on an NT workstation?
I downloaded the latest software from the Cisco website, but have no clue how to set it up.
cheers | |
| MadChef 2001-12-01, 6:36 am |
| I assume you downloaded the eval copy of ACS. I don't believe it will run on workstation software. Try putting it on NT Server or 2000 Server instead.
MadChef | |
| strikeattack 2001-12-03, 11:09 am |
| I would be curious to know if anyone has ever set it up. I have not, but I would like to give it a shot. Does anyone have any experience with it? | |
| MadChef 2001-12-04, 6:49 am |
| quote: Originally posted by strikeattack
Does anyone have any experience with it?
Yes, lots. What are you curious about?
MC | |
| strikeattack 2001-12-04, 12:33 pm |
| Is the security centralization as useful and easy as it is made out to be? Do you run the software on an NT machine?
Give us a run-down MadChef! | |
| MadChef 2001-12-04, 2:56 pm |
| I love ACS. It runs on NT/2000 Server or Solaris and is painless to install. Administration is done via HTTP either locally or remotely. Do you need it for two dozen networking devices? No, not unless you want to do some hardcore accounting and authorization. But when you have either a remote access platform (dial-in, VPN, etc.) or a large number of managed devices touched by many people, ACS is indispensable. You get significantly more flexibility by authenticating remote access users against ACS than you would from just the normal NT database. Take a VPN 3000 concentrator for example. Yes, you can make it authenticate against internal users or an NT domain. But if you use RADIUS (TACACS+ isn't supported on the concentrator) you can take advantage of the various RADIUS attributes to pass along VPN group memberships, set allowed times to connect, etc. Mapping of NT/AD groups to groups on the ACS server (and I would expect you can do this for NDS as well, though I've never done it) allows you to manage all your users hitting the ACS server in a single place. Once it's up, you can pretty much leave it alone. AAA is something I don't think enough organizations take advantage of.
So yes, it is as easy and as useful as it's made out to be. At least I think so. That's my 2 minute impression.
MadChef |