
Hey everyone,

 

We’re opening discussions in our network group on whether we should be using local accounts or AD/LDAP/RADIUS to access the management consoles of our network gear.  I see pros and cons of both.   

 

Opinions?

 

-Brian

 

____________________________________
Brian Helman, M.Ed | Director, ITS/Networking Services | 978.542.7272

Salem State University, 352 Lafayette St., Salem Massachusetts 01970

GPS: 42.502129, -70.894779

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Hi Brian - 

We use central authentication against a radius server, tied to our AD directory.

Pros - 

Group access easily managed.  When a user leaves, we can remove them from a net-admin role, and done.

Cons - 
If Identity Management services are down, you can't access the device.


We resolve the latter issue by having a fallback from radius to local auth on our network devices.  This local auth is a secured password, known by few.

-
Pete Hoffswell - Network Manager
pete.hoffswell@davenport.edu
http://www.davenport.edu
616-732-1101


We also use RADIUS with fallback to local DB on devices. One thing that is worth mentioning is that some devices (for example, HP Procurve Switches) have the ability to provide much more granular control over permissions using parameters given back to them by the RADIUS server. With the HP switches, you can configure it to provide only a limited command set to a given RADIUS user.

 

Dan Scherck

The Evergreen State College

 

We haven’t tried RADIUS with our Juniper switches yet.  I did have an issue with our wireless where, if we switched authentication to RADIUS it would only use RADIUS and ignore the local db.  If RADIUS was unavailable, for whatever reason, we couldn’t log in.  That was several code versions back so it may have been resolved.

 

I’m leaning very much toward going back to RADIUS for device authentication.  I’m not seeing anything on this thread to tell me otherwise.  If anyone wants to throw out an argument against it, I’d love to see an opposing view (since when do we all agree on anything!?  I guess that Mayan scare brought us all together?).

 

-Brian

 

From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Monday, January 14, 2013 11:00 AM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] login access to network devices - local or central db?

 

We’re in the same boat – we use ACS (redundant servers in different data centers) with a local account as fallback.  We have both Cisco & Juniper in the mix for network devices.  The ACS servers are outside of normal radius/ldap, and ‘managed’ by the network group, rather than another department.

 

From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Alan Nord
Sent: Monday, January 14, 2013 9:46 AM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] login access to network devices - local or central db?

 

We use RADIUS with fallback to local if something should happen.  I transitioned to RADIUS about 6 months ago and have not had any issues.  This allows us to give other people access if need be without having to change the local account password every time.  Another problem I was looking to solve was a proper audit trail of who was doing what when.  We use a redundant NPS setup for our environment.


Alan Nord, CCNA

Network Administrator 
Information Technology Services
Macalester College
1600 Grand Avenue
St. Paul, MN 55105

 

We use RADIUS for authentication and TACACS for authorization on our Cisco routers/switches; we use TACACS only on our Juniper hardware - not that RADIUS wouldn't work, as I recall, just that it would have taken very cumbersome RADIUS configs rather than fairly simple TACACS configs, given the way our network is built.

It's important to verify the behavior when something goes wrong with the AAA servers; we ran into a situation a while back where TACACS was failing for some devices, and they were interpreting a "no response" as "access is authorized", which would let anyone with a valid identity - student, faculty, staff, alumni, etc. - log into those devices.  You need to make sure you can get in when the network or the servers misbehave, but you also need to make sure that unauthorized people can't get in when things aren't working right.

I'd suggest doing both. If you do remote auth and all the servers are down or inaccessible by the device you will have to have a local authentication means to access the device. On the other hand, you still have to log in to each device and reset the local authentication when someone leaves the University. Depending on your size, it might be worth looking into a configuration tool to automate that (or a trustworthy intern).

We use TACACS for most of our stuff, but I'm going to be evaluating moving to RADIUS (or at least a different system) due to age of the current system and interoperability between vendors.

Do you have any specific concerns about either method?
Heath Barnhart, CCNA
ITS Network Administrator
Washburn University
Topeka, KS
On 01/14/2013 08:20 AM, Brian Helman wrote:


Brian.  I did this about a year ago.  Mainly started with my Cisco switches and routers.  I chose RADIUS because it was mostly supported by vendors and I had a free server available.   I started with IAS (windows 2003 server) and have graduated to NPS (windows 2008 server) as my RADIUS server.  It can be a bit difficult to configure properly, and I’m sure that the simplicity of my configuration has also helped. 

 

In our shop, it’s usually an all or nothing(or minimal) thing.  So most of our techs have privileged level access or minimal access to our network infrastructure.  (We are small so everyone does just about everything.) 

 

All that said, I created 2 groups in AD for each type of device.  CiscoEdgeAdmins, CiscoEdgeViewers, CiscoRouterAdmins, etc.  We keep a separate login for privileged use.  Whenever I want to give someone access to a class of infrastructure device, I pop that user login into the group.  To remove, I just take them out.  They automatically lose access if the username is deleted.  And those account creations and deletions are meticulously maintained. 

 

On the switch, we did a lot of testing with RADIUS and fallback to local users.  I had to set up RADIUS access on 3 levels.  The first was Console, the second was HTTPS and the third was SSH.   (We don’t support http or telnet access.)  Once I found the mystical incantations that made all this work, I used RANCID to spread it around to all the devices.  It all works.  At that point I removed all the local users from my switches, except for one.  This is one that can be used if the RADIUS server is down or not available via some kind of failure or there has been some kind of catastrophic configuration/ACL problem. 

 

At first there was some concern, but now everyone loves the system.  Except when we have to go looking for the local userid’s password as it’s very long (to be used only in an emergency).  :)

 

And of course, it isn’t perfect.  We upgraded some of our devices to a new switch code, and the first thing we noticed was that RADIUS support for the HTTPS interface got hosed.  So on those devices we added a local user back in with the hope one day that we can get firmware that fixes this issue. 

 

All in all, I think the solution has both negatives and positives, but the overall solution was a positive for us. 

 

Chris

CIS Security Director

The Principia

 


Message from iam@st-andrews.ac.uk

We use RADIUS day to day, and have a local “emergency override” account for cases where authentication’s no longer possible (and we don’t want to do a reset on the switch).

You could of course replace RADIUS above with some other account mechanism your switch supports.

 

--

ian

 



Heath Barnhart wrote on 14.1.2013:
> We use TACACS for most of our stuff, but I'm going to be evaluating moving to RADIUS (or at least a different system) due to age of the current system and interoperability between vendors.
>
> Do you have any specific concerns about either method?

Hi,

I've found that the main differentiators between RADIUS and TACACS are command authorization and command logging. You need to consider whether you want to have them, and check how your network equipment handles them.

I haven't used TACACS personally, but AFAIK you can do server-side policies (i.e., the device checks every command the user enters from the TACACS server) and as a side benefit you also get per-user command logging.

Standard RADIUS does not support that kind of stuff, so vendors have come up with different kinds of solutions. Usually you can configure privilege levels with certain commands on the devices and refer to those levels in a vendor-specific RADIUS reply attribute (e.g., Cisco, Juniper). Some devices allow a list of allowed or denied commands to be returned in the RADIUS reply (HP ProCurve). And some devices allow TACACS-style command verification that requires some tweaking on the RADIUS server (Extreme). Some devices log all entered commands to the system log and those can be logged centrally with syslog, some don't. Some devices log the commands, but not the user that entered them.

TACACS' server-side policies mean that you only need to make changes on the server, which is a lot easier than updating the policies on hundreds or thousands of network devices. It becomes a lot easier if you have some system to handle configuration changes en masse (e.g., vendor software or RANCID scripts).

And then you might consider what software you want to run. We already had FreeRADIUS for wireless auth so I chose to use that for network management too instead of setting up TACACS (Cisco or free software).

--
Mr Tuukka Vainio
Systems Architect, infrastructure and information security
University of Turku, IT Services
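Two things in this thread are worth seeing in code rather than prose: the vendor-specific reply attributes Dan and Tuukka describe (Cisco privilege level, Juniper login template, HP ProCurve command list), and Heath's warning that a device must treat "the AAA server did not answer" differently from "the AAA server said no". The block below is an added example written for this page; it is not code from any poster or from any vendor. It builds and verifies RFC 2865 packets, decodes the vendor attributes out of an Access-Accept, and models the device's method list with and without the fail-open behaviour Heath ran into. The enterprise numbers and vendor attribute types are taken from the FreeRADIUS dictionaries as I recall them and should be checked against your own dictionary files; the function names, the shared secret and the sample credentials are my own constructions.

```python
# Added example, not from any poster in this thread. RADIUS handling for
# network-device logins: builds and verifies RFC 2865 packets, decodes the
# vendor-specific reply attributes described above (Cisco priv-lvl,
# Juniper login class, HP ProCurve command list) and applies the device's
# fallback policy. Enterprise numbers and vendor attribute types are as I
# recall them from the FreeRADIUS dictionaries: check your own dictionary files.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
CISCO, JUNIPER, HP = 9, 2636, 11          # IANA enterprise numbers (assumed)
CISCO_AVPAIR = 1                          # value like b"shell:priv-lvl=15"
JUNIPER_LOCAL_USER_NAME = 1               # names a login template on the box
HP_COMMAND_STRING = 2                     # ';'-separated command list

def attr(atype, value):
    """Encode one Type/Length/Value attribute."""
    return bytes([atype, 2 + len(value)]) + value

def vsa(vendor, vtype, value):
    """Vendor-Specific (26) attribute carrying a single vendor sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + attr(vtype, value))

def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def build_request(ident, username, password, secret, request_auth=None):
    """Access-Request as the switch would send it; returns (packet, request authenticator)."""
    request_auth = request_auth or os.urandom(16)
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, encrypt_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth

def build_reply(code, ident, request_auth, attrs, secret):
    """Reply authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_reply(packet, ident, request_auth, secret):
    """False for anything a spoofer could inject: bad length, wrong ID, wrong authenticator."""
    if len(packet) < 20 or packet[1] != ident or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def iter_vsas(packet):
    """Yield (vendor_id, vendor_type, value) for each Vendor-Specific attribute."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break                      # malformed attribute; stop rather than loop forever
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            yield struct.unpack("!I", value[:4])[0], value[4], value[6:4 + value[5]]
        pos += alen

def authorization_from_reply(packet):
    """What the device would grant from the reply, per the vendor conventions in the thread."""
    grant = {"cisco_priv_lvl": None, "juniper_login_class": None, "hp_commands": None}
    for vendor, vtype, value in iter_vsas(packet):
        if vendor == CISCO and vtype == CISCO_AVPAIR and value.startswith(b"shell:priv-lvl="):
            grant["cisco_priv_lvl"] = int(value.split(b"=", 1)[1])
        elif vendor == JUNIPER and vtype == JUNIPER_LOCAL_USER_NAME:
            grant["juniper_login_class"] = value.decode()
        elif vendor == HP and vtype == HP_COMMAND_STRING:
            grant["hp_commands"] = value.decode().split(";")
    return grant

def classify_reply(packet, ident, request_auth, secret):
    """ACCEPT, REJECT or TIMEOUT. A reply that fails verification counts as no reply."""
    if packet is None or not verify_reply(packet, ident, request_auth, secret):
        return "TIMEOUT"
    return "ACCEPT" if packet[0] == ACCESS_ACCEPT else "REJECT"

def login_decision(outcome, local_password_ok, fail_open=False):
    """Device method list. fail_open=True models the 'no response means authorized'
    behaviour reported in the thread; the default falls through to the local account only."""
    if outcome == "ACCEPT":
        return "granted:radius"
    if outcome == "REJECT":
        return "denied"               # a definitive reject never falls back to local
    if fail_open:
        return "granted:none"         # anyone gets in while the AAA servers are down
    return "granted:local" if local_password_ok else "denied"
```

The point of `classify_reply` and `login_decision` together is the distinction several posters rely on without spelling out: an Access-Reject must end the login, while only a missing (or unverifiable) reply may fall through to the local emergency account, and never to "no authentication". When testing a real device, exercise both paths separately: blackhole the RADIUS/TACACS servers and confirm that only the local account works, then restore them and confirm that a bad password or an account outside the net-admin group is refused rather than handed to the fallback. `authorization_from_reply` shows why the reply attributes matter as much as the accept/reject bit: the same Access-Accept can carry a Cisco privilege level, a Juniper login template name and an HP command list, and the device only honours the ones it understands.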