login access to network devices - local or central db?
Hey everyone,
We’re opening discussions in our network group on whether we should be using local accounts or AD/LDAP/RADIUS to access the management consoles of our network gear. I see pros and cons of both.
Opinions?
-Brian
____________________________________
Brian Helman, M.Ed | Director, ITS/Networking Services | 978.542.7272
Salem State University, 352 Lafayette St., Salem Massachusetts 01970
GPS: 42.502129, -70.894779
Comments
Pete Hoffswell - Network Manager
pete.hoffswell@davenport.edu
http://www.davenport.edu
616-732-1101
We also use RADIUS with fallback to local DB on devices. One thing that is worth mentioning is that some devices (for example, HP Procurve Switches) have the ability to provide much more granular control over permissions using parameters given back to them by the RADIUS server. With the HP switches, you can configure it to provide only a limited command set to a given RADIUS user.
Dan Scherck
The Evergreen State College
We haven’t tried RADIUS with our Juniper switches yet. I did have an issue with our wireless where, if we switched authentication to RADIUS it would only use RADIUS and ignore the local db. If RADIUS was unavailable, for whatever reason, we couldn’t log in. That was several code versions back so it may have been resolved.
I’m leaning very much toward going to back to RADIUS for device authentication. I’m not seeing anything on this thread to tell me otherwise. If anyone wants to throw out an argument against it, I’d love to see an opposing view (since when do we all agree on anything!? I guess that Mayan scare brought us all together?).
-Brian
From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danny Eaton
Sent: Monday, January 14, 2013 11:00 AM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] login access to network devices - local or central db?
We’re on the same boat – we use ACS (redundant servers in different data centers) with a local as fallback. We have both Cisco & Juniper in the mix for network devices. The ACS servers are outside of normal radius/ldap, and ‘managed’ by the network group, rather than another department.
From: The EDUCAUSE Network Management Constituent Group Listserv [mailto:NETMAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Alan Nord
Sent: Monday, January 14, 2013 9:46 AM
To: NETMAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [NETMAN] login access to network devices - local or central db?
We use RADIUS with fall back to local if something should happen. I transitioned to RADIUS about 6 months ago and have not had any issues. This allows us to give other people access if need be without having to change the local account password after every time. Another problem I was looking to solve was proper audit trail of who was doing what when. We use a redundant NPS setup for our environment.
Alan Nord, CCNA
Network Administrator
Information Technology Services
Macalester College
1600 Grand Avenue
St. Paul, MN 55105
We use TACACS for most of our stuff, but I'm going to be evaluating moving to RADIUS (or at least a different system) due to age of the current system and interoperability between vendors.
Do you have any specific concerns about either method?
Heath Barnhart, CCNA
ITS Network Administrator
Washburn University
Topeka, KS
On 01/14/2013 08:20 AM, Brian Helman wrote:
Brian. I did this about a year ago. Mainly started with my Cisco switches and routers. I chose RADIUS because it was mostly supported by vendors and I had a free server available. I started with IAS (windows 2003 server) and have graduated to NPS (windows 2008 server) as my RADIUS server. It can be a bit difficult to configure properly, and I’m sure that the simplicity of my configuration has also helped.
In our shop, it’s usually an all or nothing (or minimal) thing. So most of our techs have privileged level access or minimal access to our network infrastructure. (We are small so everyone does just about everything.)
All that said, I created 2 groups in AD for each type of device. CiscoEdgeAdmins, CiscoEdgeViewers, CiscoRouterAdmins, etc. We keep a separate login for privileged use. Whenever I want to give someone access to a class of infrastructure device, I pop that user login into the group. To remove, I just take them out. They automatically lose access if the username is deleted. And those account creations and deletions are meticulously maintained.
On the switch, we did a lot of testing with RADIUS and fallback to local users. I had to set up RADIUS access on 3 levels. The first was Console, the second was HTTPS and the third was SSH. (We don’t support http or telnet access.) Once I found the mystical incantations that made all this work, I used RANCID to spread it around to all the devices. It all works. At that point I removed all the local users from my switches, except for one. This is one that can be used if the RADIUS server is down or not available via some kind of failure or there has been some kind of catastrophic configuration/ACL problem.
At first there was some concern, but now everyone loves the system. Except when we have to go looking for the local userid’s password as it’s very long (to be used only in an emergency).
And of course, it isn’t perfect. We upgraded some of our devices to a new switch code, and the first thing we noticed was that RADIUS support for the HTTPS interface got hosed. So on those devices we added a local user back in with the hope one day that we can get firmware that fixes this issue.
All in all, I think the solution has both negatives and positives, but the overall solution was a positive for us.
Chris
CIS Security Director
The Principia
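As an added illustration of the fallback behaviour that Dan's and Chris's replies describe (this is example code, not from the thread, NPS, ACS or any switch vendor), the sketch below walks through the RFC 2865 Access-Request/Access-Accept exchange with PAP-style password hiding and a client-side policy that consults the local database only when no server returns a verifiable answer, so an Access-Reject never falls through to local credentials. The shared secret, user table and server stubs are constructed for the example.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types
def xor_password(data, secret, auth, encrypt):
    # RFC 2865 s5.2: NUL-pad, XOR each 16-byte block with MD5(secret + prior ciphertext block).
    padded, out, prev = data + b"\0" * (-len(data) % 16), b"", auth  # prev starts as Request Auth
    for i in range(0, len(padded), 16):
        chunk = padded[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if encrypt else chunk)
    return out
def parse_attrs(data):  # type, length, value triples -> {type: value}
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs
def response_auth(code, ident, attrs, req_auth, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()
def build_request(ident, user, password, secret):
    auth = os.urandom(16)  # fresh Request Authenticator per request
    hidden = xor_password(password, secret, auth, True)
    attrs = bytes([USER_NAME, 2 + len(user)]) + user + bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs
def radius_server(request, secret, users):
    # Constructed stand-in for NPS/ACS: recover the password, answer Accept or Reject.
    ident, req_auth, attrs = request[1], request[4:20], parse_attrs(request[20:])
    password = xor_password(attrs[USER_PASSWORD], secret, req_auth, False).rstrip(b"\0")
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_auth(code, ident, b"", req_auth, secret)
def verify_response(request, response, secret):
    # Accept a reply only if its ID matches and its authenticator verifies under the secret.
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_auth(code, ident, response[20:length], request[4:20], secret)
    return code if ident == request[1] and hmac.compare_digest(expected, response[4:20]) else None
def device_login(user, password, servers, secret, local_users):
    # servers: ordered callables returning a reply or None on timeout. A Reject is final;
    # the local DB is consulted only when no server gives a verifiable answer.
    for ident, send in enumerate(servers):
        request = build_request(ident, user, password, secret)
        reply = send(request)
        code = verify_response(request, reply, secret) if reply else None
        if code in (ACCESS_ACCEPT, ACCESS_REJECT):
            return "radius-accept" if code == ACCESS_ACCEPT else "radius-reject"
    return "local-accept" if local_users.get(user) == password else "local-reject"
```

A reply whose authenticator does not verify (wrong shared secret, or a forged packet) is treated like no answer at all, which is why the emergency local account should stay long and rarely used, as Chris notes.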