[7213] in Kerberos
Re: Kerberos authentication with tacacs ?
daemon@ATHENA.MIT.EDU (Yves Touchette)
Sat May 4 03:30:58 1996
Date: Sat, 4 May 1996 03:15:19 -0400 (EDT)
From: Yves Touchette <yvest@server0.accent.net>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: kerberos@MIT.EDU
In-Reply-To: <tslloja5jrs.fsf@tertius.mit.edu>
You read me when you mention Cisco ... we are setting up a dial-up ISDN
pool on Cisco 4700 with MBRI modules ...
We are also changing all the authentication process we use because our
network is getting pretty big and a central Kerberos db with slave
servers is a solution that makes the most sense ...
I know Cisco says that the latest version of IOS supports RADIUS but we
had a number of problems with it ... and we saw a bug report by Cisco that
mentions that after 255 calls to RADIUS the authentication stops working ...
we need a stable authentication/accounting on those boxes so TACACS is, I
believe, the way to go.
Do you think that the fact that I am using switched Ethernet protects me
against packet sniffers ... What other security issues should I be concerned
about given the fact that the userid/passwd are sent in clear text?
Thanks a lot,
Yvest
Network Operation Group
yvest@total.net http://www.total.net
Total Net. Montreal,Ca.
A baby is God's opinion that the world should go on.
-- Carl Sandburg
On 3 May 1996, Sam Hartman wrote:
> >>>>> "Yves" == Yves Touchette <yvest@accent.net> writes:
>
> Yves> Anybody could help me out setting a tacacs server that
> Yves> authenticates via Kerberos ?
>
> You can't really do this. The TACACS protocol only supports
> cleartext password authentication, so it cannot be authenticated with
> Kerberos.
>
> This may not be what you mean; you can check users' passwords
> against a Kerberos database using a modified TACACS server. You
> really shouldn't do that for security reasons, but you may need/want
> to do it anyway in some configurations. Be aware that you will lose
> many of the advantages of Kerberos in many environments if you choose
> this option. (Sadly, this is one of a limited selection of options
> with production versions of Cisco software; the future looks brighter,
> however.)
>
> Why don't you describe what you're really trying to do and
> give enough details about your environment that we know what security
> risks are reasonable for you and what options you have. Do you consider
> your network secure? How soon do you need a solution? What
> hardware/software do you have?
>
>
>
> Yves> Yvest Network Operation Group yvest@total.net
> Yves> http://www.total.net Total Net. Montreal,Ca.
>
> Yves> A baby is God's opinion that the world should go on. --
> Yves> Carl Sandburg
>
>
>