[7226] in Kerberos
Re: keberos authentication with tacacs ?
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon May 6 11:56:09 1996
To: joek@CyberSafe.com (Joe Kovara)
Cc: kerberos@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 06 May 1996 11:42:27 -0400
In-Reply-To: joek@CyberSafe.com's message of Sun, 05 May 1996 22:41:19 GMT
>>>>> "Joe" == Joe Kovara <joek@CyberSafe.com> writes:
Joe> yvest@server0.accent.net (Yves Touchette) in
Joe> comp.protocols.kerberos wrote:
>> I know Cisco says that the latest version of IOS supports RADIUS
>> but we had a number of problems with it ... and we saw a bug
>> report by Cisco that mentions that after 255 calls to RADIUS the
>> authentication stops working ... we need a stable
>> authentication/accounting on those boxes so TACACS is, I
>> believe, the way to go.
Joe> Cisco also supports Kerberos (V5). I'm not sure if this
Joe> release is out of early field test yet.
Not for anything useful yet. The code does not support
putting a service key on the router, so it doesn't actually buy you
much more security, because you can spoof the TGS reply. Also, AFAIK,
no authorization mechanism is provided to speak of in the current
code. I believe Cisco is aware of the limitations of their current
code and future versions will be much more useful. Also, the code is
still in early beta.
--Sam
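
The service-key point in the reply above, as an added example that is not part of the original message or of any Cisco or MIT code: a toy model of why a host that holds its own service key can reject a reply that a host without one would accept. The names (`ToyKDC`, `seal`, `alice`, `host/router`) are hypothetical, HMAC tagging stands in for Kerberos encryption, and the AS and TGS exchanges are collapsed into one reply.

```python
import hashlib, hmac, json, os

def seal(key, payload):
    """Toy stand-in for Kerberos encryption: HMAC-SHA256 tag + JSON body."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, blob):
    """Return the payload if the tag verifies under key, else None."""
    tag, body = blob[:32], blob[32:]
    good = hmac.new(key, body, hashlib.sha256).digest()
    return json.loads(body) if hmac.compare_digest(tag, good) else None

class ToyKDC:
    """Hypothetical responder; AS and TGS exchanges collapsed into one reply."""
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys

    def reply(self, user, service):
        session = os.urandom(16).hex()
        return {
            "enc_part": seal(self.user_keys[user], {"session": session, "service": service}),
            "ticket": seal(self.service_keys[service], {"session": session, "client": user}),
        }

def accept_without_service_key(user_key, reply):
    """Only the part sealed under the login key can be checked."""
    return unseal(user_key, reply["enc_part"]) is not None

def accept_with_service_key(user_key, host_key, user, reply):
    """Also open the ticket with the host's own key and cross-check it."""
    enc = unseal(user_key, reply["enc_part"])
    tkt = unseal(host_key, reply["ticket"])
    return bool(enc and tkt and tkt["client"] == user
                and tkt["session"] == enc["session"])

# Constructed sample keys and names, not taken from the message.
USER, SVC = "alice", "host/router"
user_key, host_key = os.urandom(32), os.urandom(32)
real = ToyKDC({USER: user_key}, {SVC: host_key})
# A responder that can produce the login-key part but lacks the host key.
other = ToyKDC({USER: user_key}, {SVC: os.urandom(32)})

if __name__ == "__main__":
    for name, kdc in (("real KDC", real), ("other responder", other)):
        r = kdc.reply(USER, SVC)
        print(name, accept_without_service_key(user_key, r),
              accept_with_service_key(user_key, host_key, USER, r))
```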