Does Cisco have domain authentication change functionality?
What I mean is this. Say I want to change the enable passwords on all 100 devices (switches, routers, firewalls) at our locations. You mean I have to SSH into each device and change them manually? What do people use? Does Cisco have some domain-type setup so you can change credentials globally?
Comments
tiersten:
TACACS+ and RADIUS. If they are all Cisco devices, then use TACACS+. If you have a mixture, then RADIUS will probably be better.
redwarrior:
Most places, if they have that many devices to manage, use either RADIUS or TACACS+ for authentication. Not only do you get centralized administration and integration with whatever LDAP server scheme the place is already using for accounts, but you also can more easily see who did what and when, beyond just a single account.
That being said, you could use a configuration management tool like CiscoWorks or Kiwi CatTools to update the passwords by pushing a config snippet to all the devices. Other than that, I can't think of any good way to do this. Any other ideas?
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <-- My Cisco Blog
APA:
enable secret is local to the device...
With TACACS+ (and I think RADIUS) you can specify the enable password/secret to be the same as the user's global password (then, based on their TACACS/RADIUS authorization levels, they get the required access levels),
or you tell TACACS+/RADIUS to force enable authentication based on the enable password configured on the device...
The easiest way to change this would be to script it or use a config manager (Kiwi CatTools, RANCID, etc.).
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
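The scripted push that redwarrior and APA suggest, worked through as an added example (this is not code from the thread): a Python rotation of the local enable secret across an inventory that reads the secret back from every device and only saves when the hash really changed. The SSH session is abstracted as a callable you supply (wiring it to something like netmiko's send_config_set is an assumption, not shown); the FakeIOS class, the hostnames and the hash values are constructed stand-ins so the block runs offline.

```python
"""Rotate the local 'enable secret' across a fleet and verify every device before saving.

Added example, not code from the thread. The SSH session is abstracted as
run(device, lines) -> output so the logic runs offline here; in production pass a
function that drives a real session (a netmiko send_config_set wrapper is assumed).
FakeIOS below is a constructed stand-in, not a real device.
"""
import hashlib
import re
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Read-back line, e.g. "enable secret 9 $9$..." (scrypt) or "enable secret 5 $1$..." (MD5)
ENABLE_SECRET_RE = re.compile(r"^enable secret (\d+) (\S+)$", re.MULTILINE)
STRONG_HASH_TYPES = {"8", "9"}  # PBKDF2-SHA256 / scrypt; type 5 is MD5, type 7 is reversible


@dataclass
class Device:
    host: str


def generate_secret(length: int = 24) -> str:
    """Fresh secret from the OS CSPRNG; '?' is excluded because IOS treats it as help."""
    alphabet = string.ascii_letters + string.digits + "!@#%^*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def plan_rotation(new_secret: str, algorithm: Optional[str] = "scrypt") -> List[str]:
    """Config lines to push. 'enable algorithm-type scrypt secret' gives a type-9 hash on
    IOS 15.3+; older images only accept plain 'enable secret' (type 5). Never 'enable password'."""
    set_cmd = (f"enable algorithm-type {algorithm} secret {new_secret}" if algorithm
               else f"enable secret {new_secret}")
    return ["configure terminal", set_cmd, "no enable password", "end"]


def verify(output: str) -> Tuple[Optional[str], Optional[str]]:
    """(hash_type, hash) of the enable secret in 'show running-config' output, or (None, None)."""
    m = ENABLE_SECRET_RE.search(output)
    return (m.group(1), m.group(2)) if m else (None, None)


def rotate_all(devices: List[Device], run: Callable[[Device, List[str]], str],
               new_secret: str) -> Dict[str, str]:
    """Push the new secret to each device; save only when the read-back hash actually changed."""
    results = {}
    probe = ["show running-config | include ^enable"]
    for dev in devices:
        _, before = verify(run(dev, probe))
        run(dev, plan_rotation(new_secret, "scrypt"))
        htype, after = verify(run(dev, probe))
        if after is None or after == before:
            # Old IOS rejects the algorithm-type keyword: fall back to the classic form.
            run(dev, plan_rotation(new_secret, None))
            htype, after = verify(run(dev, probe))
        if after is None or after == before:
            results[dev.host] = "FAILED: secret unchanged, not saved"
            continue
        run(dev, ["write memory"])
        results[dev.host] = "ok" if htype in STRONG_HASH_TYPES else f"rotated but weak hash type {htype}"
    return results


class FakeIOS:
    """Constructed in-memory device so the example runs offline. mode: 'scrypt' (IOS 15.3+),
    'md5' (old IOS), 'readonly' (config commands denied, e.g. by TACACS+ command authorization)."""
    PREFIX = {"9": "$9$", "5": "$1$"}

    def __init__(self, mode: str = "scrypt"):
        self.mode = mode
        self.enable_secret = "enable secret 5 $1$oldsalt$oldhash"
        self.enable_password = "enable password 7 0822455D0A16"  # legacy type-7 line, constructed
        self.saved = False

    def _set(self, htype: str, pw: str) -> None:
        digest = hashlib.sha256(pw.encode()).hexdigest()[:16]  # not a real IOS hash, just stable
        self.enable_secret = f"enable secret {htype} {self.PREFIX[htype]}fake${digest}"

    def __call__(self, device: Device, lines: List[str]) -> str:
        out = []
        for line in lines:
            if line.startswith("show running-config"):
                out += [l for l in (self.enable_secret, self.enable_password) if l]
            elif self.mode == "readonly":
                out.append("Command authorization failed.")
            elif line.startswith("enable algorithm-type scrypt secret "):
                if self.mode == "scrypt":
                    self._set("9", line.split()[-1])
                else:
                    out.append("% Invalid input detected at '^' marker.")
            elif line.startswith("enable secret "):
                self._set("5", line.split()[-1])
            elif line == "no enable password":
                self.enable_password = ""
            elif line == "write memory":
                self.saved = True
        return "\n".join(out)


def demo() -> Dict[str, str]:
    """Constructed inventory: a modern switch, an old router, and a box that denies config changes."""
    fakes = {"sw-01": FakeIOS("scrypt"), "rtr-old": FakeIOS("md5"), "rtr-ro": FakeIOS("readonly")}

    def run(dev: Device, lines: List[str]) -> str:
        return fakes[dev.host](dev, lines)

    return rotate_all([Device(h) for h in fakes], run, generate_secret())
```

The read-back step is the part worth keeping when you adapt this: a push that silently failed (old syntax, command authorization denied, session dropped) leaves the device on the old secret, and saving without checking would let the fleet drift into two different credentials.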
itdaddy:
You must have to configure each device (switch/router/etc.) to use or point to the RADIUS and/or TACACS+ server using the local enable password, right? And then do you configure the RADIUS/TACACS server to accept the devices based off of some ID? And where can I get info on how to set one up for, say, my home lab? I have like 12 devices; it would be nice to have that kind of setup. Is it expensive, or where can I get info? Thanks.
cisco_trooper:
RADIUS or TACACS, brother. You can configure your devices to authenticate via RADIUS or TACACS, with a backup of LOCAL, which would THEN use the LOCAL enable password. I rarely, if ever, have to authenticate using the local enable password. This usually only occurs if the device is unable to reach my RADIUS box, which usually means the device has been removed from the network for service.
My RADIUS config has Network Admins at privilege level 15 and drops them directly to exec mode if they authenticate. I have a couple of other privilege levels for people to light access ports. It works great, and I'm pretty sure I've got a post on the config if you dig a little.
I'll leave the digging for those interested.
cisco_trooper:
itdaddy wrote: » is it expensive or where can I get info? thanks
If you have a Win2K3 box up, you just use IAS for RADIUS, which doesn't cost anything extra. There are several free TACACS services available, but I think most of them run in the *nix realm. If you are mostly a Windows shop, I recommend sticking with IAS for the sake of having competent admins available. I never come across *nix guys who really know what the heck they are doing.
Forsaken_GA:
cisco_trooper wrote: » If you have a Win2K3 box up you just use IAS for RADIUS, which doesn't cost anything extra. There are several free TACACS services available but I think most of them run in the *nix realm. If you are mostly a Windows shop I recommend sticking with IAS for the sake of having competent admins available. I never come across *nix guys who really know what the heck they are doing.
Unix guys morons and Windows admins competent? That's a sentiment I don't see often.
Personally, I don't want the Windows guys mucking around with the authentication to my network gear.
networker050184 (Mod):
Forsaken_GA wrote: » Unix guys morons and Windows admins competent? That's a sentiment I don't see often.
Personally, I don't want the Windows guys mucking around with the authentication to my network gear.
+1
In all my experience the Unix admins have been a lot better than the Windows admins also. We trust the Unix admins to run our TACACS server. They only maintain the OS and hardware, though. We run the TACACS portion.
An expert is a man who has made all the mistakes which can be made.
cisco_trooper:
cisco_trooper wrote: » If you have a Win2K3 box up you just use IAS for RADIUS, which doesn't cost anything extra. There are several free TACACS services available but I think most of them run in the *nix realm. If you are mostly a Windows shop I recommend sticking with IAS for the sake of having competent admins available. I never come across *nix guys who really know what the heck they are doing.
Hey. Probably not worded properly. For the sake of simplicity I'm saying it's easier to find Windows guys than *nix guys. I'll leave it at that.
APA:
itdaddy, look up the following:
AAA (Authentication, Authorization & Accounting)
With TACACS+ and RADIUS you need to specify the config to point the device to the actual authentication server (this involves the IP address, the secret shared between the device and the server, etc.).
I've always used the same config as cisco_trooper, which is to have TACACS as my main auth type and a backup of local auth:
specific privilege levels for specific users, and the local enable password is only used if the primary auth method is not available, thus resulting in local auth.
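The design APA and cisco_trooper describe (TACACS+ consulted first for login and for enable, local credentials only as the fallback, privilege levels handed out by the server, and the local enable secret used only when the server is unreachable), as an added example that is not from the thread: the IOS commands that produce it, plus a Python check that reads a device's running-config and reports where it departs from that design. The server name, address, shared key, hostnames and hash strings are all constructed; the audit expects 'show running-config' output, where IOS has already hashed the secrets, so feeding it the typed reference block itself will report the clear-text placeholders.

```python
"""Check an IOS running-config against the AAA design from the thread: TACACS+ first for login
and enable, local credentials only as fallback, exec authorization for privilege levels, and a
strong local enable secret. Added example, not from the thread; names, addresses, keys and
hashes are constructed. Feed it 'show running-config' output (secrets already hashed)."""
import re
from typing import List

# What you would type on an IOS 15.3+ device to get that design (replace address, key, secrets).
REFERENCE_AAA_CONFIG = """\
aaa new-model
tacacs server TAC-PRIMARY
 address ipv4 10.0.0.10
 key REPLACE-WITH-SHARED-SECRET
aaa group server tacacs+ TAC-SERVERS
 server name TAC-PRIMARY
aaa authentication login default group TAC-SERVERS local
aaa authentication enable default group TAC-SERVERS enable
aaa authorization exec default group TAC-SERVERS local
aaa accounting exec default start-stop group TAC-SERVERS
username fallback-admin privilege 15 algorithm-type scrypt secret REPLACE-ME
enable algorithm-type scrypt secret REPLACE-ME
line vty 0 4
 transport input ssh
"""
STRONG_HASH_TYPES = {"8", "9"}  # PBKDF2-SHA256 / scrypt; 5 is MD5, 7 is reversible, 0 is clear
SERVER_PREFIXES = ("tacacs server ", "tacacs-server host ", "radius server ", "radius-server host ")


def _methods(rest: str) -> List[str]:
    """'group TAC-SERVERS local' -> ['group TAC-SERVERS', 'local'] (joins 'group' with its name)."""
    toks, out, i = rest.split(), [], 0
    while i < len(toks):
        step = 2 if toks[i] == "group" and i + 1 < len(toks) else 1
        out.append(" ".join(toks[i:i + step]))
        i += step
    return out


def _check_list(kind: str, rest: str, fallback: str, findings: List[str]) -> None:
    """The server must be tried first; the named fallback must exist; 'none' must not appear."""
    methods = _methods(rest)
    if not methods[0].startswith("group "):
        findings.append(f"{kind}: '{methods[0]}' is consulted before the AAA server")
    if fallback not in methods:
        findings.append(f"{kind}: no '{fallback}' fallback, so you are locked out when the server is unreachable")
    if "none" in methods:
        findings.append(f"{kind}: method 'none' permits access without credentials")


def audit(cfg: str) -> List[str]:
    """Return findings for one device's running-config; an empty list means it matches the design."""
    lines, f = cfg.splitlines(), []
    if "aaa new-model" not in lines:
        f.append("aaa new-model missing: line passwords in use, nothing is centralized")
    else:
        lists = dict(re.findall(r"^aaa authentication (login|enable) default (.+)$", cfg, re.M))
        for kind, fallback in (("login", "local"), ("enable", "enable")):
            if kind not in lists:
                f.append(f"no 'aaa authentication {kind} default' method list")
            else:
                _check_list(kind, lists[kind], fallback, f)
        if not any(l.startswith("aaa authorization exec default ") for l in lines):
            f.append("no exec authorization: privilege levels cannot come from the server")
    if not any(l.startswith(SERVER_PREFIXES) for l in lines):
        f.append("no TACACS+/RADIUS server defined")
    for ktype in re.findall(r"^ key (?:(\d) )?\S+", cfg, re.M):
        if ktype not in ("6", "7"):
            f.append("server key stored in clear text: enable service password-encryption or use type 6")
    es = re.search(r"^enable secret (\d+) ", cfg, re.M)
    if es is None:
        f.append("no 'enable secret' configured")
    elif es.group(1) not in STRONG_HASH_TYPES:
        f.append(f"enable secret is hash type {es.group(1)}; re-set it with 'enable algorithm-type scrypt secret'")
    if re.search(r"^enable password ", cfg, re.M):
        f.append("'enable password' present: type 0/7 is trivially reversible, remove it")
    for user, kw, htype in re.findall(r"^username (\S+) .*?(secret|password) (?:(\d+) )?\S+", cfg, re.M):
        if kw == "password" or htype not in STRONG_HASH_TYPES:
            f.append(f"username {user}: stored as {kw} type {htype or '0'}, use a type 8/9 secret")
    if re.search(r"^ transport input (telnet|all)\b", cfg, re.M):
        f.append("vty accepts telnet: credentials cross the wire in clear text")
    return f


# Constructed 'show running-config' excerpts: one compliant box, one variant, one legacy router.
COMPLIANT = """\
aaa new-model
aaa group server tacacs+ TAC-SERVERS
 server name TAC-PRIMARY
aaa authentication login default group TAC-SERVERS local
aaa authentication enable default group TAC-SERVERS enable
aaa authorization exec default group TAC-SERVERS local
enable secret 9 $9$saltsalt$constructedhash
username fallback-admin privilege 15 secret 9 $9$saltsalt$constructedhash
tacacs server TAC-PRIMARY
 address ipv4 10.0.0.10
 key 7 0822455D0A16
line vty 0 4
 transport input ssh
"""
# Same box, but local is tried first for login and there is no fallback for enable.
MISORDERED = COMPLIANT.replace("login default group TAC-SERVERS local", "login default local group TAC-SERVERS") \
    .replace("enable default group TAC-SERVERS enable", "enable default group TAC-SERVERS")
LEGACY = """\
enable password 7 0822455D0A16
username admin password 0 cisco123
line vty 0 4
 password letmein
 login
 transport input telnet
"""
```

Run audit() over the configs you pull from each device after the AAA push; the two method-list checks catch the mistakes that are easy to make by hand on 100 boxes (local listed before the server group, or an enable list with no enable fallback), and the secret checks catch devices still carrying an 'enable password' or a type 5/7 credential.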
APA:
cisco_trooper wrote: » Hey. Probably not worded properly. For the sake of simplicity I'm saying it's easier to find Windows guys than *nix guys. I'll leave it at that.
I still tend to disagree with this. Windows guys are absolutely everywhere; being majority GUI-based, everyone thinks they are Windows stars till you work with them and they suck.
I've gone from a full Windows house to a full *nix/Sun house, and the systems team I work alongside now seriously know their stuff, 10x better than the Windows guys I had to work with at my old company.
I still don't like the idea of anyone playing with my network authentication servers, though. I like to be on top of them, same with my monitoring, etc. However, should there be a little system issue I'm not too sure of, the guys are only a metre away.
cisco_trooper:
APA wrote: » I still tend to disagree with this..... Windows guys are absolutely everywhere.... being majority GUI based everyone thinks they are Windows stars till you work with them and they suck....
I've gone from a full windows house to a full *nix\Sun house and the systems team I work alongside with now seriously know their stuff! 10 x better than the windows guys I had to work with at my old company.
I still don't like the idea of anyone playing with my network authentication servers though.... I like to be ontop of them, same with my monitoring etc.... However should there be a lil system issue I'm not to sure of, the guys are only a metre away...
I agree with everything here. Here is what I'm saying: if you're in an all-Windows environment, you probably don't have a hardcore *nix dude on staff. So if I had to pick in this situation, I'd rather have a crappy Windows dude admin a Windows box than have a crappy Windows dude admin my *nix box. But I'm like you: no one touches my RADIUS or TACACS boxes, regardless.