4

I'm trying to find a way to centralize user management & authentication for a large collection of Windows & Linux Servers, including network devices (Cisco, HP, Juniper). Options include RADIUS/LDAP/TACACS/... Idea is to keep track with staff changes, and access towards these devices.

Preferably a system that is compatible with both Linux, Windows & those network devices. Seems like Windows is the most stubborn of them all, for Linux & Network equipment it's easier to implement a solution (using PAM.D for instance).

Should we look for an Active Directory/Domain Controller solution for Windows? Fun sidenote; we also manage client systems, that are often already in a domain. Trust-relationships between Domain Controllers isn't always an option for us (due to client security restrictions).

I'd love to hear fresh ideas on how to implement such a centralized authentication "portal" for those systems.

Ryan Fisher
  • 2,218
  • 16
  • 13
Mojah
  • 876
  • 1
  • 9
  • 13

5 Answers5

4

There is a solution for this. It's called KerberosV5. It does all you need, and there is good support from Windows, Linux, Unix and network devices. Have a look at it.

pehrs
  • 8,749
  • 29
  • 46
  • 2
    Unfortunately, Kerberos authentication is not easy to configure with every platform, and is not always given the same level of support in various applications. Also, using Kebreros doesn't resolve the "authorization" and "auditing" pieces of an AAA solution. It sounds like you really need an "identity management" solution. *** But Kerberos should DEFINITELY be the basis for the authentication! – Ryan Fisher Apr 06 '10 at 16:39
  • Kerberos authentication is usually really straight-forward. It's the authorization issue that makes using an AD server the authentication server for your unix boxes annoying. You need to use NIS or pam_ldap or samba or some other glue. – chris Apr 06 '10 at 19:14
4

Plenty of things can authenticate against an AD domain directly using kerberos.

You can manage authorization using ldap, if you enable anonymous binds on the AD servers.

You can also configure an AD server to also be an NIS server. I'm in the middle of doing that, and it doesn't seem trivial, but it also doesn't seem really hard. NIS + Kerberos neatly solves the issue of antiquated systems that may not have pam_ldap modules directly.

Lastly, you can use an AD server as a RADIUS server, which neatly solves the "access to random network / RAS devices" issue.

I'm mostly a unix guy, and lots of the configuration you need to do on an AD server to get it to do this stuff is frustrating, but it is really hard to argue with the one-stop shopping you get with AD. Microsoft may have had a lot of stinkers over the years, but Active Directory is really fantastic technology.

chris
  • 11,784
  • 6
  • 41
  • 51
1

Thanks for the reply on Kerberos V5, that's definately looking promising.

Another tool, by Microsoft themselves, is Forefront Identity Manager (FIM), which allows identify management without placing the servers in a domain.

http://www.microsoft.com/forefront/identitymanager/en/us/default.aspx

Mojah
  • 876
  • 1
  • 9
  • 13
0

http://kbase.redhat.com/faq/docs/DOC-4735

http://kbase.redhat.com/faq/docs/DOC-3639

above kbase doc has example which may help!!

Rajat
  • 3,329
  • 21
  • 29
0

I'm wary of posting a suggestion for a commercial tool, but here we go... FoxT's "BoKS Access Control" offers you fine-grained control over user accounts and network access permissions for both Unix, Linux, VMWare and Windows systems.

Unfortunately it does not support networking equipment.