Re: ACS - AAA functions split over multiple Servers

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Thu Nov 23 2006 - 08:36:38 ART


Forgot to say that you have correctly mentioned that this works only
with TACACS+, since it separates Auth and Author :) Clearly, RADIUS
lacks this feature.

2006/11/23, Petr Lapukhov <petr@internetworkexpert.com>:
>
> Tim,
>
> Actually, Authorization is performed by the router (client) after
> Authentication. So it's up to the client to decide if it should start
> authorization for an access request.
>
> From the TACACS+ point of view, it just receives AUTH/AUTHOR requests
> and responds as configured. There is no need for the server to "keep state",
> e.g. to know whether the actual user has been successfully authenticated.
>
> With RADIUS, there is no separate authorization phase; everything is
> encoded in the Auth response.
>
> 2006/11/21, Tim <ccie2be@nyc.rr.com>:
> >
> > Hey Guys,
> >
> > I know the different AAA services can be split over multiple servers, for
> > example, having Authentication on one server and Authorization on another
> > server if Tacacs+ is being used.
> >
> > But, I have a couple Q's about how this works.
> >
> > I know that before the Authorization function can be done, Authentication
> > must have already been done. So, assuming the Authen function is on one
> > server and the Author function is on another, how does the Authorization
> > function know that Authen was successful when that takes place on a
> > different server?
> >
> > Also, are there any rules of thumb or Best Practices as to when these
> > services should be configured on separate servers? My assumption is that
> > this will depend on how many users there are or how much strain is being
> > placed on the ACS, but I have no idea at what point that might be.
> >
> > Does anyone have any benchmarks or other ways to determine when splitting
> > AAA functions across multiple servers might make sense?
> >
> > Thanks, Tim
> >
> >

-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
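As an added illustration of the split Tim asks about (example configuration, not from anyone in this thread), the IOS AAA fragment below sends TACACS+ authentication to one server and EXEC authorization to another; the addresses, keys and list names are constructed placeholders.

```cisco
! Added example (not from the thread): TACACS+ authentication and
! authorization on different servers. IPs, keys and list names are placeholders.
aaa new-model
!
! Two TACACS+ servers: the first only ever sees AUTHEN packets,
! the second only AUTHOR packets.
tacacs-server host 192.0.2.10 key AUTHEN-KEY-PLACEHOLDER
tacacs-server host 192.0.2.20 key AUTHOR-KEY-PLACEHOLDER
!
aaa group server tacacs+ AUTHEN-SRV
 server 192.0.2.10
aaa group server tacacs+ AUTHOR-SRV
 server 192.0.2.20
!
! Login authentication goes to the first group. "local" is used only
! when the group is unreachable, not when it rejects the user.
aaa authentication login VTY-AUTHEN group AUTHEN-SRV local
!
! The router itself starts EXEC authorization after a successful login,
! so the second server never needs to know the authentication result.
aaa authorization exec VTY-AUTHOR group AUTHOR-SRV local
!
line vty 0 4
 login authentication VTY-AUTHEN
 authorization exec VTY-AUTHOR
```

Because the authorization server receives no signal that the user authenticated, its rules must be keyed to the username the router carries in the AUTHOR request. The same split is not possible with RADIUS, whose Access-Accept already carries the authorization attributes.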



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART