Educause Security Discussion mailing list archives

Re: Administrative account access control


From: "Niedens, Travis" <Travis_Niedens () REDLANDS EDU>
Date: Mon, 26 Jan 2004 08:37:49 -0800

We use Windows server for Cisco ACS auth and I have even labbed Windows 2003
Server and done TLS-PEAP with it; it works pretty flawlessly.  Personally,
I'd rather use keyfob / SecurID to authenticate.  I'm used to this
environment and prefer it.  I guess one benefit is that most admins that
deploy it run it off of Solaris, however, it can be costly. Most modern
NOS's can authenticate for you.  The choice you make really is dependent
upon your environment (support, budget, comfort, etc.)

Travis Niedens
Network Manager
University of Redlands

Phone: (909) 748-6328
Fax:     (909) 793-2029
VoIP Phone: (909) 799-4778
VoIP Extension: 4778


-----Original Message-----
From: Anthony Schroeder [mailto:aschroeder () GW HAMLINE EDU]
Sent: Monday, January 26, 2004 7:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Administrative account access control

i don't want to start a NOS war, but the answer is don't get rid of the
netware systems.  we have roughly 35 intel servers (netware and active
directory) and about 8 solaris machines, as well as quite a few cisco
switches that are all administered by 3 people.

nds runs the whole thing...we have an automatic import process from our
HR/student record system that creates the accounts as the person is
hired/admitted to school, and disables the account as they leave.
we use netware as our file/print
we have connectors to active directory and NIS that provides account
information to the other systems (including passwords/etc).
we use cisco's access control server that pulls the authentication
information from NDS to allow certain people to log in with different
privileges to the switches - the person logs in as himself, rather than a
generic administrative user

novell is coming out with some web-based self-password administration
mechanism (to handle forgotten passwords, etc).

it all works pretty slick.

anthony.

STEVE () BUMAIL BRADLEY EDU 1/23/2004 1:22:05 PM >>>
We have about 30 servers and large numbers of routers and switches that are
administrated by roughly a dozen people.



Naturally, we want a highly secure environment for administrative access.
All these devices have different, difficult passwords.  It is not impossible
to remember all the passwords.  Also, we want to avoid the situation where
we can't fix a problem because no one is around who knows a particular
password.



I have been looking for solutions to provide secure access to administer
resources, provide a log of access, allow us to grant or restrict access
quickly and easily, etc.



I've been talking to Priva Technologies, but wonder if others have this same
problem and what they have done to address it.  What vendor solutions are
available?



Our environment is CISCO network, and VPN.  We have a Sun1 LDAP system and
also use Active Directory.  We have some Netware, but it is on the way out.



Thanks for any insights you can provide,

Steve Patrick,

Bradley University




**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
