Central Authentication For Windows, Linux, Network Devices
Solution 1
There is a solution for this. It's called KerberosV5. It does all you need, and there is good support from Windows, Linux, Unix and network devices. Have a look at it.
Solution 2
Plenty of things can authenticate against an AD domain directly using kerberos.
You can manage authorization using ldap, if you enable anonymous binds on the AD servers.
You can also configure an AD server to also be an NIS server. I'm in the middle of doing that, and it doesn't seem trivial, but it also doesn't seem really hard. NIS + Kerberos neatly solves the issue of antiquated systems that may not have pam_ldap modules directly.
Lastly, you can use an AD server as a RADIUS server, which neatly solves the "access to random network / RAS devices" issue.
I'm mostly a unix guy, and lots of the configuration you need to do on an AD server to get it to do this stuff is frustrating, but it is really hard to argue with the one-stop shopping you get with AD. Microsoft may have had a lot of stinkers over the years, but Active Directory is really fantastic technology.
Solution 3
Thanks for the reply on Kerberos V5, that's definately looking promising.
Another tool, by Microsoft themselves, is Forefront Identity Manager (FIM), which allows identify management without placing the servers in a domain.
http://www.microsoft.com/forefront/identitymanager/en/us/default.aspx
Related videos on Youtube
06 : 08
18 : 08
30 : 05
01 : 21 : 35
02 : 50
Slayer
Updated on September 17, 2022Comments
-
Slayer over 1 year
I'm trying to find a way to centralize user management & authentication for a large collection of Windows & Linux Servers, including network devices (Cisco, HP, Juniper). Options include RADIUS/LDAP/TACACS/... Idea is to keep track with staff changes, and access towards these devices.
Preferably a system that is compatible with both Linux, Windows & those network devices. Seems like Windows is the most stubborn of them all, for Linux & Network equipment it's easier to implement a solution (using PAM.D for instance).
Should we look for an Active Directory/Domain Controller solution for Windows? Fun sidenote; we also manage client systems, that are often already in a domain. Trust-relationships between Domain Controllers isn't always an option for us (due to client security restrictions).
I'd love to hear fresh ideas on how to implement such a centralized authentication "portal" for those systems.
-
Ryan Fisher about 14 yearsUnfortunately, Kerberos authentication is not easy to configure with every platform, and is not always given the same level of support in various applications. Also, using Kebreros doesn't resolve the "authorization" and "auditing" pieces of an AAA solution. It sounds like you really need an "identity management" solution. *** But Kerberos should DEFINITELY be the basis for the authentication! -
chris about 14 yearsKerberos authentication is usually really straight-forward. It's the authorization issue that makes using an AD server the authentication server for your unix boxes annoying. You need to use NIS or pam_ldap or samba or some other glue.
