[c-nsp] SecureACS Appliance & AD Authentication

Scott Keoseyan scott at labyrinth.org
Fri Feb 26 12:37:59 EST 2010


Yes Ryan, you can restrict access based on LDAP or AD groups to specific groups of devices and access levels. However, I would STRONGLY recommend the direct LDAP approach, using LDAPS with certificates, as opposed to the AD plugin, which has been rife with memory leaks and other stability issues for years now. I have lost a measurable amount of sleep over these issues in the past.

If you need to use AD, run the Windows version on a Windows server.

Scott

On Feb 26, 2010, at 12:09 PM, Ryan Lambert wrote:

> Hi everyone,
>
> Figure this is as good a place as any to reach out and see if anyone has some experience with this.
>
> I'm currently debating whether I use LDAP or a Remote Agent for Windows with my SecureACS Appliance to authenticate network users via AD. I've read through the documentation a bit, but I still have a couple of questions:
>
> - If I use the remote agent, is there a way I can only allow specific users in an AD domain to log onto network devices? For obvious reasons I would not want to allow each and every user in the domain to access my routers/switches via SSH.
> - Is there a method of doing this same restriction via LDAP?
> - As a network admin with little/no access to the actual AD admin snap-in, I'd much PREFER to have all of this in my control, with the exception of obviously installing the Agent software on a member server if that's the route we eventually go.
>
> Thanks in advance.
>
> -Ryan
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/