[c-nsp] SecureACS Appliance & AD Authentication

James Greig james at mor-pah.net
Fri Feb 26 13:41:20 EST 2010


Hi,

Just a note on this one.  Within our organisation we have a number of
systems, freeradius etc., so we decided to consolidate and use Microsoft's
Network Policy Server with RADIUS to authenticate against Active Directory.
It's all built into 2008.  You can set certain users or groups to have
access to certain devices etc.  We're using this against our 7200 series
edge routers, core 3750 switches and numerous Cisco ASAs (anything that
supports RADIUS).  You can also set access times, which comes in handy for
rancid.  It's not everyone's cup of tea, being Microsoft, but it works well
for us and we cannot fault it.

James Greig

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alan Buxey
Sent: 26 February 2010 18:32
To: Ryan Lambert; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] SecureACS Appliance & AD Authentication

Personally I'd go for freeradius or radiator RADIUS server for the backend
policy/logic - both work well with AD and handle many EAP types, proxying
etc.


--- original message ---
From: "Ryan Lambert" <thirdfrl.nsp at gmail.com>
Subject: [c-nsp] SecureACS Appliance & AD Authentication
Date: 26th February 2010
Time: 5:11:16


Hi everyone,

Figure this is as good a place as any to reach out and see if anyone has
some experience with this.

I'm currently debating whether I use LDAP or a Remote Agent for Windows with
my SecureACS Appliance to authenticate network users via AD. I've read
through the documentation a bit, but I still have a couple of questions:

- If I use the remote agent, is there a way I can only allow specific users
in an AD domain to log onto network devices? For obvious reasons I would not
want to allow each and every user in the domain to access my
routers/switches via SSH.
- Is there a method for doing this same restriction via LDAP?
- As a network admin with little/no access to the actual AD admin snap-in,
I'd much PREFER to have all of this in my control, with the exception of
obviously installing the Agent software on a member server if that's the
route we eventually go.

Thanks in advance.

-Ryan
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
