Cisco Secure ACS vs Windows IAS

Answered Question
Jun 24th, 2007

Hi All,


I need to deploy an AAA solution for the following situations.


1) Remote access via Cisco VPN Clients.

2) AAA for wireless Windows PCs in remote locations

3) AAA for Cisco switches and Routers in remote locations

4) Authentication against a Windows domain


The Windows IAS solution would be virtually free as we already have Windows 2003 domain controllers at each remote site. However, Cisco Secure ACS could also be an option. Does anyone have experience in both of these?


What are the positives/negatives of each, and the limitations?


Does anyone have any information on case studies, etc. comparing the two?


Your help is greatly appreciated.


Kind Regards,


Andy


PS: There is a limitation in Windows 2003 Standard edition that limits the number of RADIUS clients to 50. Although we have more than 50 potential clients in the company, no site has more than 50 in total.


Overall Rating: 4.5 (2 ratings)
JBDanford2002 Sun, 06/24/2007 - 14:12

Here is a comparison of TACACS and RADIUS.


http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/secsols/aaasols/c262c1.htm



I have used both. The most convenient in the past for me was RADIUS. This was because users could authenticate via AD and new accounts would not have to be created and additional software purchase was not required. TACACS is more secure and can give finer control over Cisco device authorization and accounting. RADIUS is probably the easiest to set up and deploy if you have existing servers in place. If you have more than one server you could configure redundancy. Again, less cost for user authentication. For asset management I would use TACACS because of the authorization features not given by RADIUS.
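
To make the authorization difference described in the reply above concrete for scenario 3 (switches and routers), here is an added Cisco IOS configuration sketch; it is not from any poster in this thread. The server addresses (192.0.2.0/24 documentation range), the shared secrets and the local username are placeholders, and the two options are alternatives for the `default` method lists, not meant to be applied together.

```cisco
! Constructed example: addresses, keys and the local username are placeholders.
aaa new-model
! Local fallback account, used only when no AAA server responds
username fallback-admin privilege 15 secret <LOCAL-FALLBACK-SECRET>
!
! --- Option A: RADIUS server (for example Windows IAS) ---
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <RADIUS-SHARED-SECRET>
aaa authentication login default group radius local
! EXEC authorization: the server returns a privilege level at login
! (for example the Cisco AV-pair shell:priv-lvl=15); once logged in,
! the user's individual commands are not checked against the server.
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
!
! --- Option B: TACACS+ server (for example Cisco Secure ACS) ---
tacacs-server host 192.0.2.20 key <TACACS-SHARED-SECRET>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Per-command authorization and accounting: each privilege-15 command
! is sent to the server for a permit/deny decision and is logged.
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
```

With Option A, device access control ends at the privilege level granted at login; Option B adds the per-command permit/deny decisions and command-level audit trail that the reply refers to as TACACS authorization and accounting features.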

Correct Answer
rochopra Mon, 06/25/2007 - 04:22
User Badges: Cisco Employee

With MS IAS you can implement a solution only using the RADIUS protocol.

ACS will provide you functionality to use RADIUS as well as TACACS.


Looking at the 4 solutions you want to implement, only the 3rd solution will be a bit easier using TACACS, but again that is not something which you cannot implement using RADIUS.


About the RADIUS client limitation, ACS provides you a big database which you can use for clients, so limitation of 50 clients. Plus a lot many features you will love to incorporate in your network like NAP/NAC implementation made easier.


So you have to check if you have the required budget you can go for ACS, else IAS can work well for all the solutions (except the RADIUS client limitation, for which I'm sure MS can provide you some workaround).


The following link can help you with sales information for ACS:

http://wwwin-nmbu.cisco.com/thevault/files/1027/5/ACS4.1-Sales-Guide%20April%204%202007.htm

serotonin888 Mon, 07/02/2007 - 03:16

Thanks to all for the replies. They were both very helpful. I have decided to run an evaluation into the suitability of using Windows IAS for authentication of VPN users.


Of course I'd love to implement ACS but I cannot justify the expense (at present).


Cheers


Andy
