I recently implemented Downloadable Access Lists for VPN users in our Cisco PIX & IAS (Internet Authentication Service). We have an AD domain, VPN users are authenticating against AD Integrated IAS and according to windows group membership, they get their ACLs that are defined in AV Pairs.Works great.
Now I want to implement AAA for our inside interface clients, achieve results similar to above. Want to restrict traffic flow by Active Directory Users or Active Directory Groups. To remind, not for VPN users!, want to implement for users located in inside interface accessing resources on outside or DMZ interface.
The question is, is IAS alone enough? Or should I install TACACS and disable IAS? Or should I implement CSACS?