I'm involved in an enterprise deployment of Cisco SSL VPN and NAC. A little background info...
This SSL service will host the customer's own remote access as well as other partners. All partners will have Active Directory accounts within the customer's domain but will not be using laptops attached to the domain.
The customer is utilizing both SecurID and domain authentication to access the network.
I currently have the following configured:
- RSA SecurID Authentication
- LDAPS authentication against a Global Catalogue server on TCP/3269
- Authorization to the LDAP for group matching
Is there any advantage to using Kerberos authentication instead of LDAPS? To use Kerberos do the workstations need to be on the domain to authenticate?
I also have a requirement to use password management - users must be able to change their passwords upon expiry or when their password is reset. Can this be done with Kerberos? Speaking with Cisco, it doesn't appear to be possible with LDAP if I'm using a Global Catalogue server. Can this be confirmed?
Thanks for any help.
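As an added illustration (not from the original post or from Cisco), the following standard-library Python shows what an Active Directory password change looks like at the LDAP level and why the endpoint matters: the `unicodePwd` attribute must be written over a TLS-protected connection to a writable domain controller, and the Global Catalog ports (TCP/3268 and 3269) serve a read-only partial replica. The function and variable names are the example's own.

```python
"""Added example (not from the original post): how an AD password change
is carried over LDAP, and why a Global Catalog endpoint cannot serve it.
Pure standard library; no directory connection is made."""

# AD refuses unicodePwd writes over a cleartext connection, and the
# Global Catalog ports expose a read-only partial replica, so a
# self-service change must target a writable DC over LDAPS (636) or
# LDAP + StartTLS (389).  Port numbers are the standard Microsoft ones.
GLOBAL_CATALOG_PORTS = {3268, 3269}
LDAPS_PORT = 636
LDAP_PORT = 389


def unicode_pwd(password: str) -> bytes:
    """Encode a password the way AD's unicodePwd attribute expects it:
    the value wrapped in double quotes, then UTF-16LE without a BOM."""
    return f'"{password}"'.encode("utf-16-le")


def password_change_mods(old_password: str, new_password: str) -> list:
    """Build the two modifications of a user-initiated change: delete the
    old value and add the new one in a single LDAP modify operation.
    An administrative reset is instead a single 'replace' carrying only
    the new value, which does not verify the old password."""
    return [
        ("delete", "unicodePwd", [unicode_pwd(old_password)]),
        ("add", "unicodePwd", [unicode_pwd(new_password)]),
    ]


def check_password_change_target(port: int, tls: bool) -> str:
    """Return 'ok' if an endpoint can accept unicodePwd writes, otherwise
    the reason it cannot.  Use before wiring a VPN head-end's password
    management to a directory server."""
    if port in GLOBAL_CATALOG_PORTS:
        return "global catalog is read-only; use a writable DC on 636/389"
    if not tls:
        return "unicodePwd requires TLS; use LDAPS (636) or StartTLS on 389"
    return "ok"


if __name__ == "__main__":
    print(check_password_change_target(3269, True))
    print(check_password_change_target(636, True))
    for op, attr, values in password_change_mods("OldPw1", "NewPw2"):
        print(op, attr, values[0])
```

The same delete/add pair is what an LDAP client library sends on the wire; the Global Catalog check is the reason an authorization server on 3269 works for group matching but not for expiry-driven password changes.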