06-02-2014 12:55 PM - edited 03-10-2019 09:45 PM
An ACS server is too pricey and overkill for our smallish network. What alternatives do I have if I want my Microsoft AD to authenticate admin and/or privileged access to Cisco switches, routers and firewalls?
Thanks,
Diego
06-02-2014 02:24 PM
Have you looked at Cisco ISE? It supports RADIUS, and if you just need device administration you can get the base licenses only.
If that is too expensive, you can look into using Microsoft's NPS, which comes free with certain versions of the Server software. But the interface and logging are nowhere near as nice as ISE/ACS.
Thank you for rating helpful posts!
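For readers who want the device side of the NPS suggestion above, here is an added example of a Cisco IOS AAA configuration that authenticates and authorizes management logins against an NPS RADIUS server with local fallback. It is not from the thread or any of the linked guides, and the server address, key and local account name are placeholders that you would replace with your own values. It assumes the NPS network policy returns the Cisco vendor-specific attribute Cisco-AVPair with value shell:priv-lvl=15 for members of the permitted AD group, so that they land directly in privileged EXEC.

```cisco
! Added example (not from the thread): IOS AAA pointing at an NPS RADIUS server
aaa new-model

! Local fallback account, used only when every RADIUS server is unreachable
username localadmin privilege 15 secret REPLACE-WITH-STRONG-SECRET

! Define the NPS server (placeholder address and shared secret)
radius server NPS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET

! Group the server(s) so the method lists can reference them
aaa group server radius NPS
 server name NPS-1

! Source RADIUS traffic from a stable address; this must match the
! RADIUS client entry on NPS or the request is silently dropped
ip radius source-interface Loopback0

! Login: try NPS first, fall back to the local database if it does not answer
aaa authentication login default group NPS local

! EXEC authorization: privilege level comes from shell:priv-lvl in the reply;
! "if-authenticated" lets a locally authenticated fallback user still get a shell
aaa authorization exec default group NPS local if-authenticated

! Send session accounting to NPS so logins appear in its log
aaa accounting exec default start-stop group NPS

! Restrict management to SSH and apply the default method lists
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 accounting exec default
```

Two checks worth doing after applying this: confirm with "debug radius" (in a maintenance window) that the Access-Accept carries the Cisco-AVPair, and test that a user who is not in the allowed AD group receives an Access-Reject rather than an Accept with no privilege level. RADIUS does not support per-command authorization on IOS, so if you need command-level control you still need TACACS+.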
06-03-2014 10:38 AM
Hello Neno,
I do have NPS Windows server available. If I use this will I be able to use Windows AD groups to determine who can login to my Cisco devices? For example, I might want to limit Cisco logins to "Domain Admin" group or similar.
Rgds,
Diego
06-03-2014 10:57 AM
Hi Diego-
Absolutely you can use AD groups. Take a look at the link below:
http://aplustoccie.blogspot.com/2012/02/how-to-make-nps-your-radius.html
Thank you for rating helpful posts!
06-04-2014 12:40 AM
Hi,
Just to add further, NPS (Windows) is a good alternative; check the links below for configuration:
http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
http://www.petenetlive.com/KB/Article/0000685.htm
*******Do rate helpful links********************
06-04-2014 05:03 AM
Thanks guys. Those are all excellent references.
Rgds,
Diego
06-18-2014 09:12 PM
Neno:
What about if I need to have two different router admin groups? For instance, I need to set up HQ Router Admins and Branch Router Admins. So if a member of Branch Router Admins connects to an HQ Router they are denied access, since they can only administer branch office routers. At the same time I would like members of the HQ Router Admins to be able to admin any router in the enterprise.
I was hoping I could link specific RADIUS clients to specific network policies, but that doesn't seem to be available. Any ideas?
Thanks,
Diego
06-19-2014 11:48 PM
Hi Diego. Good question but unfortunately I don't know the answer to it. With ACS and ISE it is pretty easy as you can create local NAD groups (locations, device type, etc). Then you can reference these groups in your AAA policies.
I suspect something similar can be done in NPS but it will require some testing and poking around :) Look for a way to distinguish network devices when you are adding them as clients to NPS.
06-20-2014 04:06 AM
Thank you Neno, I appreciate your input.
Diego