New Member

ACS alternatives

An ACS server is too pricey and overkill for our smallish network.  What alternatives do I have if I want my Microsoft AD to authenticate admin and/or privileged access to Cisco switches, routers and firewalls?

Thanks,

Diego

8 REPLIES
Cisco Employee

Have you looked at Cisco ISE? It supports RADIUS and if you just need device administration you can get the base licenses only.

If that is too expensive, you can look into using Microsoft's NPS which would come free with certain versions of the Server software. But the interface and logging are nowhere near as nice as ISE/ACS.

Thank you for rating helpful posts!
New Member

Hello Neno,

I do have NPS Windows server available. If I use this will I be able to use Windows AD groups to determine who can log in to my Cisco devices? For example, I might want to limit Cisco logins to "Domain Admin" group or similar.

Rgds,

Diego

Cisco Employee (accepted solution)

Hi Diego-

Absolutely you can use AD groups. Take a look at the link below:

http://aplustoccie.blogspot.com/2012/02/how-to-make-nps-your-radius.html

Thank you for rating helpful posts!
Silver

Hi,

Just to add further, NPS (Windows) is a good alternate; check the links for configuration:

http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/

http://www.petenetlive.com/KB/Article/0000685.htm

*******Do rate helpful links********************

New Member

Thanks guys.  Those are all excellent references.

Rgds,

Diego

New Member

Neno:

What about if I need to have two different router admin groups?  For instance I need to set up HQ Router Admins and Branch Router Admins.  So if a member of Branch Router Admins connects to a HQ Router they are denied access since they can only administer branch office routers.  At the same time I would like members of the HQ Router Admins to be able to admin any router in the enterprise.

I was hoping I could link specific RADIUS clients to specific network policies but that doesn't seem to be available.  Any ideas?

Thanks,

Diego

Cisco Employee

Hi Diego. Good question but unfortunately I don't know the answer to it. With ACS and ISE it is pretty easy as you can create local NAD groups (locations, device type, etc). Then you can reference these groups in your AAA policies. 

I suspect something similar can be done in NPS but it will require some testing and poking around :) Look for a way to distinguish network devices when you are adding them as clients to NPS. 

Thank you for rating helpful posts!
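
The HQ/branch split asked about above can be checked on paper before it is built. This is an added example, not code from any poster in this thread: it models NPS network policies as an ordered list where the first policy whose conditions all match decides, using the Windows Groups and Client Friendly Name conditions. The router naming convention (HQ-RTR-*, BR-RTR-*), the sample users and the Python model itself are constructed assumptions; the group names come from the question.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    group: str           # AD group required (NPS "Windows Groups" condition)
    client_pattern: str  # regex on the RADIUS client's friendly name
    grant: bool


# Constructed convention: HQ routers are added to NPS as HQ-RTR-*, branch as BR-RTR-*.
# Patterns are anchored so a name like "LAB-HQ-RTR-01" cannot match by accident.
POLICIES = [
    Policy("HQ admins, any router", "HQ Router Admins", r"^(HQ|BR)-RTR-", True),
    Policy("Branch admins, branch routers", "Branch Router Admins", r"^BR-RTR-", True),
]


def evaluate(user_groups, client_name, policies=POLICIES):
    """Return (granted, matching policy name); first full match wins, no match denies."""
    for p in policies:
        if p.group in user_groups and re.search(p.client_pattern, client_name):
            return p.grant, p.name
    return False, None


def access_matrix(users, clients, policies=POLICIES):
    """Map every (user, client) pair to the accept/reject decision."""
    return {(u, c): evaluate(groups, c, policies)[0]
            for u, groups in users.items() for c in clients}


# Constructed sample users and RADIUS client names.
USERS = {
    "alice": {"HQ Router Admins"},
    "bob": {"Branch Router Admins"},
    "carol": {"Domain Users"},
}
CLIENTS = ["HQ-RTR-01", "BR-RTR-07", "HQ-SW-02"]

if __name__ == "__main__":
    for (user, client), ok in sorted(access_matrix(USERS, CLIENTS).items()):
        print(f"{user:6} {client:10} {'ACCEPT' if ok else 'REJECT'}")
```

Replacing the branch pattern with an unanchored `RTR` shows the failure mode to watch for: branch admins would then match HQ routers as well.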
New Member

Thank you Neno, I appreciate your input.

Diego
