An ACS server is too pricey and overkill for our smallish network. What alternatives do I have if I want my Microsoft AD to authenticate admin and/or privileged access to Cisco switches, routers and firewalls?
Have you looked at Cisco ISE? It supports RADIUS, and if you just need device administration you can get the base licenses only.
If that is too expensive, you can look into using Microsoft's NPS, which comes free with certain versions of the Server software. But the interface and logging are nowhere near as nice as ISE/ACS.
Thank you for rating helpful posts!
I do have NPS Windows server available. If I use this will I be able to use Windows AD groups to determine who can login to my Cisco devices? For example, I might want to limit Cisco logins to "Domain Admin" group or similar.
Just to add further, NPS (Windows) is a good alternative; check the link for configuration.
*******Do rate helpful links********************
What about if I need to have two different router admin groups? For instance, I need to set up HQ Router Admins and Branch Router Admins. So if a member of Branch Router Admins connects to an HQ Router they are denied access, since they can only administer branch office routers. At the same time I would like members of the HQ Router Admins to be able to admin any router in the enterprise.
I was hoping I could link specific RADIUS clients to specific network policies, but that doesn't seem to be available. Any ideas?
Hi Diego. Good question but unfortunately I don't know the answer to it. With ACS and ISE it is pretty easy as you can create local NAD groups (locations, device type, etc). Then you can reference these groups in your AAA policies.
I suspect something similar can be done in NPS but it will require some testing and poking around :) Look for a way to distinguish network devices when you are adding them as clients to NPS.
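As an added example (not part of the thread, and not Cisco's or Microsoft's own documentation), here is a minimal IOS AAA configuration that sends VTY logins to an NPS server over RADIUS and keeps local accounts as a fallback for when NPS is unreachable. The server address, shared secret, account names and policy names are placeholders; the trailing comments describe the NPS-side policies for the HQ/Branch split, which goes beyond what the thread states and relies on the RADIUS client friendly name as the distinguishing property.

```cisco
! Added example: Cisco IOS router authenticating VTY logins against Microsoft NPS.
! Placeholders: NPS address 10.0.0.10, the shared secret, and all names.
aaa new-model
!
! Define the NPS server and put it in a server group.
radius server NPS1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key CHANGE-ME-SHARED-SECRET
!
aaa group server radius NPS
 server name NPS1
!
! Named method lists: try NPS first, then the local user database only if
! no RADIUS server answers, so a dead NPS box does not lock you out.
! (A rejection from NPS is final; the fallback is for timeouts, not denials.)
aaa authentication login VTY group NPS local
aaa authorization exec VTY group NPS local if-authenticated
aaa accounting exec VTY start-stop group NPS
!
! Emergency local account, used only when NPS is unreachable.
username breakglass privilege 15 secret CHANGE-ME-LOCAL-PASSWORD
!
line vty 0 4
 login authentication VTY
 authorization exec VTY
 accounting exec VTY
 transport input ssh
!
! NPS side (set in the NPS console, not on the router):
!  - Register each router as a RADIUS client with the same shared secret,
!    giving it a friendly name that encodes its site (e.g. HQ-RTR-01, BR-RTR-01).
!  - Network policy "HQ Router Admins": condition Windows Groups =
!    DOMAIN\HQ Router Admins, with no client condition, so it matches any router.
!  - Network policy "Branch Router Admins": conditions Windows Groups =
!    DOMAIN\Branch Router Admins AND Client Friendly Name matching the pattern
!    BR-.*, so a branch admin logging in to an HQ router matches no policy
!    and is rejected.
!  - Both policies return Service-Type = Login and the Cisco vendor-specific
!    attribute Cisco-AV-Pair = "shell:priv-lvl=15" for enable-level access.
```

Verify the fallback path once with the NPS server deliberately unreachable, and check the NPS event log (and the router's `show aaa servers` counters) to confirm that denials are being logged rather than silently timing out.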