6376 Views, 20 Helpful, 8 Replies

ACS alternatives

tato386
Level 6

An ACS server is too pricey and overkill for our smallish network.  What alternatives do I have if I want my Microsoft AD to authenticate admin and/or privileged access to Cisco switches, routers and firewalls?

Thanks,

Diego


8 Replies

nspasov
Cisco Employee

Have you looked at Cisco ISE? It supports RADIUS, and if you just need device administration you can get the base licenses only.

If that is too expensive, you can look into using Microsoft's NPS, which comes free with certain versions of the Server software. But the interface and logging are nowhere near as nice as ISE/ACS.


Thank you for rating helpful posts!

Hello Neno,

I do have NPS Windows server available.  If I use this will I be able to use Windows AD groups to determine who can login to my Cisco devices? For example, I might want to limit Cisco logins to "Domain Admin" group or similar.

Rgds,

Diego

Hi Diego-

Absolutely you can use AD groups. Take a look at the link below:

http://aplustoccie.blogspot.com/2012/02/how-to-make-nps-your-radius.html


Thank you for rating helpful posts! 

Hi,

Just to add further, NPS (Windows) is a good alternative; check the links below for configuration:

http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/

http://www.petenetlive.com/KB/Article/0000685.htm

*******Do rate helpful links********************

Thanks guys.  Those are all excellent references.


Rgds,

Diego

Neno:

What about if I need to have two different router admin groups?  For instance, I need to set up HQ Router Admins and Branch Router Admins.  So if a member of Branch Router Admins connects to an HQ Router they are denied access, since they can only administer branch office routers.  At the same time I would like members of the HQ Router Admins to be able to admin any router in the enterprise.

I was hoping I could link specific RADIUS clients to specific network policies, but that doesn't seem to be available.  Any ideas?


Thanks,

Diego

Hi Diego. Good question but unfortunately I don't know the answer to it. With ACS and ISE it is pretty easy as you can create local NAD groups (locations, device type, etc). Then you can reference these groups in your AAA policies. 

I suspect something similar can be done in NPS but it will require some testing and poking around :) Look for a way to distinguish network devices when you are adding them as clients to NPS. 
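The HQ/Branch split Diego describes maps onto two NPS network policies that each combine a "Windows Groups" condition with a "Client Friendly Name" condition (a regular-expression match on the name given to the RADIUS client when it was registered in NPS). The script below is an added example, not NPS code and not anything posted in this thread; it models NPS's first-match evaluation of network policies (no match means Access-Reject, requests from unregistered clients are discarded) with constructed device names, users and group memberships, so the resulting access matrix can be checked before the policies are built in the console.

```python
"""Model of the HQ/Branch admin split on an NPS-style RADIUS policy engine.

Added example: not NPS code. It mimics how NPS walks network policies in
processing order (first full match wins, no match = reject) so the
two-group design can be reviewed as a table. Every name, address, user
and group below is constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed "RADIUS Clients" registrations: address -> friendly name.
# NPS does not answer requests from addresses that are not registered.
RADIUS_CLIENTS = {
    "10.0.0.1": "HQ-RTR-01",
    "10.0.0.2": "HQ-FW-01",
    "10.20.0.1": "BR-RTR-20",
    "10.30.0.1": "BR-RTR-30",
}

# Constructed AD group membership, as NPS would resolve it for each user.
AD_GROUPS = {
    "alice": {"Domain Users", "HQ Router Admins"},
    "bob": {"Domain Users", "Branch Router Admins"},
    "carol": {"Domain Users"},
}


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    windows_group: str      # NPS "Windows Groups" condition
    client_name_regex: str  # NPS "Client Friendly Name" condition (regex)
    priv_level: int         # returned as Cisco-AV-Pair shell:priv-lvl=N


# Processing order matters in NPS: the first policy whose conditions all
# match decides the request. The HQ policy matches every device name, the
# branch policy only names starting with "BR-". Branch admins hitting an HQ
# device match neither policy and therefore fall through to a reject.
POLICIES = [
    NetworkPolicy("HQ admins - all devices", "HQ Router Admins", r"^(HQ|BR)-", 15),
    NetworkPolicy("Branch admins - branch devices", "Branch Router Admins", r"^BR-", 15),
]


def evaluate(user: str, client_ip: str) -> dict:
    """Return the RADIUS outcome for an admin login coming from client_ip."""
    friendly_name = RADIUS_CLIENTS.get(client_ip)
    if friendly_name is None:
        return {"code": "Discard", "reason": "unknown RADIUS client"}
    groups = AD_GROUPS.get(user, set())
    for policy in POLICIES:
        if policy.windows_group in groups and re.search(policy.client_name_regex, friendly_name):
            return {
                "code": "Access-Accept",
                "policy": policy.name,
                # Attributes a Cisco IOS device uses to grant an exec shell
                # at the given privilege level.
                "attributes": {
                    "Service-Type": "NAS-Prompt-User",
                    "Cisco-AV-Pair": f"shell:priv-lvl={policy.priv_level}",
                },
            }
    # No network policy matched: NPS rejects the request.
    return {"code": "Access-Reject", "reason": "no matching network policy"}


def access_matrix() -> dict:
    """Every user against every registered device, for a quick review."""
    return {
        (user, name): evaluate(user, ip)["code"]
        for user in AD_GROUPS
        for ip, name in RADIUS_CLIENTS.items()
    }


if __name__ == "__main__":
    for (user, device), code in sorted(access_matrix().items()):
        print(f"{user:6} -> {device:10} {code}")
```

Two practical notes for the real NPS setup: the network policy has to allow PAP ("Unencrypted authentication"), because IOS login authentication over RADIUS sends the password as User-Password, and the device needs `aaa authorization exec` pointed at the RADIUS group for the returned `shell:priv-lvl` to take effect.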

Thank you Neno, I appreciate your input.

Diego