Authenticating against LDAP or Radius directly is indeed an option for some.
For others, that is too buggy and not fully supported or working for many authentication options. I have just spent a few days working with some configs I drummed up, and with TAC, to get LDAP authentication working for AD group membership directly to MS Active Directory via LDAP.
It's buggy and not always certain, to say the least.
What you have to realize is often AAA is more than just the first "A" (Authentication).
For command authorization and Accounting you are often forced into a Cisco Secure ACS model.
Many big companies (and smaller ones too) have different command sets available after authentication to different levels of administrators (do you really want your helpdesk guys having the "reload" command on certain routers? :)
While you can of course implement a basic policy using local privilege commands in IOS, there are still many reasons you would want an ACS server.
1. Time is money - how much valuable time are you and your organization going to spend getting things working that come pre-built into ACS (such as NAR, downloadable ACLs)?
I don't know about you, but about 1 week of my time is worth the price of an ACS server. How many weeks would a client want to wait for me to script together some things in FreeRADIUS, FreeTacacs or Active Directory before we realized it might not be possible to get all the functionality of ACS?
2. ACS decreases the complexity required to effect complex policies and changes to an organization - imagine how long it would take to change some command shell sets on 500 routers? Sure, you can fire off a script and see how that goes, but for some this is not an option (try telling your bosses at JP Morgan Chase bank you're going to change all their core routers with a shell script and see how long you last there).
In closing, LDAP authentication is an emerging option but not a proven one in many Cisco devices/appliances. But, like RADIUS, it is really just for a Yes/No answer, not a complex set of restrictions and lists of rules applied on the fly.
Of course I'm open to being proven wrong, but I have never seen anyone limit a user to a series of IOS commands using native authorization against RADIUS/LDAP to Active Directory.
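The two approaches the post contrasts, local privilege levels in IOS versus central per-command authorization with accounting from a TACACS+ server (the ACS model), side by side as an added IOS configuration example. This is an editor's illustration, not the poster's configuration; the server and group names, the 192.0.2.10 documentation address, the user names and the bracketed secrets are assumptions and placeholders.

```text
! Added example (not from the post). Placeholders are in angle brackets.

! --- Local-only baseline: "local privilege commands" ---
! Helpdesk users land at privilege 5 and get only the commands moved to
! level 5. "reload" stays at its default level 15, so they cannot run it.
username helpdesk privilege 5 secret <HELPDESK_PASSWORD_PLACEHOLDER>
username netadmin privilege 15 secret <ADMIN_PASSWORD_PLACEHOLDER>
privilege exec level 5 show ip interface brief
privilege exec level 5 show interfaces
privilege exec level 5 show version
privilege exec level 5 ping
privilege exec level 5 traceroute
! Changing this policy means touching every router; the post's point
! about 500 devices applies here.

! --- Central command authorization and accounting via TACACS+ ---
! Every command is sent to the server for a per-command yes/no decision,
! and every command is logged there (start-stop accounting), which is
! what RADIUS/LDAP alone do not give you.
aaa new-model
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key <TACACS_SHARED_SECRET_PLACEHOLDER>
aaa group server tacacs+ ACS-GROUP
 server name ACS-PRIMARY
aaa authentication login default group ACS-GROUP local
aaa authentication enable default group ACS-GROUP enable
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 1 default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
aaa authorization config-commands
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 1 default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
```

The trailing `local` keyword in the authorization lines is a fallback that is used only when no TACACS+ server answers, not when the server answers with a deny; in that fallback the local privilege levels above decide, so keep them sane rather than treating them as dead config. The command accounting records are the audit trail a SOC wants when investigating who ran what on a router.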
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: