Hi,

Just a note on this one. Within our organisation we have a number of systems, FreeRADIUS etc., so we decided to consolidate and use Microsoft's Network Policy Server with RADIUS to authenticate against Active Directory. It's all built into 2008. You can set certain users or groups to have access to certain devices etc. We're using this against our 7200 series edge routers, core 3750 switches and numerous Cisco ASAs (anything that supports RADIUS). You can also set access times, which comes in handy for rancid. It's not everyone's cup of tea, being Microsoft, but it works well for us and we cannot fault it.
James Greig

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Alan Buxey
Sent: 26 February 2010 18:32
To: Ryan Lambert; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] SecureACS Appliance & AD Authentication

Personally I'd go for FreeRADIUS or Radiator RADIUS server for the backend policy/logic - both work well with AD and handle many EAP types, proxying etc.

--- original message ---
From: "Ryan Lambert" <thirdfrl....@gmail.com>
Subject: [c-nsp] SecureACS Appliance & AD Authentication
Date: 26th February 2010
Time: 5:11:16

Hi everyone,

Figure this is as good a place as any to reach out and see if anyone has some experience with this. I'm currently debating whether I use LDAP or a Remote Agent for Windows with my SecureACS Appliance to authenticate network users via AD. I've read through the documentation a bit, but I still have a couple of questions:

- If I use the remote agent, is there a way I can only allow specific users in an AD domain to log onto network devices? For obvious reasons I would not want to allow each and every user in the domain to access my routers/switches via SSH.
- Is there a method to doing this same restriction via LDAP?
- As a network admin with little/no access to the actual AD admin snap-in, I'd much PREFER to have all of this in my control, with the exception of obviously installing the Agent software on a member server if that's the route we eventually go.

Thanks in advance.
-Ryan
_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
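Editor's note (added example, not from any post in this thread): the device side of what James describes and Ryan asks about, i.e. a Cisco IOS router or switch handing SSH login authentication and exec authorization to an NPS RADIUS server, with the per-group/per-device restriction living in the NPS network policy rather than on the box. The server address 192.0.2.10, the server/group names, the group name DOMAIN\NetworkAdmins and the secrets are placeholders; the NPS conditions and attribute named in the comments (Windows Groups, Client Friendly Name, Day and Time Restrictions, and the Cisco vendor-specific attribute that sets the privilege level) are standard NPS/IOS RADIUS features, not something taken from the posters' configs.

```text
! --- Cisco IOS side (IOS 15.x "radius server" syntax; on older 12.x images
! --- use "radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ...")
aaa new-model
!
radius server NPS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>            ! placeholder; must match the RADIUS client entry in NPS
!
aaa group server radius NPS
 server name NPS-1
!
! Authenticate against NPS first. "local" is only consulted when every server
! in the group is unreachable, NOT when NPS returns an Access-Reject, so a
! rejected domain user cannot fall through to the local account.
aaa authentication login default group NPS local
!
! Exec authorization: the privilege level arrives from NPS in the
! Cisco-AVPair VSA (vendor 9, attribute 1) "shell:priv-lvl=15".
! Without it the user lands at level 1 and still needs the enable secret.
aaa authorization exec default group NPS local if-authenticated
aaa accounting exec default start-stop group NPS
!
! Break-glass account, used only when NPS is down (see note above).
username admin privilege 15 secret <local-secret>
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
!
! --- NPS side (per network policy, one per device class if access differs):
!   Conditions: Windows Groups        = DOMAIN\NetworkAdmins
!               Client Friendly Name  = the RADIUS client entries for this device class
!               Day and Time Restrictions (e.g. for the rancid service account)
!   Settings  : Vendor Specific -> Cisco (vendor code 9), attribute 1,
!               string "shell:priv-lvl=15"
```

Two checks worth doing before relying on this: confirm with `test aaa group NPS <user> <password> new-code` (IOS) that an account outside the allowed Windows group gets an Access-Reject rather than a fallback to `local`, and remember that RADIUS only obscures the password with the MD5-based scheme from RFC 2865, so the RADIUS traffic between the devices and NPS should stay on the management network, not cross untrusted segments.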