• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2074
  • Last Modified:

Cisco ASA - LDAP versus Radius

If the decision needs to be taken to choose between the integration of Cisco's ASA with either the Windows 2003 based LDAP which is on the inside interface or an NPS/IAS configured on Windows 2003/ 2008 member server to emulatate 802.1x (radius) authentication, what should be the deciding factors based upon, ease of configuration, security and future scalability?

Pls advise!!
  • 3
1 Solution
Microsoft NPS/IAS has this benefits:

- is a implicit trusted object in active directory and the configuration is simple
- is best for scalability because is a centralized object
- is natively ready for NAC/NAP future implementation
- simplify jobs for systems administrators (infrastructure backup,generic troubleshooting)
fahimAuthor Commented:
Thanks for the reply marc.

Need to undertsand the first two points a bit more.

If we maintain that IAS has an implicit trust in AD then so is the secure-LDAP connection to my AD. The part of configuration is simple with IAS is udnerstandable.

Also, pls explain the part about 'best for scalability' because of being a centralised object?

Does opening up of an sLDAP port via my firewall to my Domain controller has it's security hazards?

Also, would it be a good scenario to configure IAS/NPS on my domain controllers for easy access to 'GC' vis a vis creating it's own member server in the Domain?

I have not time to reply in this moment. I reply this night. thaNKS . bYE
the term centralized object is an improper term for published object in active direcctory.

ias is a member server in a domain and not a phisical switch so it is more flexible because gain all the advantages of domain membership and very well documented disaster recovery.

 With ias in radius proxy configuration you may add radius servers without change the network (phisical switch) configuration.

Insert a second IAS in a domain is a very simple operation.

Troubleshooting of ias in windows server environment benefits of a lot of advance tools,graphical interface and a very great support (ms technet). Many network vendors permit advance config only via command line.

With ias you can use ipsec to secure communications with dc in native environment.

in a very secure environment with pki you can benefit of ad full integration and certificate autoenrollment feature.

My suggestion is to use ias/nps as a radius for 802.1x purposes.


Featured Post

Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now