Cisco ASA - LDAP versus Radius

Posted on 2010-01-08
Medium Priority
Last Modified: 2013-12-19
If the decision needs to be taken to choose between the integration of Cisco's ASA with either the Windows 2003 based LDAP which is on the inside interface or an NPS/IAS configured on a Windows 2003/2008 member server to emulate 802.1x (RADIUS) authentication, what should the deciding factors be based upon: ease of configuration, security and future scalability?

Pls advise!!
Question by: fahim

Expert Comment

ID: 26263472
Microsoft NPS/IAS has these benefits:

- it is an implicitly trusted object in Active Directory and the configuration is simple
- it is best for scalability because it is a centralized object
- it is natively ready for a future NAC/NAP implementation
- it simplifies jobs for systems administrators (infrastructure backup, generic troubleshooting)

Author Comment

ID: 26268727
Thanks for the reply marc.

Need to understand the first two points a bit more.

If we maintain that IAS has an implicit trust in AD, then so does the secure-LDAP connection to my AD. The part about configuration being simple with IAS is understandable.

Also, pls explain the part about 'best for scalability' because of being a centralised object?

Does opening up an sLDAP port via my firewall to my domain controller have its security hazards?

Also, would it be a good scenario to configure IAS/NPS on my domain controllers for easy access to the 'GC', vis-à-vis creating its own member server in the domain?


Expert Comment

ID: 26269058
I have no time to reply at this moment. I will reply tonight. Thanks. Bye.

Accepted Solution

marcokrecic earned 2000 total points
ID: 26272687
The term "centralized object" is an improper term for a published object in Active Directory.

IAS is a member server in a domain and not a physical switch, so it is more flexible because it gains all the advantages of domain membership and very well documented disaster recovery.

With IAS in a RADIUS proxy configuration you may add RADIUS servers without changing the network (physical switch) configuration.

Inserting a second IAS in a domain is a very simple operation.

Troubleshooting of IAS in a Windows Server environment benefits from a lot of advanced tools, a graphical interface and very great support (MS TechNet). Many network vendors permit advanced config only via the command line.

With IAS you can use IPsec to secure communications with the DC in a native environment.

In a very secure environment with PKI you can benefit from full AD integration and the certificate autoenrollment feature.

My suggestion is to use IAS/NPS as a RADIUS server for 802.1x purposes.
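For reference, this is what the two integration choices discussed in the question and the accepted answer look like on the ASA itself. It is an added illustration, not configuration posted by the asker or the expert: the server group names, the 10.0.0.x addresses, the example.com base DN, the bind account and the tunnel-group name are placeholders. The first group binds the ASA directly to the domain controller over LDAPS (TCP 636) with a dedicated low-privilege service account, which is the "open an sLDAP port to the DC" option; the second hands authentication to NPS/IAS over RADIUS (UDP 1812/1813) with a shared secret, so only the RADIUS server needs to reach the DC. Either group is then referenced from the tunnel group in the same way.

```text
! --- Option 1: ASA -> Active Directory directly over LDAPS (TCP 636) ---
! Placeholders: 10.0.0.10 is the DC on the inside interface, example.com the AD
! domain, asa-ldap-bind a dedicated read-only account used only for this bind.
aaa-server AD-LDAPS protocol ldap
aaa-server AD-LDAPS (inside) host 10.0.0.10
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>

! --- Option 2: ASA -> NPS/IAS over RADIUS (UDP 1812/1813) ---
! Placeholders: 10.0.0.20 is the NPS/IAS member server; the shared secret must
! match the RADIUS client entry created for the ASA on the NPS/IAS side.
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.0.0.20
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! Point a remote-access tunnel group at whichever server group was chosen
! (swap NPS-RADIUS for AD-LDAPS to use the direct LDAPS integration instead).
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group NPS-RADIUS

! Check the server group from the ASA CLI with a test account before going live:
! test aaa-server authentication NPS-RADIUS host 10.0.0.20 username testuser password <placeholder>
```

Keeping the LDAP bind account read-only and specific to the ASA limits what is exposed by the LDAPS path, while the RADIUS path keeps the domain controller's ports closed to the firewall entirely; with either choice, the `test aaa-server` check confirms reachability and credentials without involving a production user.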

