AAA Functionality for Cisco Devices

Posted on 2011-10-06
Medium Priority
Last Modified: 2012-05-12
Hi experts,

I have around 50 Cisco devices, including switches, routers, IDS, IPS and CiscoWorks.

I want to achieve AAA.

What possible solutions (free and commercial) are there? I am already using LDAP for VPN users.

As far as I know, TACACS+ is Cisco proprietary; what else is there?
Question by:osloboy
LVL 35

Expert Comment

by:Ernie Beek
ID: 36923325
Well, of course you have LOCAL (but you don't want that for 50 devices :), RADIUS (which comes standard on, for example, Windows servers: IAS or NPS), SDI (an RSA proprietary), LDAP (but you know that), NT domain (for use with older domains), Kerberos and HTTP form (can only be used for VPN user authentication).
Have a look at: http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/aaasetup.html#wp1280273

Author Comment

ID: 36927529

Please give some more details, as the English is mixed up.

1) Kerberos and HTTP form (can only be used for VPN user authentication)???? Is it not recommended, or can we not use it at all?
LVL 35

Expert Comment

by:Ernie Beek
ID: 36927601
Not quite. Did you have a look at the link I provided? It shows a nice overview.
HTTP form can only be used for VPN user authentication, so that is all you can use it for.
Kerberos can be used for authentication of VPN users, firewall sessions and administrators, but not for authorization or accounting.

Author Comment

ID: 36930127
It's clear, thanks.

Just a layman's thought.

As TACACS+ is commercial, and in case of less $, what would be your second-best choice?
LVL 35

Accepted Solution

Ernie Beek earned 2000 total points
ID: 36930143
I'd say RADIUS. That gives you the most options and it is built into Windows servers: IAS (2003) or NPS (2008). So no need for extra $$ :)
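To show what the RADIUS route from the accepted answer looks like on the device side, here is an added example of an IOS AAA configuration (not posted by anyone in this thread): two RADIUS servers such as Windows NPS in a server group, with local fallback so the device stays manageable if both servers are unreachable. The server addresses, shared secrets, the local account and the loopback interface are placeholders.

```cisco
! Added example, not from the thread: IOS (15.x syntax) AAA against
! a RADIUS group with local fallback. All addresses, keys and names
! below are placeholders to be replaced.
aaa new-model
!
! Local emergency account; only consulted when no RADIUS server answers
username admin-local privilege 15 secret <STRONG-LOCAL-PASSWORD>
!
! Named RADIUS server objects (e.g. two NPS servers) collected in a group
radius server NPS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-1>
radius server NPS-2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-2>
aaa group server radius NPS
 server name NPS-1
 server name NPS-2
!
! Source RADIUS traffic from a stable management address so the
! NPS client entry can be locked to one IP
ip radius source-interface Loopback0
!
! Authentication: try the RADIUS group first, fall back to the local
! database only if the group is unreachable (not on a rejected login)
aaa authentication login default group NPS local
! Authorization: privilege level comes from RADIUS (Cisco-AVPair
! shell:priv-lvl=15 on the NPS network policy), local as fallback
aaa authorization exec default group NPS local
aaa authorization console
! Accounting: log exec session start/stop to RADIUS
aaa accounting exec default start-stop group NPS
!
line vty 0 4
 transport input ssh
 login authentication default
```

Two caveats worth knowing before choosing RADIUS over TACACS+ for device administration: per-command authorization and command accounting are TACACS+ features, so with RADIUS you get "all-or-nothing" privilege levels rather than command-level control; and RADIUS encrypts only the password attribute with the shared secret, so it should run over a dedicated management network. The `local` keyword at the end of each method list is what prevents a lock-out when the RADIUS servers are down, and it is worth verifying that path (for example with `test aaa group NPS <user> <password> new-code` and `debug aaa authentication`) before you rely on it.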

Author Closing Comment

ID: 36930379
LVL 35

Expert Comment

by:Ernie Beek
ID: 36930405
You're welcome, glad I could help :)

Thanks for the points.
