osloboy

asked on

AAA Functionality for CISCO Devices

Hi experts,

I have around 50 CISCO devices, including switches, routers, IDS, IPS and CISCO WORKS.

I want to achieve AAA.

What are the possible solutions (free and commercial)? I am already using LDAP for VPN users.

As far as I know, TACACS+ is Cisco proprietary; what else is there?
Ernie Beek

Well, of course you have LOCAL (but you don't want that for 50 devices :), RADIUS (which comes standard on, for example, Windows servers: IAS or NPS), SDI (RSA proprietary), LDAP (but you know that), NT domain (for use with older domains), Kerberos and HTTP form (can only be used for VPN user authentication).
Have a look at: http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/aaasetup.html#wp1280273
osloboy

ASKER

erniebeek:

Please give some more details, as the English is mixed up.

1) Kerberos and HTTP form (can only be used for VPN user authentication)???? Is it not recommended, or can we not use it at all?
Not quite, did you have a look at the link I provided? It shows a nice overview.
HTTP form can only be used for VPN user authentication, so that is all you can use it for.
Kerberos can be used for authentication of VPN users, firewall sessions and administrators, but not for authorization or accounting.
osloboy

ASKER

It's clear, thanks.

Just a layman's thought.

As TACACS+ is commercial, and in case of less $, what can be your second-best choice?
ASKER CERTIFIED SOLUTION
Ernie Beek
osloboy

ASKER

great
You're welcome, glad I could help :)

Thx for the points.