cisco aaa/windows radius server

I have used TACACS+ for AAA for Cisco Equipment. I'm thinking about moving AAA it to a Windows Radius server. Does anyone have any experience on this, and is this a good idea?
ShadowColossusAsked:
Who is Participating?
 
rauenpcConnect With a Mentor Commented:
Radius might be able to do that, but tacacs is much better suited to authorize command sets.
0
 
rauenpcCommented:
I mostly use Radius, and it works just as well as TACACS+, although there are differences in what you can all do.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

It can be simple pass/fail user authentication for VPN/SSH, or it can even pass back information to specify which vpn group-policy should be applied to a user based on AD group membership. There are many other scenarios, but in the end it will be up to you to do your due diligence to research Radius with the features you are looking to achieve.
0
 
gcl_hkCommented:
As my understanding, TACACS authorization can do more flexible on restriction. for example, user A able to apply "shutdown" command and user B does not. (its just an example, actually can restrict a list of command)

Please correct me if I am wrong.
0
 
ShadowColossusAuthor Commented:
My setup for TACACS+ is used for AAA. So under authorization I do have an "acl" that permits what commands can be entered by certain users. I also have accounting which collects which commands entered by a user. I'm not familiar if Windows Radius can perform these task.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.