

2461 Views, 4 Replies. Latest reply: May 3, 2012 3:34 AM by Daniel


RADIUS authentication vs Active Directory/LDAP restrict user access?

May 2, 2012 2:28 AM

Daniel 239 posts since
Jul 21, 2011



This question is probably off topic regarding Cisco, but is there a way to restrict which users have access to which switches globally?

I mean that in most configurations I see, *all* admins are put in the same AD-group and have their usernames/passwords authenticated against AD, with the same privileges.


Is there an easier way to restrict access down even further so that the users in the AD-group can authenticate and log in to the switch, but then filter the different "views" they have access to globally? I've seen this at some of the bigger ISPs, but they use stand-alone software to accomplish this. Is it possible to have global administration of the views and at the same time authenticate through AD/LDAP?


I have done extensive research on the topic but found no good information. Basically I just want RADIUS/AD authentication and access-views to be administered globally instead of per-device. The authentication is the easy part.


Any ideas are greatly appreciated!



  • Cristian F. Stoica 361 posts since
    Aug 7, 2011

    Daniel, you can use ACS with TACACS+ and pass the authentication to AD while still retaining control over the router commands.

  • Cristian F. Stoica 361 posts since
    Aug 7, 2011

    As far as I know, only TACACS+ is able to separate authentication from authorization, as this is what you're after, and, as a consequence, you have to use Cisco ACS for this. It allows you to implement SSO since it passes the authentication to AD, and then you can map the AD groups to privileges, commands, or views that you define in ACS for the authorization part. I think this is the most cost-effective solution, but, if the budget allows, you can implement TrustSec/ISE, which is a more granular (and expensive) solution based on 802.1X authentication.

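The device side of the TACACS+ approach described in the replies above, as an added example that is not part of the original thread: a Cisco IOS AAA configuration that sends login, exec and per-command authorization to a central server, so the AD-group-to-command-set mapping is maintained once on the server rather than per switch. The server name `ACS-1`, group name `ACS-SERVERS`, address `192.0.2.10` (documentation range), the fallback username and the angle-bracket secrets are assumed placeholders; the command sets themselves are defined on the ACS server and are not shown.

```cisco
! Added example, not from the original thread. Names, address and
! secrets are placeholders. Older IOS releases use the legacy form
! "tacacs-server host <ip> key <key>" instead of "tacacs server".
aaa new-model
!
tacacs server ACS-1
 address ipv4 192.0.2.10
 key <shared-secret-placeholder>
!
aaa group server tacacs+ ACS-SERVERS
 server name ACS-1
!
! Local account used only when no TACACS+ server answers.
username fallback-admin privilege 15 secret <local-secret-placeholder>
!
! Authentication: the server validates the credentials (it can pass
! them on to AD); fall back to the local database if it is unreachable.
aaa authentication login default group ACS-SERVERS local
!
! Authorization: the server decides the exec session attributes and
! permits or denies every command, based on the user's group mapping.
aaa authorization exec default group ACS-SERVERS local
aaa authorization commands 1 default group ACS-SERVERS local
aaa authorization commands 15 default group ACS-SERVERS local
! Also authorize commands entered in configuration mode.
aaa authorization config-commands
!
! Accounting: record each privileged command centrally for audit.
aaa accounting exec default start-stop group ACS-SERVERS
aaa accounting commands 15 default start-stop group ACS-SERVERS
!
line vty 0 4
 login authentication default
 transport input ssh
```

Keep a console session open while applying the authorization lines, since a server-side policy mistake denies commands immediately; the `local` fallback only takes effect when the server does not respond, not when it replies with a deny.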

