Alternatives to Cisco ACS

spiderjericho (Weaksauce; joined Nov 18, 2010; 85 messages)
Just like the title states. Anyone have any opinions/insight on centralized remote management systems?
 
ACS isn't centralized remote management. It's authorization, authentication and accounting. What are your goals? That will determine which other products are relevant to you. Do you need TACACS? RADIUS? You looking for mostly command auth, or accounting? Etc...
 
Looking for AAA. But I wouldn't mind using a comparative RADIUS solution.

Also, isn't using ACS a way to centrally manage the accounts your network engineers use to access network equipment like routers, switches, firewalls, etc?
 
> Looking for AAA. But I wouldn't mind using a comparative RADIUS solution.
>
> Also, isn't using ACS a way to centrally manage the accounts your network engineers use to access network equipment like routers, switches, firewalls, etc?

Yes, but RADIUS does the same thing.
Are you running any Windows servers? I have a step by step on my blog (with screenshots) here that details exactly how to set up NPS on 2008 R2 and then part 2 shows you how to set it up on the Cisco switch/router.

Part 1 : Use RADIUS to manage Cisco Devices
Part 2 : Cisco RADIUS Setup
 
> Looking for AAA. But I wouldn't mind using a comparative RADIUS solution.
>
> Also, isn't using ACS a way to centrally manage the accounts your network engineers use to access network equipment like routers, switches, firewalls, etc?

It is, somewhat. Most of the time you'd point ACS at AD for account management. You're simply configuring policy in ACS/TACACS to determine command sets and access.
 
> Yes, but RADIUS does the same thing.
> Are you running any Windows servers? I have a step by step on my blog (with screenshots) here that details exactly how to set up NPS on 2008 R2 and then part 2 shows you how to set it up on the Cisco switch/router.
>
> Part 1 : Use RADIUS to manage Cisco Devices
> Part 2 : Cisco RADIUS Setup

I wouldn't say RADIUS does the same thing. You can definitely use it for authentication, but you can get much, much more granular for authorization when using TACACS.
 
ACS is great for RADIUS and TACACS. I used it for PEAP authentication (with a server cert) for wireless authentication too. If all you need is AAA, then Windows 2008 NPS will work. If you want to step it up a notch, I believe the Cisco replacement is ISE, but that does a WHOLE lot more and has the price to match.
 
Guys, I appreciate all of your responses. I don't think I explained the reason for my question. I have a school assignment where you have a scenario/problem, recommend an IT solution and discuss a project to implement it.

So the scenario (real life) is: I have a technical school environment, about 25 classrooms, 1,100+ students. We have 55 Catalyst switches and 3 ISRs. It's such a pain to do remote administration, especially with personnel changes, as you have to remotely or physically go to each device and create accounts, change passwords, etc.

I personally think it would be easier to have an ACS hosted on ESX to lighten the load. And all we would leave on the devices is an admin account in case of emergencies/loss of connectivity to the ACS and possibly a guest.

But I can't just come up with ACS, I need alternatives. I appreciate all of the answers.

Also, is Cisco discontinuing ACS with version 5.3? Is ISE the replacement (as well as all the hubbub for mobile devices included with it)?
 
ISE will eventually replace ACS, but not for a while. It only does RADIUS right now. TACACS is on the roadmap.
 
Other notes about the network, we currently use telnet and Windows Command Line to access devices.

I want to move toward SSH and using PuTTY or Tera Term (or another alternative).

My management options are Active Directory 2008 R2 with:

ACS 5.3
FreeRADIUS
ISE
Microsoft NPS

Anyone know the general price for ISE? I looked on CDW and the cost for a base license to manage 100 devices was $360 + $4,000 to create a virtual appliance + Smartnet contract.

A Red Hat Server will be used as the SFTP server to back up and upgrade IOS. Haven't quite figured out the logging server piece.
 
> So the scenario (real life) is: I have a technical school environment, about 25 classrooms, 1,100+ students. We have 55 Catalyst switches and 3 ISRs. It's such a pain to do remote administration, especially with personnel changes, as you have to remotely or physically go to each device and create accounts, change passwords, etc.
>
> And all we would leave on the devices is an admin account in case of emergencies/loss of connectivity to the ACS and possibly a guest.
>
> My management options are Active Directory 2008 R2 with:
>
> Microsoft NPS


I highly suggest you read my first post. I also work for a school district and my step by step guide is custom tailored for exactly what you want to do.
 
Sorry to bump the thread. So I was able to test NPS in a lab with GNS3/VirtualBox. And it worked; however, I was curious about the security of utilizing it.

cyr0n_k0r, one of your configuration steps says to just use unencrypted PAP/SPAP. Do you feel like using these protocols would be secure in a live environment?

Versus using ACS, which uses TACACS+ and encrypts the traffic, what advantages do you see your solution having?

Having said that, ACS isn't cheap ($7,000 + all the additional SMARTNET and other licensing).
 
> cyr0n_k0r, one of your configuration steps says to just use unencrypted PAP/SPAP. Do you feel like using these protocols would be secure in a live environment?

I haven't seen any issues.
An attacker would need physical access to our network closets, or be able to exploit the network via VLAN Hopping which we mitigate using the methods suggested in the article.
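To make the "unencrypted PAP" question concrete, here is an added example (written for this thread, not taken from cyr0n_k0r's guide, NPS, ACS or any other product) that builds a RADIUS Access-Request the way a switch would send it to NPS, hides the PAP password exactly as RFC 2865 section 5.2 prescribes, and then plays the server side that unhides it and answers with an Access-Accept or Access-Reject carrying a Response Authenticator. The shared secret, username, password and NAS address are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)

# Constructed sample values; none of these come from the thread or the blog guide.
SHARED_SECRET = b"example-nas-secret"
USER_DB = {b"netadmin": b"S3cure-Pa55"}  # PAP means the server must hold (or check) the plaintext


def _pad16(password: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets, minimum one block (RFC 2865 s5.2)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    return password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")


def encode_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """PAP 'hiding': each 16-byte block is XORed with MD5(secret + previous block)."""
    padded = _pad16(password)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def decode_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """The inverse: anyone holding the secret and the packet gets the plaintext back."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be 1..8 blocks of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute encoding; length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Walk the TLV list, refusing lengths that would run past the packet."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + attr_len]
        i += attr_len
    return attrs


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: bytes = bytes([10, 0, 0, 1])) -> bytes:
    """NAS (switch) side: the Request Authenticator must be unpredictable; it seeds the hiding."""
    request_authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, nas_ip))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_authenticator + attrs


def handle_access_request(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side: unhide the password, compare it, reply with Accept or Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < HEADER_LEN:
        raise ValueError("not a well-formed Access-Request")
    request_authenticator = packet[4:HEADER_LEN]
    attrs = parse_attributes(packet[HEADER_LEN:length])
    username, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    granted = False
    if username in user_db and hidden:
        try:  # a wrong shared secret unhides to garbage, which simply fails to match
            granted = hmac.compare_digest(
                decode_user_password(hidden, secret, request_authenticator), user_db[username])
        except ValueError:
            granted = False
    header = struct.pack("!BBH", ACCESS_ACCEPT if granted else ACCESS_REJECT, identifier, HEADER_LEN)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_authenticator + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes):
    """NAS side: recompute the Response Authenticator; return the code, or None if it fails."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN] + response[HEADER_LEN:length] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:HEADER_LEN]) else None


def demo(password: bytes = b"S3cure-Pa55", secret: bytes = SHARED_SECRET):
    """One round trip: returns 2 (Access-Accept) or 3 (Access-Reject)."""
    request = build_access_request(42, b"netadmin", password, secret)
    response = handle_access_request(request, secret, USER_DB)
    return verify_response(response, request, secret)


if __name__ == "__main__":
    print("correct password ->", demo())
    print("wrong password   ->", demo(password=b"guess"))
```

What this shows for the question above: RADIUS never sends the PAP password in the clear, but the "hiding" is only an MD5 keystream keyed by the shared secret, so its confidentiality rests entirely on that secret and on who can see the UDP packets, and a plain Access-Request carries no integrity check at all unless the Message-Authenticator attribute (RFC 2869) is added. That is the dependency cyr0n_k0r's answer leans on: keep the NAS-to-server path unreachable (a management VLAN, VLAN-hopping mitigations) and the scheme holds; a long random shared secret per device is the other half. By contrast, PEAP runs the credential exchange inside TLS, and TACACS+ obfuscates the whole packet body with a similar secret-keyed MD5 stream, so it too is only as strong as its key and its network path.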
 
So you're using out of band management? If that's the case, not bad. I'd still be a little wary but makes sense.

My only issue with NPS is it's not as straightforward as ACS. But that's not to take away anything from 2008 R2, which is a good product and has many applications.
 