Cisco ACS versus Microsoft IAS for Radius?

Discussion in 'Cisco' started by TechGuy, Dec 3, 2004.

  1. TechGuy

    TechGuy Guest

    We are using all Cisco switches, routers and wireless lan access
    points. We are rolling out more wireless and looking to start using
    WPA for laptop wireless security. We need to decide on a radius
    server and personally I would prefer to use cisco ACS for radius
    purposes but I have to come up with some good selling points on why to
    go with Cisco ACS to handle radius versus just using the microsoft
    radius in IAS.

    Anyone have any good pros and cons for the two?
     
    TechGuy, Dec 3, 2004
    #1

  2. TechGuy

    John Smith Guest

    i can't believe i'm about to say this, but the good thing about using MS's
    IAS is that you can just use a user's regular domain account for network
    wide authentication.. this is what I do for our aironet 1200's and it's what
    i'm going to start doing for mobile vpn users. It is not yet implemented
    for logging directly into Cisco equipment mainly b/c only a couple of people
    need to do that.
    the con is it can be a pain to set up. (it was for me anyway, since i had
    never done anything w/ IAS).
    here's the best link i found on setting up wireless IAS auth. should you
    decide to implement it..
    http://www.ifm.net.nz/cookbooks/wpa_sbs2003/index.html

    good luck...

    here's another link which contains a post about some guy ranting about how
    his company's CCIEs had trouble setting up wireless peap with MS radius...
    http://undeadly.org/cgi?action=article&sid=20041202192651 i just came
    across it today and thought it was funny...
     
    John Smith, Dec 4, 2004
    #2

  3. TechGuy

    Rob Guest

    On the other hand, using ACS is brain dead simple. So I support the
    argument for that. And it can in turn authenticate against ADS or
    the domain easily too.

    Use ACS 3.3

    -Robert
     
    Rob, Dec 4, 2004
    #3
  4. TechGuy

    John Smith Guest

    i'd rather use acs as well... it's still hard to justify the $$ to
    management.
    which i guess was the whole purpose of this thread anyway.
     
    John Smith, Dec 4, 2004
    #4
  5. TechGuy

    Rob Guest

    Did you make the mistake of telling management there was a cheaper
    alternative? Tisk, tisk. How did you get Cisco there in the first
    place? ;)
     
    Rob, Dec 4, 2004
    #5
  6. TechGuy

    TechGuy Guest

    Other than ease of use, are there any other functional reasons or
    limitations between the two? I have heard that there are some
    limitations with MS IAS but no one has confirmed what these are which
    is why I am asking.

    Are there some limits to the "free" IAS that comes with 2003 server?
    I am not a server guy so I don't know, I just handle Cisco equipment
    and voip and I know that MS 2003 Server has or comes with some free
    radius service. And thus management would prefer if we use that so to
    save money. Understandable of course, but if there are some
    limitations to using it I need to find out so that we are not having
    to reinvent the wheel later down the road and switch to ACS anyway.
     
    TechGuy, Dec 4, 2004
    #6
  7. TechGuy

    Taran Singh Guest

    I tested ACS 3.3 and it's very nice. Then I used the MS Radius from
    2003 server and i'll be honest: for the authentication of my VPN users
    against the active directory user list, it makes no difference. even
    the wireless ap's should be okay to use the ms radius. i personally
    have no compelling reasons to use acs 3.3 so i am going with ms radius
    since i have a fairly reliable system for it already.


    now to decide from a business perspective ... you need features from
    acs that ms cannot offer. if you write them down, and decide its exact
    need and you come to the conclusion that those requirements are
    necessary, then you need acs. if you decide that all the features you
    listed are "nice to have" but operationally do not mean anything then
    you don't need acs. also consider a 3+ year outlook plan. note that ms
    radius from 2003 server offers all the bells like LEAP/EAP auth, you
    name it, it has it.

    there you have it. list the features, write the reasons why u need
    them, then see if ms radius does them all. choice will then be easier.

    cheers, t.
     
    Taran Singh, Dec 5, 2004
    #7
  8. TechGuy

    John Smith Guest

    i've done a lot w/ m$ servers but just minimal radius/cisco stuff w/ IAS...
    does IAS support accounting?
     
    John Smith, Dec 5, 2004
    #8