Local authentication using RADIUS and Azure/on-prem setup best practice...

Hi,

So, we are a small shop (50 users, low levels of activity) and have 2 x DCs in Azure and 2 x on-prem - all Windows. I want to add RADIUS local authentication to our networking kit, most of which is Cisco. Just adding an NPAS role to a DC in Azure and a DC on-prem with the standard setup (Windows groups for users vs. Admins plus policy to set the priv-lvl accordingly) would seem the obvious way to go, but is it best practice?

Can Azure's MFA server's RADIUS support be used or is there another way?

Is there any point in having RADIUS on its own servers vs. just as a role on the DCs, especially in a small shop? What are people's thoughts on best practice? I'm getting conflicting stories...

Many thanks.

1 REPLY
VIP Advisor

Hi,

I think what you suggest is perfectly fine. As you said you are a small shop, there is no need to spend a fortune on a TACACS+ solution. Even with Windows NPS you can authenticate users centrally, and you will get some basic accounting information.

If you want even more security, you can also configure an ACL on the vty lines, to lock down access to the devices from trusted subnets. In addition you can configure syslog and send success/failed authentication attempts to a syslog server.

Having separate NPS servers might be overkill in a small environment, but I don't know the load on your current DCs. I cannot imagine adding the additional role to the server and the odd RADIUS authentication would add a considerable amount of load to the server. This question may be better answered in a Microsoft forum though.

HTH
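One way to put the reply's suggestions into a Cisco IOS device configuration, as an added example that is not part of the original thread: two NPS servers (on-prem first, Azure second) with local fallback, exec authorization so NPS can set the privilege level, a vty access-class limited to a trusted subnet, and login success/failure events sent to syslog. All server names, addresses, subnets and keys are placeholders; the NPS side is assumed to return the Cisco-AV-Pair vendor-specific attribute `shell:priv-lvl=15` for the Admins group and `shell:priv-lvl=1` for the Users group.

```cisco
! Added example (not from the original post). Addresses, names and keys are placeholders.
aaa new-model
!
radius server NPS-ONPREM
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
radius server NPS-AZURE
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
aaa group server radius NPS
 server name NPS-ONPREM
 server name NPS-AZURE
!
! Local account is only consulted if both NPS servers are unreachable.
username admin-local privilege 15 secret <local-fallback-password-placeholder>
aaa authentication login VTY-AUTH group NPS local
!
! Exec authorization lets NPS decide the privilege level via the
! Cisco-AV-Pair attribute (shell:priv-lvl=15 for Admins, shell:priv-lvl=1 for Users).
aaa authorization exec VTY-AUTH group NPS if-authenticated
aaa accounting exec default start-stop group NPS
!
! Only the trusted management subnet may reach the vty lines; denied hits are logged.
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 transport input ssh
!
! Send successful and failed logins to the syslog collector.
login on-success log
login on-failure log
logging host 192.0.2.20
logging trap informational
```

Verify with `show aaa servers` that both NPS entries are reachable before relying on the local fallback account, and confirm the logging host receives both a success and a failure event during testing.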