Re: Soution for ACS Replacement for Wireless and VPN Authentication?

Jim Matuska · ‎03-21-2018

We have been running Cisco ACS physical appliances for quite a few years for VPN Client (to our ASA Firewalls) and Wireless WPA2/AES authentication with our Cisco Wireless controllers. In both instances we have ACS connected to active directory to do the actual userid/password verification.

The ACS products as I understand it are now nearing or at EOL and show the ISE products as replacements. However, these seem to have a bit more functionality (and cost) than we need.

Does anyone have any suggestions for a solution to authenticate and log these wireless and VPN clients that doesn't cost a lot of money.

We are running VMWare so virtualizing servers is a preferred method if available.

What do you think?

Rob Ingram · ‎03-21-2018

Hi,
Well if you don't want or need the functionality of ISE, then how about Microsoft Windows NPS, this can do basic 802.1x authentication for wired/wireless. It probably can't do the fancy stuff that ISE can (guest, web portals, tacacs etc).

HTH

Jim Matuska · ‎03-21-2018

Thanks for the info, I'm going to look into using NPS on server 2016. We are currently using PEAP-MSCHAPV2 and authenticating against Active Directory accounts for wireless clients. Is this still a good setup or is there a better option for authentication for wireless? Note, we want to keep the end user device configuration to a minimum, in most cases just choose SSID and put in domain credentials to authenticate.

What do you think?

Marvin Rhoads · ‎03-21-2018

ISE with Base licenses is the recommended solution. Migration from ACS is very easy with the provided migration tool.

Have you priced out ISE? There was a migration special offer last year for ACS customers but unfortunately that has expired.