1791 Views | 0 Helpful | 3 Replies

Cisco Centralized Authentication on Switches and Routers

seanmitch
Level 1

Hello!

I have two ideas of what would be ideal, but not sure if either is possible based on what I have read up until now.

1:

Would it be possible to use RADIUS, but only from one IP? I would rather not have to configure a RADIUS client on the RADIUS server for each and every switch; even though it would work, it would become extremely tedious. If there were a way to have our router proxy all the switches' requests so that I only had to configure one IP, that would be perfect, but it seems like an unlikely possibility.

2:

Through the VTP domain, could we have a centralized admin account and password as a way to log in? That too would work great, but from what I have seen and read, it seems that VTP is more for VLAN synchronization and general networking than for security features.

I appreciate any ideas on the best way to make a centralized login, with or without using Active Directory, as our goal is to make a more secure and easily changeable login to secure our network.

Thanks,

Sean

Accepted Solution

balaji.bandi
Hall of Fame

As per Cisco best practice, always use ACS or ISE for centralized authentication.

ACS and ISE support authenticating users against your AD.

If you want to consider it, you can use FreeRADIUS, but you need to put in some effort and follow the documentation (depending on the expertise you have).

You are looking for a proxy; but even if you set up a proxy, you still need to configure that proxy IP on each device. Instead you can configure all devices to point at ACS: a one-time config as a bulk config push (after testing on a couple of devices).

Make sense?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

3 Replies


I mean, I had heard of ISE but am afraid of the costs. Sadly too, ACS is no longer an option, as its EOL is incoming, and fast.

I appreciate the help.

I can understand the cost point of view; then you have the option to build your own FreeRADIUS server if you are looking for something open source for now, and when the organisation is able to invest, opt for ISE for many reasons.

I had some deployments myself long back with FreeRADIUS; it does work, but you need to spend some time reading the documentation and examples.

https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto

BB

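The question's first idea (not wanting to register every switch as a separate RADIUS client) and the FreeRADIUS suggestion in the last reply meet in one place: the FreeRADIUS `clients.conf` file. FreeRADIUS 3.x accepts a CIDR range in a client's `ipaddr`, so one entry can cover a whole management subnet of switches without proxying anything. The fragment below is an added example written for this thread, not configuration from the original posts or from the FreeRADIUS project; the subnet `10.20.30.0/24`, the router address `10.20.30.1` and the secrets are constructed placeholders. Each switch still needs its own `aaa`/`radius server` configuration pointing at the server, which is the bulk push the accepted answer describes.

```conf
# clients.conf fragment (FreeRADIUS 3.x) -- added example, constructed values.

# One client entry for the whole access-switch management subnet.
# Every switch sourcing RADIUS from 10.20.30.0/24 matches this entry
# and must use the same shared secret.
client access_switches {
    ipaddr    = 10.20.30.0/24
    secret    = "REPLACE-WITH-A-LONG-RANDOM-SECRET"
    shortname = access-switches
    nas_type  = cisco

    # Drop requests that carry no Message-Authenticator attribute, so a
    # packet cannot be accepted on the shared secret alone.
    require_message_authenticator = yes
}

# A high-value device can keep its own entry with a distinct secret.
# FreeRADIUS uses the most specific matching client, so this /32 wins
# over the /24 above for the core router.
client core_router {
    ipaddr    = 10.20.30.1
    secret    = "REPLACE-WITH-A-DIFFERENT-SECRET"
    shortname = core-rtr
    nas_type  = cisco
    require_message_authenticator = yes
}
```

Validate the file with `radiusd -XC` before restarting the service. Two things to keep in mind with a subnet-wide client: the shared secret now protects every device in that range, so the management subnet should be reachable only from the switches themselves and the RADIUS server; and because each switch still sends its own NAS-IP-Address, the server's authentication and accounting logs remain attributable per device even though only one client entry exists.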