cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
442
Views
0
Helpful
3
Replies

Local RADIUS trusting external database

mstubbers
Level 1
Level 1

Is there any way for the IOS local RADIUS to authenticate against a NT or AD domain account list? I understand I can use ACS, IAS or similar to do this, just looking for a cleaner solution for a small site. I'd be willing to use LEAP for client authentication if it were possible. My dilema is we use ACS to authenticate our larger locations. It is hard to justify a separate ACS install for this "island" site. They have a local AD domain which could be used. I'm considering IAS, but I'd also love to incorporate this AP into our WLSE environment. Any suggestions?

3 Replies 3

emcpherson
Level 1
Level 1

Looks like you are going beyond what the local radius server on the WAP was design for. Here is a link when you are configuring an access point as a local authenticator.

http://www.cisco.com/en/US/customer/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184a9b.html

If the intent is using domain account list outside of the WAP then nope you cannot. If the list is not greater than 50 then you should be able to do it internally. You just need to retype it.

Thanks for your input. Maintaining a duplicate local user database just doesn't seem viable long term. I'd have to work with users every time their password expires, or not have them expire which is not acceptable. The site is only a couple dozen users, but at that volume I'd be dealing with a password change every few days.

My plan in the interum is to remotely authenticate them against my main site ACS which will authenticate them against their local domain. Certainly the long way to go, but I can extend the password cache for a longer than normal period to cut down on delay. I'll see how this operates for awhile and then adjust from there.

It seems that it would not be diffecult to have the AP directed toward a AD server. Cisco's VPN hardware does this nicely already. I'll put a feature request into our SE and see where it goes.

Thanks for the reply.

Thanks for your input. Maintaining a duplicate local user database just doesn't seem viable long term. I'd have to work with users every time their password expires, or not have them expire which is not acceptable. The site is only a couple dozen users, but at that volume I'd be dealing with a password change every few days.

My plan in the interum is to remotely authenticate them against my main site ACS which will authenticate them against their local domain. Certainly the long way to go, but I can extend the password cache for a longer than normal period to cut down on delay. I'll see how this operates for awhile and then adjust from there.

It seems that it would not be diffecult to have the AP directed toward a AD server. Cisco's VPN hardware does this nicely already. I'll put a feature request into our SE and see where it goes.

Thanks for the reply.

Review Cisco Networking for a $25 gift card