Using IAS for AAA with multiple vendors
BikeGeek
2008-10-28 18:53:03 UTC
We have a mixed Nortel, Cisco and Juniper environment for our switches and
routers. I have gotten both Nortel and Cisco devices to authenticate
correctly to IAS but I am not sure how to have both authenticate to IAS.

One idea is using the Client-IP-Address attribute to be sure each device is
hitting the right policy. This seems very cumbersome to create two policies
(one read and one read/write) for each of hundreds of devices on two IAS
servers (primary and secondary).
- Can multiple IPs be added to one access policy?

Another thought was to use the Client-Vendor attribute.
- Does the Client-Vendor Attribute work reliably to distinguish Nortel vs
Cisco?
- Is there a way to add Juniper to the Client-Vendor Attribute?

Another thought was one IAS server per vendor. This would result in either
not having a primary and secondary or having 4 Enterprise Windows licenses!

Any suggestions welcome.
Is there another way to address this issue?
S. Pidgorny
2008-10-28 20:41:35 UTC
Post by BikeGeek
We have a mixed Nortel, Cisco and Juniper environment for our switches and
routers. I have gotten both Nortel and Cisco devices to authenticate
correctly to IAS but I am not sure how to have both authenticate to IAS.
One idea is using the Client-IP-Address attribute to be sure each device is
hitting the right policy. This seems very cumbersome to create two policies
(one read and one read/write) for each of hundreds of devices on two IAS
servers (primary and secondary).
- Can multiple IPs be added to one access policy?
Another thought was to use the Client-Vendor attribute.
- Does the Client-Vendor Attribute work reliably to distinguish Nortel vs
Cisco?
- Is there a way to add Juniper to the Client-Vendor Attribute?
Another thought was one IAS server per vendor. This would result in either
not having a primary and secondary or having 4 Enterprise Windows licenses!
Any suggestions welcome.
Is there another way to address this issue?
Not sure how reliable the attribute is... Will experiment.

Re. running four instances: Windows Server Enterprise license allows you
to run four instances of the OS as virtual machines so you won't have to
purchase additional licenses if you go virtual
(http://www.microsoft.com/licensing/highlights/virtualization.mspx)
--
Svyatoslav Pidgorny, MCSE, RHCE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
lozza
2008-11-24 06:56:01 UTC
Hi BikeGeek,

I am currently faced with this very issue. Can you let me know how you got
on with this? I am really struggling for ideas right now...

Any help would be much appreciated.

Loz
Post by BikeGeek
We have a mixed Nortel, Cisco and Juniper environment for our switches and
routers. I have gotten both Nortel and Cisco devices to authenticate
correctly to IAS but I am not sure how to have both authenticate to IAS.
One idea is using the Client-IP-Address attribute to be sure each device is
hitting the right policy. This seems very cumbersome to create two policies
(one read and one read/write) for each of hundreds of devices on two IAS
servers (primary and secondary).
- Can multiple IPs be added to one access policy?
Another thought was to use the Client-Vendor attribute.
- Does the Client-Vendor Attribute work reliably to distinguish Nortel vs
Cisco?
- Is there a way to add Juniper to the Client-Vendor Attribute?
Another thought was one IAS server per vendor. This would result in either
not having a primary and secondary or having 4 Enterprise Windows licenses!
Any suggestions welcome.
Is there another way to address this issue?