lozza
2008-10-08 23:26:00 UTC
Guys,
I appreciate any time you experts can give me in trying to learn this
technology. I am familiar with Microsoft stuff but not in the areas of
IAS/RADIUS. We have a Cisco environment at work and are in need of a solution
that will address AAA. I would like to use MS technology as that's what I am
accustomed to. I will be attending a Cisco Secure Access Control Server
course soon, but this will inevitably mean cost, and I think MS IAS can do the
same thing and might be a bit easier to implement. So basically, because I
don't know much about any of this stuff, could someone kindly help me by
answering the following:
1) Does IAS allow for AAA methodology to be followed? Specifically, can I log
who has done what, run what commands at what time on switches/routers etc.?
Can I control who can have what permissions on certain switches/routers
etc.?
2) At present we have over 100 Cisco switches and routers across 4
datacentres globally (single AD domain)... Can IAS be used to allow AD
credentials to log into these switches/routers?
3) At each DC we have a redundant pair of Cisco VPN devices. Can IAS be used
to authenticate the VPN users using their already created AD account?
4) If I want all authentication to be backed off to AD, will my IAS servers
require a database? I'm not sure what I'm trying to ask here, but it's
along the lines of: if I have a redundant pair of load-balanced IAS servers,
configured the same (as in the same devices, policies etc.), is that all I
need in terms of providing resilience (with the exception of a load-balancing
mechanism in front of them), or is a database needed as well, sitting on a
cluster somewhere? Or in fact should the IAS be clustered (in the MSCS
fashion)... confused here, as you can tell :)
5) For true redundancy's sake, is it feasible to put a pair of IAS servers in
each of the 4 DCs and configure them all with the same configs and then list
all these IAS servers in every device using RADIUS, i.e. my switches and
routers, or in fact just list the IAS servers that are local to the network
device in question as its RADIUS server, so authentication traffic stays
local?
6) If I need to add more RADIUS servers to my 2-node clusters, is there a
simple method of replicating the config onto the newly added server?
7) When dealing with accounting logging, should you send all this info off
to a DB somewhere that all your IAS servers point to? Are there scripts to
create such a DB in the correct format? Or should you just leave this locally
on each IAS server? Again, I am just wildly guessing here and trying to gauge
info around IAS.
Please forgive me for any daft questions. I have been reading for a few days
now, and think I have asked some half intelligent questions to help me
understand this better.
If any links to appropriate 'easy' reading can be provided that would be
excellent.
Thanks for any help
Lozz