The Cisco-preferred method is of course the Cisco ACS server and TACACS+ - nothing wrong with that; it works fine, is feature rich and is quite easy to set-up and get going. The downside is that someone has to manage the ACS server (or appliance, if you go down that road), and maintain the user database (although it's possible to get the user data from AD...)
I reckon it's better to:
- Utilise an existing user database, freeing up network guys to do what they do best - networking stuff.
- Let the server bods worry about looking after server stuff - the server itself , Windows updates, Anti Virus, etc. etc.
- Leverage something that comes free - in this case Windows IAS (Internet Authentication Service), thus saving dosh for more interesting things
However, it's not all a bed of roses - this isn't really a scalable solution for dozens of devices. There's no way to wild card Radius requests from your devices, so you need to add each router/switch/firewall/etc. individually, so it can be a bit laborious.
So how to set it up?
Firstly, the Cisco device (I'll call them switches from now on, and assume that we're running Cisco IOS, not ye olde Catalyst OS) will be using Radius to authenticate, not TACACS+. This part is quite easy, as the commands to set up Radius authentication is pretty straightforward.
Secondly, we need to set up the Windows IAS server. This is less straightforward, as it involves lots of mouse clicking and menus. It works fine, but needs careful attention to detail.
I won't go through the whole "how to set up IAS" thing, because there are other sites out there that have already done this work. See links below:
Cisco AAA login with Radius (MS IAS)
How to setup IAS to use radius to authenticate Cisco device
In our organisation, we have several AD Domain Controllers - a pair at head office and a pair at our data centre. So I installed IAS on all four, and as the majority of our kit is located at head office, the head office pair authenticate access to head office kit, and the data centre pair authenticate access to kit at the data centre and remote sites.
To set up the Cisco side, the following commands should entered from Exec mode:
aaa new-model
aaa authentication login default group radius local line
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
radius-server host [IP ADDRESS] auth-port 1812 acct-port 1813
radius-server host [IP ADDRESS] auth-port 1812 acct-port 1813
radius-server source-ports 1645-1646
radius-server retransmit 1
radius-server timeout 2
radius-server key [SECRET KEY]
radius-server vsa send accounting
radius-server vsa send authentication
and on the CON & VTY lines, make sure you add:
login authentication default
And that's it. Test drive before you go live.