Can MAG replace Cisco ACS for authenticating and authorizing network devices like routers and switches?
Also, can we use it to authenticate VPN users?
MAG running Access Control Service supports various authentication methods using a variety of authentication protocols, including EAP inner and outer authentication, non-tunneled web authentication without EAP, MAC address authentication, etc.
It supports, in addition to EAP-TTLS and EAP-PEAP, PAP, CHAP and the CHAP family, including MS-CHAP, MS-CHAP-V2, etc.
You just need to ensure that these routers and switches are configured to use one of the supported authentication protocols.
So we can use MAG instead of ACS for authenticating network devices; is it the same as authenticating normal users by creating realms and roles and then creating role-mapping rules?
Also, what about authorization: can we create authorization roles for the network devices, like creating a downloadable access list?
Yes, your understanding is correct!
You can authorize by configuring RADIUS Return Attributes Policies under Admin Console --> UAC --> Network Access.
Yes, you can use MAG instead of ACS for authenticating network devices. Yes, you need to create roles, realms and role mapping rules for this. You can have the authentication server as local or an external authentication server like Active Directory, LDAP, etc.
You can also create a resource access policy on the IC.
The authorization type I am looking for is like this:
some users have the privilege to perform certain commands, and some users have a certain level of privileges (1-15).
So is this supported under return attributes policies?
Please refer to pages 172 through 175 of the UAC administration guide for more details: