My point of view.
The switch uses the NAC-engine as its RADIUS server.
The NAC-engine can use NPS as an upstream RADIUS server. Advantage: you have one repository where usernames and passwords are stored, and the way to add/remove/change users in the M$ world is comfortable.
The NAC-engine can use LDAP/LDAPS as upstream authentication. Advantage: you do not need to install NPS and certificates.
The NAC-engine can use a local database. Advantage: you do not need any other component, but the way to add/remove/change users needs to be integrated into the customer's processes.
The most common deployment:
- The NAC-engine uses RADIUS to verify the username/password against the domain.
- The NAC-engine uses LDAPS to check the group membership.
Advantages of the combination above:
- M$ believes RADIUS is more secure compared to the NTLM used in LDAPS.
- Configuring and troubleshooting NPS rules is a nightmare; if you have only one rule in NPS it is easier.
- Configuring rules based on LDAPS is much easier to troubleshoot and operate.
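Added example (not part of the post above, and not a configuration from the poster or from any particular NAC product): the "most common deployment" described above, written as FreeRADIUS 3.x configuration fragments. It assumes FreeRADIUS is the NAC-engine, that NPS runs on 192.0.2.10, that the domain controller is dc1.corp.example, and that the service account, realm name, base DN and the group CN=Net-Access are hypothetical names chosen for illustration. Group membership is checked over LDAPS with a read-only bind account; the user's password itself is never verified by FreeRADIUS but is proxied over RADIUS to NPS, which is exactly the split the post describes.

```conf
# proxy.conf -- NPS is the upstream RADIUS server that verifies the
# username/password against the domain. (Hypothetical address/secret.)
home_server nps1 {
    type   = auth
    ipaddr = 192.0.2.10
    port   = 1812
    secret = replace-with-a-long-random-shared-secret
    # Refuse replies without Message-Authenticator (mitigates RADIUS
    # Access-Request forgery; NPS sends it by default).
    require_message_authenticator = yes
}

home_server_pool nps_pool {
    type        = fail-over
    home_server = nps1
}

realm corp.example {
    auth_pool = nps_pool
    nostrip     # forward the full User-Name unchanged to NPS
}

# mods-available/ldap -- LDAPS is used ONLY for the group lookup.
# The bind identity is a read-only service account (hypothetical DN).
ldap {
    server   = 'ldaps://dc1.corp.example'
    identity = 'CN=svc-nac,OU=Service Accounts,DC=corp,DC=example'
    password = replace-with-the-service-account-password
    base_dn  = 'DC=corp,DC=example'

    user {
        base_dn = "${..base_dn}"
        # Look the user up by sAMAccountName; strip a realm if present.
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn              = "${..base_dn}"
        filter               = '(objectClass=group)'
        # AD publishes membership on the user object, so read memberOf
        # instead of walking every group's member attribute.
        membership_attribute = 'memberOf'
    }

    tls {
        # Pin the AD CA so LDAPS cannot be downgraded or MITMed.
        ca_file      = /etc/raddb/certs/corp-root-ca.pem
        require_cert = 'demand'
    }
}

# sites-available/default -- the single policy that ties it together.
server default {
    authorize {
        # 1. LDAPS: does the account exist, and is it in the access group?
        ldap
        if (notfound || noop) {
            reject
        }
        if (!(LDAP-Group == "CN=Net-Access,OU=Groups,DC=corp,DC=example")) {
            update reply {
                Reply-Message := "Not a member of Net-Access"
            }
            reject
        }

        # 2. RADIUS: hand the actual password check to NPS.
        #    FreeRADIUS never sees an LDAP bind with the user's password.
        update control {
            Proxy-To-Realm := "corp.example"
        }
    }

    authenticate {
        # Intentionally empty: authentication happens on the proxied
        # request, so NPS needs only one network policy ("allow").
    }

    post-proxy {
        # Access-Accept/Reject from NPS is relayed to the switch as-is.
    }
}
```

With this layout NPS carries exactly one rule (accept the proxied request), and every per-group decision lives in the `authorize` block, which is the "one rule in NPS, group logic via LDAPS" arrangement the post recommends. Test the group path in isolation with `radtest` against FreeRADIUS while `nps1` is unreachable: a non-member should be rejected before any proxy attempt, and a member should fail only with a proxy timeout, which proves the two checks are independent.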