Central Authentication For Windows, Linux, Network Devices

There is a solution for this. It's called Kerberos V5. It does all you need, and there is good support from Windows, Linux, Unix and network devices. Have a look at it.


Plenty of things can authenticate against an AD domain directly using Kerberos.

You can manage authorization using LDAP, if you enable anonymous binds on the AD servers.

You can also configure an AD server to also be an NIS server. I'm in the middle of doing that, and it doesn't seem trivial, but it also doesn't seem really hard. NIS + Kerberos neatly solves the issue of antiquated systems that may not have pam_ldap modules directly.

Lastly, you can use an AD server as a RADIUS server, which neatly solves the "access to random network / RAS devices" issue.

I'm mostly a unix guy, and lots of the configuration you need to do on an AD server to get it to do this stuff is frustrating, but it is really hard to argue with the one-stop shopping you get with AD. Microsoft may have had a lot of stinkers over the years, but Active Directory is really fantastic technology.
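As an added example of the Linux side of the setup described in this post (Kerberos for authentication against AD, LDAP for authorization), here is a matching pair of client configuration fragments. This is not configuration from the original post; the realm EXAMPLE.COM, the domain controller dc1.example.com, the client host linuxbox.example.com and the group linux-admins are assumed placeholders. It uses SSSD, whose LDAP lookups bind with the client's own host keytab over GSSAPI, so the directory does not have to be opened to anonymous binds for this part to work; only the RADIUS and NIS pieces from the post are not covered here.

```ini
# --- /etc/krb5.conf ---
# Added example; realm and host names are assumed placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Let the client find KDCs via the _kerberos._tcp SRV records AD publishes
    dns_lookup_kdc = true
    # Do not canonicalise service hostnames through reverse DNS (AD SPNs use the forward name)
    rdns = false

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# --- /etc/sssd/sssd.conf ---  (mode 0600, owned by root)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
# Authentication: password checked by the AD KDC via Kerberos
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com

# Identity / authorization: users and groups read from AD over LDAP,
# binding with this host's keytab (host/linuxbox.example.com@EXAMPLE.COM
# in /etc/krb5.keytab) instead of an anonymous bind.
id_provider = ldap
ldap_uri = ldap://dc1.example.com
ldap_search_base = DC=example,DC=com
ldap_schema = ad
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/linuxbox.example.com@EXAMPLE.COM
# Derive POSIX uid/gid from the AD SID if the accounts carry no uidNumber/gidNumber
ldap_id_mapping = true
# AD returns referrals that slow lookups down and are not needed for a single domain
ldap_referrals = false

# Only members of the assumed group linux-admins may log in to this box
access_provider = simple
simple_allow_groups = linux-admins
```

The host keytab referenced by ldap_sasl_authid is what the machine account in AD issues to this client; without it SSSD falls back to anonymous LDAP lookups, which is exactly the case the post mentions. The access_provider lines are where the authorization decision is made, so a user who holds a valid Kerberos ticket but is not in the allowed group is still refused.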


Thanks for the reply on Kerberos V5, that's definitely looking promising.

Another tool, by Microsoft themselves, is Forefront Identity Manager (FIM), which allows identity management without placing the servers in a domain.

http://www.microsoft.com/forefront/identitymanager/en/us/default.aspx