ACS. 802.1x, Tacacs and Radius

Unanswered Question
Aug 16th, 2007

Hi

I think I have a simple question: I want to activate 802.1x on our switches (about 800 devices: 6500, 3500, 3600, 4500, ...). We use TACACS for telnet authentication, authorization and accounting. For 802.1x I need to configure RADIUS on the switches. So my question is: can I run RADIUS and TACACS for the same device, or do I have to change the telnet authentication/authorization to RADIUS? In the NetworkDeviceGroup configuration on ACS 4.1 I can only define TACACS or RADIUS as the authentication type for one device.

darpotter Thu, 08/16/2007 - 01:33

Yes you can run RADIUS and TACACS+ in parallel.

In the ACS network config db you need to enter each device twice - once for each protocol.
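
The parallel setup darpotter describes, as an added IOS configuration example that is not from the original thread: TACACS+ for device administration (login, enable, exec and command authorization, accounting) and RADIUS for 802.1X, kept apart by named server groups and separate method lists. The server address, shared secrets, group names and interface are assumptions; the `local` fallback on the administrative lists is there so a TACACS+ outage cannot lock you out of the switch.

```cisco
! Added example: parallel TACACS+ (device admin) and RADIUS (802.1X) on one IOS switch.
! Addresses, secrets and group names below are assumptions, not values from the thread.
aaa new-model
!
! TACACS+ server (ACS) used only for administrative access to the switch
tacacs-server host 10.0.0.10 key TacacsSecret
aaa group server tacacs+ ADMIN-TACACS
 server 10.0.0.10
!
! RADIUS server (the same ACS box, reached through its second AAA-client entry) used only for 802.1X
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key RadiusSecret
aaa group server radius DOT1X-RADIUS
 server 10.0.0.10 auth-port 1812 acct-port 1813
!
! Device administration: every method list points at the TACACS+ group,
! with a local fallback so a server outage cannot lock you out.
aaa authentication login default group ADMIN-TACACS local
aaa authentication enable default group ADMIN-TACACS enable
aaa authorization exec default group ADMIN-TACACS local
aaa authorization commands 15 default group ADMIN-TACACS local
aaa accounting exec default start-stop group ADMIN-TACACS
aaa accounting commands 15 default start-stop group ADMIN-TACACS
!
! 802.1X: the dot1x and network method lists point only at the RADIUS group.
aaa authentication dot1x default group DOT1X-RADIUS
aaa authorization network default group DOT1X-RADIUS
aaa accounting dot1x default start-stop group DOT1X-RADIUS
!
! Local account that the "local" fallback above can use (assumed name and secret)
username admin privilege 15 secret AdminSecret
!
! Enable 802.1X globally, then per user-facing port
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description user port, 802.1X authenticated via RADIUS
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
!
! The default login/exec lists apply to the vty and console lines automatically.
```

On the ACS side, following darpotter's note, the switch appears twice under Network Configuration: one AAA-client entry for TACACS+ and one for RADIUS, each with its own shared secret matching the `key` above. Before rolling this out to 800 switches, confirm each group answers with `test aaa group ADMIN-TACACS <user> <password> legacy` and `show aaa servers`, and apply the administrative lists from a session that is already open so a typo cannot lock you out.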

fawadnoorkhan Thu, 08/16/2007 - 09:29

TACACS+ is better recommended, due to better accounting, authorization and the ENCRYPTION it uses for communication, whereas RADIUS is a plain/clear text algorithm.

Since you are using TELNET, which is totally clear text, using TACACS provides you some security through its encryption. I would prefer TACACS over RADIUS since you have an all-Cisco-based network.

dbelno Thu, 08/16/2007 - 22:31

Hello

I know, this is the reason why I am using TACACS. But can I use TACACS in combination with 802.1x and/or NAC?

darpotter Fri, 08/17/2007 - 05:45

No, you can't use TACACS+ for NAC and 802.1x.

...and NAC over RADIUS *IS* encrypted. The entire exchange occurs inside a tunnel which just happens to be carried over RADIUS.

EAP-FAST/EAP-PEAP both use encrypted tunnels for their protocols.

T+ is still king for device admin or any network service that uses/needs good/flexible authorisation. For everything else there's RADIUS.
