Radius/Tacacs+ configuration

bjacob1976
Level 1

Hi All,

I would like to configure both radius & tacacs authentications on a Cisco 7600 router. Is it possible? Can anyone give me some tips or refer me to some URLs?

Thanks,

Beno


Richard Burts
Hall of Fame

Beno

I am not clear from your post whether you want to use both TACACS and Radius for normal router/switch login authentication or if you are interested in something else. I have configured some routers for Dial Access which use Radius for authenticating the PPP dial user and use TACACS for login to the router. This works quite well.

Are you interested in attempting both TACACS and Radius for router login or are you interested in TACACS for one function and Radius for some other function?

From my experience it works well to use TACACS for one function (normal router login) and to use Radius for some other function (dial/PPP authentication). I do not believe that both TACACS and Radius can be used for the same function.

HTH

Rick


Rick,

Thanks for your update.

I was wondering if both Radius/TACACS can be used for login to the router.

Thanks

Yes indeed!

Hi Andrew,

If you have used both at the same time (Radius/TACACS), then which username/password will you key in when the router prompts for the login?

I guess you can either use Radius (or) TACACS

If it still works for you then let me know the config please..

Thanks,

Beno

Note:

Of course, you can use radius for the dialup users via PPP and TACACS for just login to the router.

Hi Rick,

Can you post the COMPLETE CONFIGURATION which you have done in your Experience.

"routers for Dial Access which use Radius for authenticating the PPP dial user and use TACACS for login to the router"

Thanks in Advance for Help...

Best Regards,

Guru Prasad R

Guru

It is not practical to post the entire config. But here are the relevant parts for doing authentication of router login by TACACS and dial access users by Radius.

    !
    aaa new-model
    !
    aaa group server tacacs+ admin_TAC
     server 10.18.24.20
    !
    aaa group server radius user_radius
     server 10.231.110.185 auth-port 1645 acct-port 1646
    !
    aaa authentication login default group user_radius local
    aaa authentication login admin group admin_TAC line
    aaa authentication enable default group admin_TAC enable
    aaa authentication ppp default if-needed group user_radius local
    !
    interface Group-Async0
     encapsulation ppp
     ppp authentication pap
     group-range 1/00 2/107
    !
    interface Dialer1
     encapsulation ppp
     ppp authentication pap
    !
    ip tacacs source-interface Loopback0
    !
    ip radius source-interface Loopback0
    !
    tacacs-server host 10.18.24.20 key 7 [hide]
    !
    radius-server host 143.231.110.185 auth-port 1645 acct-port 1646 key 7 [hide]
    !
    line con 0
     login authentication admin
    !
    line vty 0 4
     login authentication admin
    !
    line 1/00 2/107
     autoselect during-login
     autoselect ppp
    !

HTH

Rick
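
A consistency check for a split TACACS+/Radius configuration like the one above, as an added example (not part of the post and not a Cisco tool). The hypothetical `audit_aaa` function assumes `show running-config` layout with indented sub-commands. It reports server groups that reference an address with no matching host entry, login method lists that end in a server group with no fallback, and lines bound to an undefined method list.

```python
import re

# Lines taken from the configuration posted above; keys stay redacted as posted.
SAMPLE = """\
aaa group server tacacs+ admin_TAC
 server 10.18.24.20
aaa group server radius user_radius
 server 10.231.110.185 auth-port 1645 acct-port 1646
aaa authentication login default group user_radius local
aaa authentication login admin group admin_TAC line
tacacs-server host 10.18.24.20 key 7 [hide]
radius-server host 143.231.110.185 auth-port 1645 acct-port 1646 key 7 [hide]
line vty 0 4
 login authentication admin
"""

def audit_aaa(config):
    """Return findings for the AAA parts of an IOS-style configuration."""
    hosts = {"tacacs+": set(), "radius": set()}  # servers defined globally
    groups, lists, applied = {}, {}, []          # server groups, login lists, line bindings
    group = line = None
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):              # a top-level command ends any sub-mode
            group = line = None
        if m := re.match(r"(tacacs|radius)-server host (\S+)", text):
            hosts["tacacs+" if m[1] == "tacacs" else "radius"].add(m[2])
        elif m := re.match(r"aaa group server (tacacs\+|radius) (\S+)", text):
            group = m[2]
            groups[group] = (m[1], [])
        elif group and (m := re.match(r"server (\S+)", text)):
            groups[group][1].append(m[1])
        elif m := re.match(r"aaa authentication login (\S+) (.+)", text):
            lists[m[1]] = m[2].split()
        elif text.startswith("line "):
            line = text
        elif line and (m := re.match(r"login authentication (\S+)", text)):
            applied.append((line, m[1]))
    findings = [f"group {name}: server {ip} is not a defined {proto} host"
                for name, (proto, servers) in groups.items()
                for ip in servers if ip not in hosts[proto]]
    for name, methods in lists.items():
        for tok, nxt in zip(methods, methods[1:]):
            if tok == "group" and nxt not in (*groups, "tacacs+", "radius"):
                findings.append(f"login list {name}: undefined group {nxt}")
        if methods[-2:-1] == ["group"]:          # last method is a server group
            findings.append(f"login list {name}: no fallback after server group")
    return findings + [f"{ln}: login list {name} is not defined"
                       for ln, name in applied if name not in lists]
```

On the lines above it returns one finding: the `user_radius` group lists 10.231.110.185 while the `radius-server host` entry is 143.231.110.185.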


I think the main question was not phrased clearly enough and needs to be clarified.

Good example Rick.

Hi Rick,

Thanks for the sample.

:) Have rated your post.

Best Regards,

Guru Prasad R
