TACACS and RADIUS authentication on same line

Unanswered Question
Aug 27th, 2008

Hi,

I need to authenticate users against either a TACACS+ or a RADIUS server on a dial-up line. The configuration that I'm using is:

aaa authentication login TEST group radius group tacacs+ local-case

The problem that I'm encountering is that if a user has to authenticate with a TACACS+ server, the RADIUS server will return a "FAIL" message to the router as it does not find the user. This halts the authentication process and the TACACS+ server is never used.

This works when the authentication server is a single ACS server that can authenticate users via different external DBs. I have to remove this ACS server and "attack" the External DBs directly from the router.

Is there any way that I can configure the router (12.2) to "ignore" this fail message and continue with the second group servers?

Any help is greatly appreciated.

Thanks,

Niels

Premdeep Banga Thu, 08/28/2008 - 15:11

Unfortunately this is not how RADIUS/TACACS+ servers or IOS work.

As you have command,

aaa authentication login TEST group radius group tacacs+ local-case

As long as the RADIUS server is up, if you provide a username that does not exist on the RADIUS server, it will always send Access-Reject (FAIL). IOS can only go to the next method (in your case TACACS+ and then local) when it gets an ERROR, which is only possible when the RADIUS server/services are unavailable.

Here is what I can recommend in your scenario. You can make use of a RADIUS proxy; in that case users would be required to log in in a different fashion, something like

[email protected], and we can proxy it to the appropriate server based on the keyword [email protected].

Before that, what is your RADIUS server and what is your TACACS+ server at this moment?

Regards,

Prem

Please rate if it helps!
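An added illustration of the method-list behaviour Prem describes (written for this page; it is not code from the thread, from Cisco IOS, or from any RADIUS proxy): a small Python model in which each method answers PASS, FAIL or ERROR, the list advances only on ERROR, and a realm-suffix proxy routes a "user@realm" login to the matching back end. The server names, users, passwords and realm keywords are constructed sample data.

```python
"""Model of IOS AAA method-list evaluation for
'aaa authentication login TEST group radius group tacacs+ local-case'.

Each method returns PASS (Access-Accept), FAIL (Access-Reject) or ERROR
(server unreachable). The list moves to the next method only on ERROR,
which is why a user known only to TACACS+ is never reached when RADIUS
is up: RADIUS answers FAIL and the list stops there.
"""
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class AuthServer:
    """Constructed stand-in for a RADIUS, TACACS+ or local user database."""
    name: str
    users: dict            # username -> password (constructed sample data)
    reachable: bool = True

    def authenticate(self, user, password):
        if not self.reachable:
            return ERROR    # no response / timeout: IOS treats this as ERROR
        if self.users.get(user) == password:
            return PASS     # accepted
        return FAIL         # unknown user or wrong password: a definitive reject


def run_method_list(methods, user, password):
    """Walk the method list in order, IOS-style.

    Returns (final_result, names_of_methods_consulted). PASS or FAIL from any
    method ends the evaluation; only ERROR falls through to the next method.
    """
    consulted = []
    for name, server in methods:
        consulted.append(name)
        result = server.authenticate(user, password)
        if result in (PASS, FAIL):
            return result, consulted
        # ERROR: try the next method in the list
    return ERROR, consulted  # every method was unreachable


def radius_proxy_route(user, realms):
    """Prem's alternative: a RADIUS proxy selects the back end from the realm
    suffix of 'user@realm'. Returns (bare_username, server), or None when the
    login carries no known realm. The realm keywords are assumptions here."""
    if "@" in user:
        bare, realm = user.rsplit("@", 1)
        if realm in realms:
            return bare, realms[realm]
    return None


def demonstrate():
    """Run the scenarios from the thread and return their outcomes."""
    radius = AuthServer("radius", {"alice": "r4dius!"})
    tacacs = AuthServer("tacacs+", {"bob": "t4cacs!"})
    local = AuthServer("local-case", {"admin": "L0cal!"})
    methods = [("radius", radius), ("tacacs+", tacacs), ("local-case", local)]
    realms = {"radius": radius, "tacacs": tacacs}  # constructed realm keywords

    outcomes = {
        # Niels' problem: bob exists only on TACACS+, RADIUS rejects, list stops.
        "tacacs_user_radius_up": run_method_list(methods, "bob", "t4cacs!"),
        "radius_user": run_method_list(methods, "alice", "r4dius!"),
    }
    radius.reachable = False  # RADIUS down: ERROR, so TACACS+ is consulted
    outcomes["tacacs_user_radius_down"] = run_method_list(methods, "bob", "t4cacs!")
    radius.reachable = True

    # Proxy approach: the realm suffix picks the server before any FAIL occurs.
    bare, server = radius_proxy_route("bob@tacacs", realms)
    outcomes["proxied_tacacs_user"] = (server.name, server.authenticate(bare, "t4cacs!"))
    return outcomes


if __name__ == "__main__":
    for scenario, result in demonstrate().items():
        print(f"{scenario}: {result}")
```

The two scenarios worth comparing are `tacacs_user_radius_down` and `tacacs_user_radius_up`: the same user and password succeed only when RADIUS is unreachable, which is exactly why the method list cannot be used as a "try the other server on reject" mechanism.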
