TACACS and RADIUS authentication on same line

Aug 27th, 2008
Hi,


I need to authenticate users authenticating either on a TACACS+ or a RADIUS server on a Dial-up line. The configuration that I'm using is:


aaa authentication login TEST group radius group tacacs+ local-case


The problem that I'm encountering is that if a user has to authenticate with a TACACS server the radius server will return a "FAIL" message to the router as it does not find the user. This halts the authentication process and the TACACS server is never used.


This works when the authentication server is a single ACS server that can authenticate users via different external DBs. I have to remove this ACS server and "attack" the External DBs directly from the router.


Is there any way that I can configure the router (12.2) to "ignore" this fail message and continue with the second group servers?


Any help is greatly appreciated.


Thanks,


Niels

Premdeep Banga Thu, 08/28/2008 - 15:11

Unfortunately this is not how RADIUS/TACACS servers work or IOS works.


As you have the command,


aaa authentication login TEST group radius group tacacs+ local-case


Till the point radius server is UP, if you provide a username that does not exist on the Radius server, it will always send Access-Reject (FAIL). And IOS can go to the next method (in your case tacacs and then local) only when it gets an ERROR, which is only possible when radius server/services are unavailable.


Here is what I can recommend in your scenario. You can make use of Radius proxy, in that case users would be required to login in a different fashion, something like,


[email protected] , and we can proxy it to appropriate server based on keyword [email protected]'.


Before that, what is your Radius server and what is your Tacacs server at this moment?


Regards,

Prem


Please rate if it helps!
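
The method-list behaviour described in the answer above, as a small model added here (an example, not part of the original posts and not IOS code): a FAIL from the first server is final, only an ERROR moves to the next method, and a realm-routing proxy in front lets users from both databases log in. The user names, passwords and the realms `realm-a` and `realm-b` are constructed for illustration.

```python
from enum import Enum

class Result(Enum):
    PASS = "PASS"    # server answered: credentials accepted
    FAIL = "FAIL"    # server answered: rejected (e.g. RADIUS Access-Reject)
    ERROR = "ERROR"  # no answer: server or service unavailable

def make_backend(users, up=True):
    """Constructed stand-in for one AAA server holding a user database."""
    def check(username, password):
        if not up:
            return Result.ERROR
        return Result.PASS if users.get(username) == password else Result.FAIL
    return check

def run_method_list(methods, username, password):
    """Walk the list in order; only ERROR moves on to the next method."""
    tried = []
    for name, check in methods:
        tried.append(name)
        result = check(username, password)
        if result is not Result.ERROR:
            return result, tried      # PASS or FAIL is final
    return Result.FAIL, tried         # every method errored: deny

def make_realm_proxy(routes):
    """Proxy choosing a backend by the realm after '@' (hypothetical realms)."""
    def check(username, password):
        user, _, realm = username.partition("@")
        backend = routes.get(realm)
        if backend is None:
            return Result.FAIL        # unknown or missing realm: reject
        return backend(user, password)
    return check

# Constructed sample data: alice exists only in DB A, bob only in DB B.
db_a, db_b = {"alice": "pw-a"}, {"bob": "pw-b"}
local = make_backend({"admin": "pw-local"})

def direct(radius_up=True):
    """Models: group radius group tacacs+ local-case."""
    return [("radius", make_backend(db_a, radius_up)),
            ("tacacs+", make_backend(db_b)), ("local", local)]

proxied = [("radius", make_realm_proxy({"realm-a": make_backend(db_a),
                                         "realm-b": make_backend(db_b)})),
           ("local", local)]

if __name__ == "__main__":
    print(run_method_list(direct(), "bob", "pw-b"))            # stops at radius
    print(run_method_list(direct(False), "bob", "pw-b"))       # falls through
    print(run_method_list(proxied, "bob@realm-b", "pw-b"))     # routed by realm
```

The same FAIL-is-final rule is what keeps a user rejected by the first server from being retried against the local database.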
