Single NAS for TACACS and Radius on Cisco ACS v4

Unanswered Question
Mar 14th, 2009

Hi

I am presently using ACS v4. Is there any way that I could configure a device to authenticate using TACACS and RADIUS together in ACS?

darpotter Mon, 03/16/2009 - 06:03

On the ACS side there is nothing to stop you entering the same device twice - for RADIUS and for TACACS+.

Richard Burts Mon, 03/16/2009 - 08:46

Muralee

We could give you better advice if we understood more about your environment and about what you are really trying to accomplish.

I have configured routers doing dial access where the dial access PPP sessions authenticate to Radius and the sessions to the VTY authenticate to TACACS. Are you trying to accomplish something like that?

It would also be possible to set up a router so that the VTY authenticate to Radius and the console authenticates to TACACS if you wanted that. Or it should work if you want to configure authentication using the radius group as primary and use the tacacs group as backup if the radius method fails.

What can you tell us about what your requirements are?

HTH

Rick

Jagdeep Gambhir Mon, 03/16/2009 - 13:14

You can add the same NAS for RADIUS and TACACS, but the host name has to be different.

Example:

Host Name   IP        Authenticate using
NAS1        4.1.1.1   Radius
NAS2        4.1.1.1   Tacacs

Regards,

~JG

Do rate helpful posts

muralee29477 Tue, 03/17/2009 - 00:31

Hi

My requirement is to add a single device in ACS v4 to authenticate using RADIUS and TACACS.

Device: 1.1.1.1

For PPP we will be using RADIUS.

For telnet and SSH login we will use TACACS.

In the NAS I have done the config, but not sure how to do it in ACS.

Based on these, can you advise something?

tks a lot

muralee

darpotter Tue, 03/17/2009 - 02:07

So in the ACS network config you add 2 NASes (or should that be NASi?)

One is of type TACACS+, enter the device ip and secret. The other is RADIUS - unless you need to use some vendor specific trickery you could stick with IETF RADIUS to keep it simple. Again enter the IP and the secret.

Assuming you have at least 1 user in, say, the default group (ACS group 0), you then need to do some basic setup. In ACS a single group can have both RADIUS and TACACS+ config :-)

RADIUS will pretty much default to PPP anyway, but you should still set the Service-Type to Framed and set session timeouts etc.

With T+ you tick the boxes for the services that are allowed. For SSH login you might have to define a custom service first (under interface config)

Suggest you first take time to scan through the ACS docs.

Jagdeep Gambhir Tue, 03/17/2009 - 07:42

Simply add nas

1

Name--->device

IP ----> 1.1.1.1

secret---->xxxxx

Authenticate using --->Radius IETF

2

Name--->device1

IP ----->1.1.1.1

secret ----->x.x.x.x

Authenticate using---->tacacs IOS

Regards,

~JG

Do rate helpful posts
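
Added example, not part of any poster's reply: a Cisco IOS configuration for the NAS side that matches the two ACS entries described above (1.1.1.1 as RADIUS IETF for PPP, and as TACACS+ for telnet/SSH logins). The ACS address 192.0.2.10, the Loopback0 source interface, the list names, the secrets and the local username are placeholders assumed for illustration.

```cisco
! Added example. Placeholders: 192.0.2.10 (ACS server), Loopback0,
! <TACACS-SECRET>, <RADIUS-SECRET>, <LOCAL-PASSWORD>, user "fallback".
aaa new-model
!
! Local account, used only if the ACS server does not answer.
username fallback secret <LOCAL-PASSWORD>
!
! ACS holds two entries for 1.1.1.1, each with its own secret:
! one TACACS+ (Cisco IOS) and one RADIUS (IETF).
tacacs-server host 192.0.2.10 key <TACACS-SECRET>
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <RADIUS-SECRET>
!
! Source both protocols from the address configured in ACS (1.1.1.1),
! assumed here to live on Loopback0.
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
! Telnet/SSH logins: TACACS+ first, local account as fallback.
aaa authentication login VTY-LOGIN group tacacs+ local
aaa authorization exec VTY-EXEC group tacacs+ local
!
! PPP sessions: RADIUS.
aaa authentication ppp default group radius
aaa authorization network default group radius
!
line vty 0 4
 login authentication VTY-LOGIN
 authorization exec VTY-EXEC
 transport input telnet ssh
```

ACS matches an incoming request to a network device entry by source IP, so both protocols must leave the router from 1.1.1.1. The `local` fallback is used only when the server does not respond, not when it rejects the login.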
