darpotter Mon, 03/16/2009 - 06:03

On the ACS side there is nothing to stop you entering the same device twice - for RADIUS and for TACACS+.

muralee29477 Mon, 03/16/2009 - 06:38

Thanks for the reply.

How can I do this in ACS?

Best regards


Richard Burts Mon, 03/16/2009 - 08:46

We could give you better advice if we understood more about your environment and about what you are really trying to accomplish.

I have configured routers doing dial access where the dial access PPP sessions authenticate to RADIUS and the sessions to the VTY authenticate to TACACS. Are you trying to accomplish something like that?

It would also be possible to set up a router so that the VTYs authenticate to RADIUS and the console authenticates to TACACS if you wanted that. Or it should work if you want to configure authentication using the radius group as primary and use the tacacs group as backup if the radius method fails.

What can you tell us about what your requirements are?



Jagdeep Gambhir Mon, 03/16/2009 - 13:14

You can add the same NAS for RADIUS and TACACS, but the host name has to be different.


Host Name | IP | Authenticate using
NAS1 | | Radius
NAS2 | | Tacacs



Do rate helpful posts

muralee29477 Tue, 03/17/2009 - 00:31

My requirement is to add a single device in ACS v4 to authenticate using RADIUS and TACACS.

For PPP we will be using RADIUS.

For telnet and SSH login we will use TACACS.

In the NAS I have done the config, but I am not sure how to do it in ACS.

Based on these, can you advise something?

Thanks a lot.


darpotter Tue, 03/17/2009 - 02:07

So in the ACS network config you add 2 NASes (or should that be NASi?)

One is of type TACACS+, enter the device ip and secret. The other is RADIUS - unless you need to use some vendor specific trickery you could stick with IETF RADIUS to keep it simple. Again enter the IP and the secret.

Assuming you have at least 1 user in say, the default group (ACS group 0) you then need to do some basic setup. In ACS a single group can have both RADIUS and TACACS+ config :-)

RADIUS will pretty much default to PPP anyway, but you should still set the Service-Type to Framed and set session timeouts etc.

With T+ you tick the boxes for the services that are allowed. For SSH login you might have to define a custom service first (under interface config)

Suggest you first take time to scan through the ACS docs.
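
Added example, not part of any post in this thread: a NAS-side IOS configuration that lines up with the two ACS entries described above, with PPP authenticating to RADIUS and VTY logins to TACACS+. The server address 192.0.2.10, the method-list names, the interface names, the local account and the bracketed secrets are all placeholders assumed for illustration.

```cisco
! Added example: NAS-side IOS config. Names, addresses and keys are placeholders.
aaa new-model
!
! A local account so the "local" fallback below has something to check against
username localadmin secret <local-password>
!
! Login sessions (telnet/SSH to the VTYs): TACACS+ first,
! local only if the server does not respond
aaa authentication login VTY-TACACS group tacacs+ local
! PPP sessions: RADIUS
aaa authentication ppp PPP-RADIUS group radius
! Console stays on local accounts so an ACS outage cannot lock out the device
aaa authentication login CONSOLE local
!
! ACS matches an AAA client on the source IP of the request, so pin both
! protocols to the address entered in the two ACS network-device entries
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
! 192.0.2.10 stands in for the ACS server; use a different secret per protocol
tacacs-server host 192.0.2.10 key <tacacs-secret>
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <radius-secret>
!
interface Group-Async1
 encapsulation ppp
 ppp authentication chap PPP-RADIUS
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication VTY-TACACS
 transport input telnet ssh
```

Each secret has to match the one entered in the corresponding ACS entry (the TACACS+ entry and the RADIUS entry), since both entries point at the same device IP.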

Jagdeep Gambhir Tue, 03/17/2009 - 07:42

Simply add nas



IP ---->


Authenticate using --->Radius IETF



IP ----->

secret ----->x.x.x.x

Authenticate using---->tacacs IOS



Do rate helpful posts

