Single NAS for TACACS and Radius on cisco ACS v4

muralee29477
Level 1

Hi

I am presently using ACS v4. Is there any way that I could configure a device to authenticate using TACACS and RADIUS together in ACS?


darpotter
Level 5

On the ACS side there is nothing to stop you entering the same device twice - for RADIUS and for TACACS+.

hi

tks for the reply

How can I do this in ACS?

best regards

muralee

Muralee

We could give you better advice if we understood more about your environment and about what you are really trying to accomplish.

I have configured routers doing dial access where the dial access PPP sessions authenticate to Radius and the sessions to the VTY authenticate to TACACS. Are you trying to accomplish something like that?

It would also be possible to set up a router so that the VTY authenticate to Radius and the console authenticates to TACACS if you wanted that. Or it should work if you want to configure authentication using the radius group as primary and use the tacacs group as backup if the radius method fails.

What can you tell us about what your requirements are?

HTH

Rick


You can add the same NAS for RADIUS and TACACS, but the host name has to be different.

Example

Host Name    IP         Authenticate using
NAS1         4.1.1.1    Radius
NAS2         4.1.1.1    Tacacs

Regards,

~JG

Do rate helpful posts

Hi

My requirement is to add a single device in ACS v4 to authenticate using RADIUS and TACACS.

device 1.1.1.1

for ppp we will be using radius

for telnet and ssh login we will use tacacs

In the NAS I have done the config but I am not sure how to do it in ACS.

Based on these, can you advise something?

tks a lot

muralee

So in the ACS network config you add 2 NASes (or should that be NASi?)

One is of type TACACS+, enter the device ip and secret. The other is RADIUS - unless you need to use some vendor specific trickery you could stick with IETF RADIUS to keep it simple. Again enter the IP and the secret.

Assuming you have at least 1 user in, say, the default group (ACS group 0), you then need to do some basic setup. In ACS a single group can have both RADIUS and TACACS+ config :-)

RADIUS will pretty much default to PPP anyway, but you should still set the Service-Type to Framed and set session timeouts etc.

With T+ you tick the boxes for the services that are allowed. For SSH login you might have to define a custom service first (under interface config)

Suggest you first take time to scan through the ACS docs.

Simply add NAS

1
Name ---> device
IP ---> 1.1.1.1
secret ---> xxxxx
Authenticate using ---> Radius IETF

2
Name ---> device1
IP ---> 1.1.1.1
secret ---> x.x.x.x
Authenticate using ---> tacacs IOS

Regards,

~JG

Do rate helpful posts
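
Router-side configuration matching the requirement discussed in this thread (PPP sessions to RADIUS, telnet/SSH logins to TACACS+, device 1.1.1.1), as an added example that is not from any poster in the thread. Assumptions: the ACS server address 192.0.2.10 is a constructed value, Loopback0 carries 1.1.1.1, and the list name VTY-TACACS, the interface Virtual-Template1 and the bracketed secrets are placeholders.

```cisco
! Added example (not from the thread). 192.0.2.10, Loopback0, VTY-TACACS,
! Virtual-Template1 and the <...> values are assumptions/placeholders.
aaa new-model
!
! Local account so the device stays reachable if ACS is down
username <LOCAL-ADMIN> secret <LOCAL-PASSWORD>
!
! Telnet/SSH logins on the VTYs: TACACS+ first, local as fallback
aaa authentication login VTY-TACACS group tacacs+ local
aaa authorization exec VTY-TACACS group tacacs+ local
!
! PPP sessions: RADIUS
aaa authentication ppp default group radius
aaa authorization network default group radius
!
! One shared secret per protocol, each matching its own ACS NAS entry
tacacs-server host 192.0.2.10 key <TACACS-SECRET>
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <RADIUS-SECRET>
!
! ACS matches an AAA client by source IP, so source both protocols
! from the interface that holds 1.1.1.1 (the IP entered in both entries)
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
line vty 0 4
 login authentication VTY-TACACS
 authorization exec VTY-TACACS
 transport input ssh telnet
!
! PPP interface uses the default ppp list defined above (RADIUS)
interface Virtual-Template1
 ppp authentication chap
```

The TACACS+ key must equal the secret on the ACS entry of type TACACS+ and the RADIUS key the secret on the RADIUS entry; a mismatch on either one fails only that protocol, which makes it easy to isolate from the ACS failed-attempts log.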
