Simultaneous Radius & TACACS+ Support on WLC

Unanswered Question
Apr 3rd, 2009

I currently have my controller configured in my Cisco Secure ACS (ver 3.3) as a Radius NAS.

This is for the wireless clients that authenticate using PEAP.


Now I would like to set up my controller to use TACACS+ for management. I see where to configure it on the controller, which looks straightforward.


However, I am not sure what to do on the ACS. If a controller is already configured for Radius, how can I configure it to also support TACACS+? I don't see an option to have it support both. I can't add the same controller in twice either.


Any suggestions/recommendations are appreciated.


I'm wondering if my only option is to set up management using Radius too.

mscherting Mon, 04/06/2009 - 09:51

Try entering your controller again with a different name:


ControllerName-TACACS

Use the same IP, device group & shared secret, then select TACACS+ (Cisco) instead of Radius for authentication.


You end up with two entries for each device that requires both, one for TACACS & one for Radius.




c.fuller Tue, 04/07/2009 - 11:42

Thank you. That worked. I created one group called controllers-tacacs and listed each of my controllers and selected TACACS+ for authentication type.


However, I still can't get the controller to use TACACS+ for management. I added in the ACS information using port 49 under the Security -> TACACS -> Authentication menu option. It does not have the option to pick network user or management like the Radius authentication menu does. So I just entered all the valid data: shared secret, port, enabled, etc. I used the same shared secret as the controllers-tacacs group I created on the ACS.


However, the controller does not use tacacs+ for management logins. I still have to use the local mgmt users account.


Anyone have any ideas?



mscherting Wed, 04/08/2009 - 09:15

Sounds like what my WiSMs did when I first set them up for TACACS.


Have you tried restarting the ACS service? Network Configuration > Service Control > Restart

