ACS 5.1 - TACACS+ issue with "network access" access services

Answered Question
Aug 11th, 2010

hi everyone,

can anyone explain why tacacs+ can't be used with network access services?

[Attachment: ScreenShot147.jpg]

I know that the main purpose of TACACS+ is command authorization, but as I remember, with ACS 4.2 it was possible. For example, for PPP purposes.

thx and regards

Przemek

michagar Wed, 08/11/2010 - 13:45

On ACS 5.x

Default Device Admin = Tacacs+

Default Network Access = Radius

This is determined by the service selection rules.  Without other information it appears that you tried to process a Tacacs request with the Default Network Access somehow.

Przemyslaw Konitz Wed, 08/11/2010 - 23:48

thx for reply

I don't think it's the case that Default Network Access is selected in response to the TACACS+ request, because I have other "Access Services" created and the default one is even deactivated.

Even in the log, my vpn-access-rule is the one selected.

In your opinion, should this work? I mean using TACACS+ with a Network Access service.

Can anyone confirm it?

regards

Correct Answer
jrabinow Wed, 08/11/2010 - 23:54

TACACS+ requests can only be handled by access services with the Service Type set to "Device Administration".

If type is NetworkAccess it will fail. Please check the Service Type defined for the Access Service "VPM-access"

Przemyslaw Konitz Thu, 08/12/2010 - 00:07

thx for the explanation

I was afraid that this was the case. So if the ASA needs to control command authorization and also verify user credentials in the VPN policy (with attributes for that VPN policy), do I need to define 2 separate AAA servers? The first as TACACS+ and the 2nd as RADIUS?

jrabinow Thu, 08/12/2010 - 00:29

Not sure if I follow the question. However, a single ACS server can be used to process both RADIUS and TACACS+ requests.

These are in fact the sample services and selection rules that are provided upon product installation. Service selection is performed according to the protocol, and then either "Default Device Admin" or "Default Network Access" is selected accordingly.

Przemyslaw Konitz Thu, 08/12/2010 - 00:51

I meant that on the ASA I need to define 2 AAA servers (one for TACACS+ and one for RADIUS).

When integrating the ASA with ACS 4.2 I could use only a TACACS+ server (for command authorization and VPN policy as well).

thx and regards

P
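To make the outcome of the thread concrete, here is an added example of the ASA side that results from jrabinow's answer: one ACS 5.x server handles both protocols, but because TACACS+ requests are routed only to a "Device Administration" access service and RADIUS to a "Network Access" service, the ASA needs two aaa-server groups pointing at the same ACS host, one per protocol. This is example configuration written for this page, not configuration posted by any participant; the group names ACS-TACACS and ACS-RADIUS, the interface name, the host address 10.0.0.5, the shared secrets and the tunnel-group name RA-VPN are all assumptions.

```cisco
! Assumed: ACS 5.x at 10.0.0.5 reachable via the "inside" interface.
! TACACS+ group -> ACS "Default Device Admin" (Device Administration) service:
! used for SSH/enable login and command authorization on the ASA itself.
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 10.0.0.5
 key tacacs-shared-secret
!
! RADIUS group -> ACS "Default Network Access" (Network Access) service:
! used to authenticate remote-access VPN users and return VPN policy attributes.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.0.0.5
 key radius-shared-secret
!
! Device administration: authenticate admins and authorize commands via TACACS+.
! LOCAL is kept as a fallback so an unreachable ACS does not lock you out.
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
aaa authorization command ACS-TACACS LOCAL
aaa accounting command ACS-TACACS
!
! Remote-access VPN: authenticate tunnel users against the RADIUS group.
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RADIUS
```

On the ACS side, the default service selection rules already send TACACS+ to "Default Device Admin" and RADIUS to "Default Network Access" (the behaviour michagar describes), so no extra rule is needed unless custom access services are in use; in that case the service matched by the RADIUS rule must have Service Type "Network Access" and the one matched by the TACACS+ rule must be "Device Administration". Use distinct shared secrets for the two groups, and check the ACS log after the first login to confirm each request hits the intended service.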
