Radius-Server & Tacacs-Server command - Order of Preference

Answered Question
Sep 27th, 2013

Hello Friends,


I know both of the commands below do the same AAA server reference, but I would like to know the order of preference.


That is, which one takes priority: the radius-server command or the tacacs-server command?


radius-server host 192.168.1.1

tacacs-server host 192.168.1.2


Thanks in advance


SAIRAM

Rolf Fischer Sat, 09/28/2013 - 01:08

Hi,


I'm not sure if I understand the question correctly.

The order of methods is configured in the aaa-commands, e.g. authentication login:


aaa authentication login RADIUSFIRST group radius group tacacs+

aaa authentication login TACACSFIRST group tacacs+ group radius


If you have several authentication-servers of the same type for different purposes, you can define server groups:


tacacs-server host 192.168.1.1

tacacs-server host 172.16.1.1

aaa group server tacacs+ DIALIN

      server 192.168.1.1

aaa group server tacacs+ MGMT

      server 172.16.1.1

aaa authentication login CONSOLE group MGMT local

aaa authentication ppp DIALIN local

line con 0

     login authentication CONSOLE



Within a group (including the default groups) IOS searches for hosts in the order in which you specify them.

Cisco IOS Security Command Reference:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html


HTH

Rolf

Correct Answer
Jan Hrnko Sat, 09/28/2013 - 01:54

Hi Sairam,


There is no default order of preference. The first authentication (authorization) method configured (first written in the command) takes precedence, and if it fails, the next one is validated.


Example configuration of authentication/authorization (1st RADIUS is evaluated. If it fails, then TACACS+ takes place):


Router(config)#aaa new-model

Router(config)#aaa authentication login RADTAC group radius group tacacs+

Router(config)#aaa authorization exec RADTAC group radius group tacacs+


Rolf is right, I just wanted to rephrase it so it would become clearer, hopefully.


Best regards,

Jan

snarayanaraju Mon, 09/30/2013 - 14:21

Thank you Jan & Rolf. It helped me, and thanks for your time.


SAIRAM
