Radius-Server & Tacacs-Server command - Order of Preference

snarayanaraju
Level 4

Hello Friends,

I know both of the commands below do the same AAA server reference, but I would like to know the order of preference.

That is, which one takes priority: the radius-server command or the tacacs-server command?

radius-server host 192.168.1.1

tacacs-server host 192.168.1.2

Thanks in advance

SAIRAM

Accepted Solutions

Jan Hrnko
Level 4

Hi Sairam,

There is no default order of preference. The first authentication (authorization) method configured (first written in the command) takes precedence, and if it fails, the next one is validated.

Example configuration of authentication/authorization (RADIUS is evaluated first; if it fails, then TACACS+ takes place):

Router(config)#aaa new-model

Router(config)#aaa authentication login RADTAC group radius group tacacs+

Router(config)#aaa authorization exec RADTAC group radius group tacacs+

Rolf is right; I just wanted to rephrase it so it would become clearer, hopefully.

Best regards,

Jan

3 Replies

Rolf Fischer
Level 9

Hi,

I'm not sure if I understand the question correctly.

The order of methods is configured in the aaa-commands, e.g. authentication login:

aaa authentication login RADIUSFIRST group radius group tacacs+

aaa authentication login TACACSFIRST group tacacs+ group radius

If you have several authentication-servers of the same type for different purposes, you can define server groups:

tacacs-server host 192.168.1.1

tacacs-server host 172.16.1.1

aaa group server tacacs+ DIALIN

      server 192.168.1.1

aaa group server tacacs+ MGMT

      server 172.16.1.1

aaa authentication login CONSOLE group MGMT local

aaa authentication ppp DIALIN group DIALIN local

line con 0

     login authentication CONSOLE

Within a group (including the default groups) IOS searches for hosts in the order in which you specify them.

Cisco IOS Security Command Reference:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html

HTH

Rolf
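
The lookup order described in this thread (methods in the order written in the aaa command, then hosts in the order listed within each group), as an added Python example that is not from any of the posters or from Cisco. The function names, the sample configuration and the NOSUCH group are constructed for illustration, and it assumes the `radius-server host` / `tacacs-server host` syntax used in the thread.

```python
import re

# Constructed sample, modelled on the commands quoted in the thread.
SAMPLE_CONFIG = """\
radius-server host 192.168.1.1
tacacs-server host 192.168.1.2
tacacs-server host 172.16.1.1
aaa group server tacacs+ MGMT
 server 172.16.1.1
aaa authentication login RADTAC group radius group tacacs+
aaa authentication login CONSOLE group MGMT local
aaa authorization exec RADTAC group NOSUCH local
"""

def resolve_method_lists(config):
    """Map each AAA method list to [(method, [hosts in try order]), ...]."""
    groups = {"radius": [], "tacacs+": []}  # default groups: every host of that type
    lists, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"(radius|tacacs)-server host (\S+)", line):
            groups["radius" if m[1] == "radius" else "tacacs+"].append(m[2])
        elif m := re.match(r"aaa group server \S+ (\S+)", line):
            current = groups.setdefault(m[1], [])
            continue
        elif raw[:1].isspace() and current is not None and (m := re.match(r"server (\S+)", line)):
            current.append(m[1])
            continue
        elif m := re.match(r"aaa (authentication|authorization) (\S+) (\S+) (.+)", line):
            lists[f"{m[1]} {m[2]} {m[3]}"] = m[4].split()
        current = None  # any other line ends the server-group sub-mode
    resolved = {}
    for name, tokens in lists.items():  # second pass: groups may be defined after use
        methods, it = [], iter(tokens)
        for tok in it:
            if tok == "group":
                grp = next(it, "")
                methods.append((f"group {grp}", list(groups.get(grp, []))))
            else:
                methods.append((tok, []))  # local, enable, none, ...
        resolved[name] = methods
    return resolved

def dangling_groups(resolved):
    """Names of method lists that reference a server group with no hosts."""
    return sorted(n for n, ms in resolved.items()
                  if any(m.startswith("group ") and not hosts for m, hosts in ms))
```

Note that IOS moves to the next method in a list only when the current method returns an error, such as no server responding; a rejection from a reachable server ends the attempt.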

Thank you, Jan & Rolf. It helped me, and thanks for your time.

SAIRAM
