
Using two ACS for two different authentication on one router

Oct 17th, 2006

I have a router which needs to be authenticated by two ACS servers for two different functions. E.g., for ISDN dialing into the router, it gets the authentication from ACS A, while for command authentication, the router needs to talk to ACS B. Can this be done? If yes, how?

Thanks,

sweeann

ethiel Tue, 10/17/2006 - 20:55

It sure can. You just need separate groups for each. For example:


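! AAA must be enabled before the aaa commands below are accepted
aaa new-model
! Ports are given here so they match the server entries in the groups
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key secretkey
radius-server host 2.2.2.2 auth-port 1812 acct-port 1813 key secretkey
aaa group server radius consolegrp
 server 1.1.1.1 auth-port 1812 acct-port 1813
aaa group server radius isdngrp
 server 2.2.2.2 auth-port 1812 acct-port 1813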


Then use the following:


aaa authentication login default group consolegrp
aaa authorization exec default group consolegrp
aaa authentication ppp default group isdngrp

You can change that as necessary (e.g. change console to TACACS) but that is the general template for multiple server groups.


-Eric
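
Added example, not part of the thread or any poster's code: a Python check that reads an IOS-style AAA config, shows which RADIUS server each method list ends up using, and flags groups or servers that are referenced but never defined. It assumes a group's server entry must match a global radius-server host by address and ports, with 1645/1646 as the defaults; the sample config and the group name admingrp are constructed.

```python
import re

# Constructed sample config (not from the thread); addresses are placeholders.
SAMPLE = """\
aaa new-model
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key secretkey
radius-server host 2.2.2.2 key secretkey
aaa group server radius consolegrp
 server 1.1.1.1 auth-port 1812 acct-port 1813
aaa group server radius isdngrp
 server 2.2.2.2 auth-port 1812 acct-port 1813
aaa authentication login default group consolegrp
aaa authentication ppp default group isdngrp
aaa authentication login vty group admingrp local
"""

DEFAULT_PORTS = {"auth-port": "1645", "acct-port": "1646"}  # assumed IOS defaults

def endpoint(ip, line):
    """Return (ip, auth-port, acct-port), falling back to the assumed defaults."""
    ports = [(re.search(rf"{k} (\d+)", line) or [None, d])[1] for k, d in DEFAULT_PORTS.items()]
    return (ip, *ports)

def audit(config):
    """Map each AAA method list to its RADIUS servers and collect findings."""
    hosts, groups, lists, current = set(), {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            current = None  # a top-level command ends any server-group block
        if m := re.match(r"radius-server host (\S+)", line):
            hosts.add(endpoint(m[1], line))
        elif m := re.match(r"aaa group server radius (\S+)", line):
            current = groups.setdefault(m[1], [])
        elif (m := re.match(r"server (\S+)", line)) and current is not None:
            current.append(endpoint(m[1], line))
        elif m := re.match(r"aaa (authentication|authorization) (\S+) (\S+) (.*)", line):
            lists[f"{m[1]} {m[2]} {m[3]}"] = re.findall(r"group (\S+)", m[4])
    findings = []
    for name, used in lists.items():
        findings += [("undefined-group", name, g) for g in used
                     if g not in groups and g not in ("radius", "tacacs+")]
    for g, servers in groups.items():
        findings += [("undefined-server", g, s) for s in servers if s not in hosts]
    routing = {n: sorted({s[0] for g in used for s in groups.get(g, [])})
               for n, used in lists.items()}
    return routing, findings

if __name__ == "__main__":
    routing, findings = audit(SAMPLE)
    print(routing)
    print(findings)
```

A method list that resolves to no server, as the vty list does here, depends entirely on whatever fallback method follows the group, so it is worth reviewing before the config is deployed.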

sweeann Tue, 10/17/2006 - 23:15

Eric,


I believe that'll do the job. Thanks for the input.


-sweeann

darpotter Wed, 10/18/2006 - 02:36

If you take a look at ACS v4.0 NAP (Network Access Profiles) you should be able to consolidate your ACSs down to a single server.


You can create a NAP for each service with its own config.


Maybe worth looking at.
