04-08-2004 07:03 AM - edited 03-10-2019 07:44 AM
Hi,
Anybody know if it's possible to have "login" and "network" users authenticating against 2 different Radius servers on a router? i.e. Sys admins auth against radius server 1 for logging in and ppp/network users auth against radius server 2. How is this achieved?
04-15-2004 06:17 AM
As far as my knowledge goes, this is not possible.
04-30-2004 11:57 AM
If I understand your question correctly, I am doing that on several routers with tacacs, and it looks in the documentation like the same thing would work for radius.
The key concept is server groups in aaa. I define one group for admin login and point it at one server. I define a second group for network/ppp (user) and point it at the other server. In aaa I define a special authentication method for admin and link it to the admin server group. I define the default authentication for login and link it to the user server group. On the vty ports I link them to the admin login method.
Key parts of the config:
aaa group server tacacs+ admin_TAC
 server 192.168.1.1
!
aaa group server tacacs+ user_TAC
 server 192.168.2.1
!
aaa authentication login default group user_TAC
aaa authentication login admin group admin_TAC line
aaa authentication ppp default if-needed group user_TAC
!
line vty 0 4
 login authentication admin
Rick