Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

AAA Authentication query

Hi,

Anybody know if its possible to have "login" and "network" users authenticating against 2 different Radius servers on a router? i.e. Sys admins auth against radius server 1 for logging in and ppp/network users auth against radius server 2. How is this achieved?

2 REPLIES
Silver

Re: AAA Authentication query

As far as my knowledge goes, this it is not possible.

Hall of Fame Super Gold

Re: AAA Authentication query

If I understand your question correctly I am doing that on several routers with tacacs and it looks in the documentation like the same thing would work for radius.

The key concept is server groups in aaa. I define one group for admin login and point it at one server. I define a second group for network/ppp (user) and point it at other server. In aaa I define a special authentication method for admin and link it to the admin server group. I define the default authentication for login and link it to the user server group. On the vty ports I link them to the admin login method.

Key parts of the config:

aaa group server tacacs+ admin_TAC

server 192.168.1.1

!

aaa group server tacacs+ user_TAC

server 192.168.2.1

aaa authentication login default group user_TAC

aaa authentication login admin group admin_TAC line

aaa authentication ppp default if-needed group user_TAC

line vty 0 4

login authentication admin

Rick

316
Views
0
Helpful
2
Replies
CreatePlease to create content