Anybody know if it's possible to have "login" and "network" users authenticating against 2 different RADIUS servers on a router? I.e., sys admins auth against RADIUS server 1 for logging in and ppp/network users auth against RADIUS server 2. How is this achieved?
If I understand your question correctly, I am doing that on several routers with TACACS, and it looks in the documentation like the same thing would work for RADIUS.
The key concept is server groups in AAA. I define one group for admin login and point it at one server. I define a second group for network/ppp (user) and point it at the other server. In AAA I define a special authentication method for admin and link it to the admin server group. I define the default authentication for login and link it to the user server group. On the vty ports I link them to the admin login method.
Key parts of the config:
aaa group server tacacs+ admin_TAC
aaa group server tacacs+ user_TAC
aaa authentication login default group user_TAC
aaa authentication login admin group admin_TAC line
aaa authentication ppp default if-needed group user_TAC
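
The same layout written out for RADIUS, as an added example that is not part of the original reply. It assumes an IOS release that supports named `radius server` blocks; the server names, group names, the 192.0.2.x addresses (documentation range), the local account and the bracketed secrets are constructed placeholders.

```cisco
! Added example: two RADIUS server groups, one per user population.
! All names, addresses and secrets are placeholders (assumptions).
aaa new-model
!
! Server 1: administrators logging in to the router
radius server ADMIN_RAD
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <ADMIN_SHARED_SECRET>
!
! Server 2: ppp/network users
radius server USER_RAD
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <USER_SHARED_SECRET>
!
aaa group server radius admin_RAD
 server name ADMIN_RAD
!
aaa group server radius user_RAD
 server name USER_RAD
!
! Default login and ppp methods go to the user server group
aaa authentication login default group user_RAD
aaa authentication ppp default if-needed group user_RAD
!
! Named method "admin" goes to the admin server group.
! Fallback is "local" here rather than "line" as in the reply above,
! so a per-user account is checked if the admin server is unreachable.
aaa authentication login admin group admin_RAD local
username breakglass privilege 15 secret <LOCAL_FALLBACK_SECRET>
!
! Bind the vty lines to the admin method, as the reply describes
line vty 0 4
 login authentication admin
 transport input ssh
```

Any line that is not bound to a named method (the console, for example) uses the `default` list, which in this layout points at the user server group.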