11-17-2006 01:29 PM - edited 03-10-2019 02:50 PM
Can a single ACS server be used for both TACACS and RADIUS authentication for a single device? For example on an access point I have TACACS pointed to a production 3.3 ACS server for admin authentication and RADIUS pointed to a lab 4.0 ACS server for VLAN assignment using RADIUS. Can I point both RADIUS and TACACS to the same server for both admin terminal auth and 802.1x auth? And segregate the access of each by the groups on ACS? These groups are dynamically mapped to windows domain groups also, if that matters any. If I point them both at the same ACS server it appears that all authenticated users are able to access the console/terminal.
Here are the aaa setup lines:
aaa new-model
aaa group server radius rad_eap
 server 192.168.28.60 auth-port 1645 acct-port 1646
aaa group server tacacs+ tac_auth
 server 192.168.28.54
aaa authentication login console line
aaa authentication login eap_methods group rad_eap
aaa authentication login admin_auth group tac_auth local enable
tacacs-server host 192.168.28.54
tacacs-server key 7 <removed>
radius-server host 192.168.28.60 auth-port 1645 acct-port 1646 key 7 <removed>
dot11 ssid <removed>
 vlan 12
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
line con 0
 exec-timeout 0 0
 login authentication admin_auth
 password 7 <removed>
line vty 0 4
 exec-timeout 0 0
 password 7 <removed>
 login authentication admin_auth
 transport input ssh
line vty 5 15
 password 7 <removed>
 login authentication admin_auth
 transport input ssh
11-17-2006 04:49 PM
Yes, you can achieve this as ACS has both TACACS+ and Radius services running together.
On ACS, create/add the device under 2 different protocols (tacacs+ and radius). Assign a different name to differentiate the device with tacacs+ and radius, but maintain the same IP address.
On your device, make sure you have aaa statement that point to tacacs+ and radius:
tacacs-server host 171.68.118.101
tacacs-server key cisco
radius-server host 171.68.118.101
radius-server key cisco
Hope this helps. Pls rate useful post(s).
AK
11-17-2006 04:52 PM
For radius-server, you can either leave it to use the default value, or manually set the auth-port & acct-port to 1645/1646 or 1812/1813.
HTH
AK
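The device-side half of the separation the replies above describe is that the console and vty lines must be bound only to a login method list backed by the TACACS+ group (plus local/enable), while the RADIUS group is referenced only by the dot11/802.1X method list. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses an IOS AAA configuration in the style posted above and flags any con/vty line whose login method list reaches a RADIUS server group. The embedded config is constructed to mirror the posted one (same group and list names); the function names and the finding format are the example's own.

```python
"""Audit an IOS AAA config: verify console/vty login lists never use a RADIUS group.

Added example, not from the thread. Parses the three things that matter here:
  aaa group server <radius|tacacs+> <name>
  aaa authentication login <list> <method ...>
  line <con|vty ...>  /  login authentication <list>
and reports any line whose bound list contains a RADIUS-backed method.
"""
import re

# Constructed sample modelled on the config posted in the thread (not the exact file).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
 server 192.168.28.60 auth-port 1645 acct-port 1646
aaa group server tacacs+ tac_auth
 server 192.168.28.54
aaa authentication login console line
aaa authentication login eap_methods group rad_eap
aaa authentication login admin_auth group tac_auth local enable
line con 0
 login authentication admin_auth
line vty 0 4
 login authentication admin_auth
 transport input ssh
line vty 5 15
 login authentication admin_auth
 transport input ssh
"""


def parse_server_groups(config):
    """Map 'aaa group server' names to their protocol ('radius' or 'tacacs+')."""
    groups = {}
    for m in re.finditer(r"^aaa group server (radius|tacacs\+) (\S+)", config, re.M):
        groups[m.group(2)] = m.group(1)
    return groups


def parse_login_lists(config):
    """Map each 'aaa authentication login' list name to its method tokens."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    return lists


def parse_line_bindings(config):
    """Map each 'line ...' section to the login list it uses ('default' if none)."""
    bindings, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            bindings[current] = "default"
        elif current and raw.startswith(" login authentication "):
            bindings[current] = raw.split()[-1]
        elif current and not raw.startswith(" "):
            current = None  # left the line sub-mode
    return bindings


def method_protocols(methods, groups):
    """Resolve method tokens to (method, protocol); non-group methods are local."""
    out, toks = [], iter(methods)
    for tok in toks:
        if tok == "group":
            name = next(toks)
            # 'group radius' / 'group tacacs+' mean all servers of that protocol;
            # otherwise look up the named server group.
            proto = name if name in ("radius", "tacacs+") else groups.get(name, "unknown")
            out.append((f"group {name}", proto))
        else:
            out.append((tok, "local"))  # local, local-case, enable, line, none
    return out


def audit(config):
    """Return (line, list, reason) findings for lines that could admit RADIUS users."""
    groups, lists, findings = parse_server_groups(config), parse_login_lists(config), []
    for line, listname in parse_line_bindings(config).items():
        methods = lists.get(listname)
        if methods is None:
            findings.append((line, listname, "method list not defined; verify the fallback"))
            continue
        for method, proto in method_protocols(methods, groups):
            if proto == "radius":
                findings.append((line, listname, f"{method} is RADIUS: 802.1X users reach the CLI"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or [("all lines", "-", "only TACACS+/local methods")]:
        print(*finding, sep=" | ")
```

Run against the constructed sample it reports nothing, because every con/vty line uses admin_auth (group tac_auth, then local, then enable) and rad_eap appears only in eap_methods. Rebinding a vty to eap_methods produces a finding. The other half of the separation lives on the ACS side and is not covered by this script: in ACS 3.x/4.x, whether a group may open a TACACS+ shell (exec) is a per-group TACACS+ setting, so a group that only needs RADIUS VLAN assignment should not have it granted (stated from general ACS knowledge, not from the thread).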
11-20-2006 05:15 AM
If I use TACACS for administration authentication and RADIUS for port authentication how do I keep RADIUS users from being able to log onto the console/telnet?