450 Views, 0 Helpful, 3 Replies

ACS 4.0 authentications

David Niemann
Level 3

Can a single ACS server be used for both TACACS and RADIUS authentication for a single device? For example on an access point I have TACACS pointed to a production 3.3 ACS server for admin authentication and RADIUS pointed to a lab 4.0 ACS server for VLAN assignment using RADIUS. Can I point both RADIUS and TACACS to the same server for both admin terminal auth and 802.1x auth? And segregate the access of each by the groups on ACS? These groups are dynamically mapped to windows domain groups also, if that matters any. If I point them both at the same ACS server it appears that all authenticated users are able to access the console/terminal.

Here are the aaa setup lines:

aaa new-model
!
! RADIUS server group: used by the wireless EAP (802.1X) method list below
aaa group server radius rad_eap
 server 192.168.28.60 auth-port 1645 acct-port 1646
!
! TACACS+ server group: used by the admin login method list below
aaa group server tacacs+ tac_auth
 server 192.168.28.54
!
! Method lists. "console" is defined but not applied to any line below;
! line con 0 and the vtys use admin_auth (TACACS+, then local, then enable).
aaa authentication login console line
aaa authentication login eap_methods group rad_eap
aaa authentication login admin_auth group tac_auth local enable
!
! Type 7 keys/passwords are reversible obfuscation (service password-encryption), not hashes
tacacs-server host 192.168.28.54
tacacs-server key 7 <removed>
radius-server host 192.168.28.60 auth-port 1645 acct-port 1646 key 7 <removed>
!
! Wireless clients on this SSID authenticate via eap_methods (RADIUS only)
dot11 ssid <removed>
 vlan 12
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
! Management lines: exec-timeout 0 0 disables the idle timeout entirely
line con 0
 exec-timeout 0 0
 login authentication admin_auth
 password 7 <removed>
line vty 0 4
 exec-timeout 0 0
 password 7 <removed>
 login authentication admin_auth
 transport input ssh
line vty 5 15
 password 7 <removed>
 login authentication admin_auth
 transport input ssh

3 Replies

a.kiprawih
Level 7

Yes, you can achieve this as ACS has both TACACS+ and Radius services running together.

On ACS, create/add the device under 2 different protocols (TACACS+ and RADIUS). Assign a different name to differentiate the TACACS+ and RADIUS entries for the device, but maintain the same IP address.

On your device, make sure you have aaa statements that point to TACACS+ and RADIUS:

tacacs-server host 171.68.118.101
tacacs-server key cisco
radius-server host 171.68.118.101
radius-server key cisco

Hope this helps. Pls rate useful post(s).

AK

For radius-server, you can either leave it at the default values, or manually set the auth-port and acct-port to 1645/1646 or 1812/1813.

HTH

AK

If I use TACACS for administration authentication and RADIUS for port authentication how do I keep RADIUS users from being able to log onto the console/telnet?
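The first reply says the AP can point both protocols at a single ACS, and the follow-up asks how to keep users who only need RADIUS (802.1X) from getting a console or vty prompt. The thread leaves that unanswered; the configuration below is an added example, not configuration posted in this thread or taken from Cisco, showing one way to lay it out on the AP. It assumes 192.0.2.10 as the single ACS address, placeholder shared secrets and SSID, that the ACS side has the AP registered for both protocols as the reply describes, and that only the admin groups have "Shell (exec)" enabled under their TACACS+ Settings in ACS. The separation comes from adding TACACS+ exec authorization, which the original config lacks: login authentication only establishes who the user is, and without an authorization step any account ACS can authenticate gets a shell. Whether `aaa authorization console` is available on this AP platform is also an assumption.

```ios
! Added example (not from the thread): one ACS server, 192.0.2.10 (assumed), for both protocols.
aaa new-model
!
! RADIUS server group: referenced only by the dot11 EAP method list.
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! TACACS+ server group: referenced only by the management-plane method lists.
aaa group server tacacs+ tac_auth
 server 192.0.2.10
!
! Same IP for both protocols, with separate shared secrets (placeholders, assumed).
tacacs-server host 192.0.2.10
tacacs-server key <tacacs-shared-secret>
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <radius-shared-secret>
!
! Authentication answers "who is this?". Both lists end up at the same ACS user
! store, so a wireless-only account CAN authenticate on admin_auth too.
aaa authentication login eap_methods group rad_eap
aaa authentication login admin_auth group tac_auth local
!
! Authorization answers "may this user have an exec shell?". The AP asks ACS over
! TACACS+; ACS grants it only to groups/users whose TACACS+ Settings have
! "Shell (exec)" enabled (assumed to be the admin groups only). A FAIL from ACS
! is final: IOS only falls through to "local" when the server is unreachable.
! Do not add "if-authenticated" here; it would hand a shell to anyone who
! merely authenticated, which is the symptom described in the thread.
aaa authorization exec admin_auth group tac_auth local
!
! By default IOS skips authorization on the console line; this makes the
! console honour the exec authorization list as well (support on this AP is assumed).
aaa authorization console
!
! Wireless side is unchanged: RADIUS only, VLAN assignment comes from ACS.
dot11 ssid <ssid>
 vlan 12
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
! Management lines: authenticate and then authorize exec through TACACS+.
line con 0
 login authentication admin_auth
 authorization exec admin_auth
line vty 0 15
 login authentication admin_auth
 authorization exec admin_auth
 transport input ssh
```

Keep the `local` fallback and a local admin account so a lost ACS does not lock you out of the console, and test the denial path (a RADIUS-only test account at the vty) before removing any existing access. If group membership is driven by Windows domain group mapping as in the original post, the "Shell (exec)" setting has to be made on the mapped ACS groups, not on individual users. An alternative or complementary control on the ACS side is a per-group Network Access Restriction that limits which AAA clients a wireless-only group may authenticate against.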