Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Cisco Support Community site will be in read only mode on Dec14, 2017 from 12:01am PST to 11:30am for standard maintenance. Sorry for the inconvenience.

New Member

ACS 4.0 authentications

Can a single ACS server be used for both TACACS and RADIUS authentication for a single device? For example on an access point I have TACACS pointed to a production 3.3 ACS server for admin authentication and RADIUS pointed to a lab 4.0 ACS server for VLAN assignment using RADIUS. Can I point both RADIUS and TACACS to the same server for both admin terminal auth and 802.1x auth? And segregate the access of each by the groups on ACS? These groups are dynamically mapped to windows domain groups also, if that matters any. If I point them both at the same ACS server it appears that all authenticated users are able to access the console/terminal.

Here's the aaa setup lines:

aaa new-model

aaa group server radius rad_eap

server 192.168.28.60 auth-port 1645 acct-port 1646

aaa group server tacacs+ tac_auth

server 192.168.28.54

aaa authentication login console line

aaa authentication login eap_methods group rad_eap

aaa authentication login admin_auth group tac_auth local enable

tacacs-server host 192.168.28.54

tacacs-server key 7 <removed>

radius-server host 192.168.28.60 auth-port 1645 acct-port 1646 key 7 <removed>

dot11 ssid <removed>

vlan 12

authentication open eap eap_methods

authentication network-eap eap_methods

authentication key-management wpa

line con 0

exec-timeout 0 0

login authentication admin_auth

password 7 <removed>

line vty 0 4

exec-timeout 0 0

password 7 <removed>

login authentication admin_auth

transport input ssh

line vty 5 15

password 7 <removed>

login authentication admin_auth

transport input ssh

3 REPLIES

Re: ACS 4.0 authentications

Yes, you can achieve this as ACS has both TACACS+ and Radius services running together.

On ACS, create/add the device under 2 different protocols (tacacs+ and radius). Assign a different name to differentiate the device with tacacs+ and radius, but maintai the same IP Address.

On your device, make sure you have aaa statement that point to tacacs+ and radius:

tacacs-server host 171.68.118.101

tacacs-server key cisco

radius-server host 171.68.118.101

radius-server key cisco

Hope this helps. Pls rate useful post(s).

AK

Re: ACS 4.0 authentications

For radius-server, you can either leave the it to use default value, or manually set the auth-port & acct-port to 1645/1646 or 1812/1813.

HTH

AK

New Member

Re: ACS 4.0 authentications

If I use TACACS for administration authentication and RADIUS for port authentication how do I keep RADIUS users from being able to log onto the console/telnet?

146
Views
0
Helpful
3
Replies
CreatePlease to create content