Cisco Support Community

New Member
ACS 5.1 - tacacs+ issue with "network access" access services

Hi everyone,

Can anyone explain why TACACS+ can't be used with network access services?

[attachment: ScreenShot147.jpg]

I know that the main purpose of TACACS+ is command authorization, but as I remember, with ACS 4.2 it was possible, for example for PPP.

thx and regards

Przemek

ACCEPTED SOLUTION
Cisco Employee

Re: ACS 5.1 - tacacs+ issue with "network access" access services

TACACS+ requests can only be handled by access services with the Service Type set to "Device Administration".

If the type is Network Access, it will fail. Please check the Service Type defined for the Access Service "VPM-access".

6 REPLIES
Cisco Employee

Re: ACS 5.1 - tacacs+ issue with "network access" access services

On ACS 5.x:

Default Device Admin = TACACS+

Default Network Access = RADIUS

This is determined by the service selection rules. Without other information, it appears that you tried to process a TACACS+ request with the Default Network Access service somehow.

New Member

Re: ACS 5.1 - tacacs+ issue with "network access" access services

thx for the reply

I think this is not the case that Default Network Access is selected in response to the TACACS+ request, because I have other "Access Services" created and the default one is even deactivated.

Even in the log, my vpn-access rule is selected.

In your opinion, should this work? I mean using TACACS+ with a Network Access service.

Can anyone confirm it?

regards

New Member

Re: ACS 5.1 - tacacs+ issue with "network access" access services

thx for the explanation

I was afraid that this was the case. So if the ASA needs to control command authorization and verify user credentials in the VPN policy (with attributes for that VPN policy), I need to define 2 separate AAA servers? First as TACACS+ and 2nd as RADIUS?

Cisco Employee

Re: ACS 5.1 - tacacs+ issue with "network access" access services

Not sure if I follow the question. However, a single ACS server can be used to process both RADIUS and TACACS+ requests.

This is in fact the sample services and selection rules that are provided upon product installation. It performs service selection according to the protocol and then selects either "Default Device Admin" or "Default Network Access" accordingly.

New Member

Re: ACS 5.1 - tacacs+ issue with "network access" access services

I meant that on the ASA I needed to define 2 AAA servers (one for TACACS+ and one for RADIUS).

When integrating the ASA with ACS 4.2, I could use only the TACACS+ server (for command authorization and the VPN policy as well).

thx and regards

P
