Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACS. 802.1x, Tacacs and Radius


I think i have a simple question: I wan't do activate 802.1x on our siwtches(about 800 devices: 6500,3500,3600,4500,...). We use for telnet Tacacs for authentication,authorization and accounting. For 802.1x i need to configure raidius on the switches. So my question is: Can i run Radius and Tacacs

for the same device or do i have to cahnge the telnet-authenticatoin/authorization to Radius. In the NetworkDeviceGroup configuration on ACS4.1 i can only define Tacacs or Radius for the authentication type for one device.


Re: ACS. 802.1x, Tacacs and Radius

Yes you can run RADIUS and TACACS+ in parallel.

In the ACS network config db you need to enter each device twice - once for each protocol.

New Member

Re: ACS. 802.1x, Tacacs and Radius

TACACS+ is better recomended, due to better accounting, authorization and the ENCRYPTION it uses for communication, where as RADIUS is plain/clear text algorithm.

Since you are using TELNET which is total clear text, then using TACACS provides you some security through its encyption., I would prefer TACACS over RADIUS Since you have all Cisco based network.

New Member

Re: ACS. 802.1x, Tacacs and Radius


I know, this is the reason why i am useing tacacs. But can i use Tacacs in combination with 802.1x and/or NAC??


Re: ACS. 802.1x, Tacacs and Radius

No you cant use TACACS+ for NAC and 802.1x.

...and NAC over RADIUS *IS* encrypted. The entire exchange occurs inside a tunnel which just happens to be carried over RADIUS.

EAP-FAST/EAP-PEAP both use encrypted tunnels for their protocols.

T+ is still king for device admin or any network service that uses/needs good/flexible authorisation. For everything else there's RADIUS.