Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
690
Views
10
Helpful
6
Replies

Authenticating against RADIUS *AND* TACACS

aho
Level 1
Level 1

‎05-14-2006 04:27 PM - edited ‎03-10-2019 02:35 PM

G'day...

Toys:

Cisco Secure ACS 3.2

Cisco 1242 Access Points

I want to authenticate spectralink phones via LEAP (Radius Aironet) and IT staff logging onto the CLI via TACACS+, all off the same ACS Server.

The only way I have gotten this to work is to setup TWO Network Device Groups, and add the access point in TWICE (with different unique hostnames). One authenticating RADIUS, and the other profile authenticating TACACS.

Is this the right way to go about it? Why can't I pick two authentication methods under the one AAA Client profile?

Cheers,

Andrew.

Labels:
0 Helpful
6 Replies 6

a.kiprawih
Level 7
Level 7

‎05-14-2006 09:29 PM

Hi,

The AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device, you can assign any name. What is important is the IP Address to allow the device and ACS to communicate via each AAA protocol.

If your device need to use both TACACS+ and RADIUS to authenticate 2 different users, then your method is right. This is because a device with same name cannot use both AAA methods to authenticate users - different operation. You have to use 2 different names, but running on the same IP on both TACACS+ and RADIUS.

I am using the same approach to authenticate remote access clients and network admin in my Access Server.

Rgds,

AK

aho
Level 1
Level 1
In response to a.kiprawih

‎05-14-2006 09:52 PM

Thanks for that...

Sounds like the way I did it is how it's supposed to be done. Just checking that there wasn't a more elegant and "neater" solution than having two entries for the one AAA client!

Thanks again :)

Andrew.

0 Helpful

darpotter
Level 5
Level 5
In response to aho

‎05-15-2006 03:53 AM

This is indeed the way it should be done - in that sense you can think of RADIUS & TACACS+ as being two interfaces on the same same device.

Many people use a naming convention (eg device_R or _T) to distinquish between the two.

The trick is how to stop a non-admin user from being able login via T+ onto the device CLI ;)

Darran

0 Helpful

ben.bass0
Level 1
Level 1
In response to darpotter

‎06-02-2006 06:01 AM

"The trick is how to stop a non-admin user from being able login via T+ onto the device CLI ;)"

I'm just implementing aaa in our environment and have run into this issue. Is there a way in ACS to control this problem? I had to add the following authorization statement to the switch plus explicitly deny all shell access to unnecessary groups to prevent my active directory accounts from being able to log in...

aaa authorization exec default group tacacs local

0 Helpful

darpotter
Level 5
Level 5
In response to ben.bass0

‎06-06-2006 02:03 AM

Hi, yes it can be done.

The key is that ACS has two types of NAR:

IP Based NAR - used mainly by T+ (L3)

CLI/DNIS NAR - used mainly by RADIUS (L2)

The names were poorly chosen as they are in effect layer 2 and layer 3 filters.

So in your non-admin groups add an IP NAR that denies everything or permits nothing. This will prevent a dial/wlan/vpn/etc user being able to login a device

et voila :)

Darran

0 Helpful

jvr775
Level 1
Level 1
In response to darpotter

‎07-30-2006 07:39 PM

Darran,

In the instance of using group mapping to Active directory for Wireless user authentication, should it be the same to Deny the non-admin groups via CLI NAR to the all AAA Clients dropdown? Or should it be deny them via IP Based NAR to the AAA Clients dropdown.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents