I want to authenticate Spectralink phones via LEAP (RADIUS, Aironet) and IT staff logging onto the CLI via TACACS+, all off the same ACS server.
The only way I have gotten this to work is to set up TWO Network Device Groups and add the access point in TWICE (with different unique hostnames), one profile authenticating with RADIUS and the other with TACACS+.
Is this the right way to go about it? Why can't I pick two authentication methods under the one AAA client profile?
The AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on the network device; you can assign any name. What is important is the IP address, which is what allows the device and ACS to communicate via each AAA protocol.
If your device needs to use both TACACS+ and RADIUS to authenticate two different sets of users, then your method is right. This is because a device entry with the same name cannot use both AAA protocols to authenticate users (they are different operations). You have to use two different names, both on the same IP, one for TACACS+ and one for RADIUS.
I am using the same approach to authenticate remote access clients and network admins on my Access Server.
"The trick is how to stop a non-admin user from being able to log in via T+ onto the device CLI ;)"
I'm just implementing AAA in our environment and have run into this issue. Is there a way in ACS to control this problem? I had to add the following authorization statement to the switch, plus explicitly deny all shell access to the unnecessary groups, to prevent my Active Directory accounts from being able to log in...
When using group mapping to Active Directory for wireless user authentication, should it be the same: deny the non-admin groups via a CLI NAR against the "All AAA Clients" dropdown? Or should they be denied via an IP-based NAR against the AAA Clients dropdown?
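For reference, here is the device-side half of the setup the thread describes, written out as an added example (it is not configuration posted by anyone in the thread). It assumes an Aironet IOS access point, an ACS server at 192.0.2.10 that is registered in ACS twice with that same IP (one AAA client entry using RADIUS (Cisco Aironet) for the phones, a second entry with a different name using TACACS+ for administrators), and placeholder shared secrets. The list names `eap_methods` and `ADMIN`, the SSID, the VLAN and the local fallback user are all assumed. The CLI never consults RADIUS, so a phone account can only reach the device through the `dot11` EAP list; on the ACS side, the admin group gets "Shell (exec)" enabled under its TACACS+ settings and the wireless/AD groups do not, so `aaa authorization exec` rejects any non-admin who does present valid TACACS+ credentials.

```cisco
! Added example: Aironet IOS AP serving LEAP clients via RADIUS and
! administrators via TACACS+, both against one ACS server (192.0.2.10 assumed).
aaa new-model
!
! RADIUS (LEAP / 802.1X) - matches the ACS AAA client entry using RADIUS (Cisco Aironet)
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key RADIUS-SECRET-PLACEHOLDER
!
! TACACS+ (CLI / web UI) - matches the second ACS AAA client entry, same IP, different name
tacacs-server host 192.0.2.10 key TACACS-SECRET-PLACEHOLDER
!
! Named login list used only by the wireless EAP exchange
aaa authentication login eap_methods group rad_eap
!
! Default lists used by vty / console / HTTP: TACACS+ first, local user only if ACS is down
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
! Local fallback admin (assumed); never reachable while ACS answers
username localadmin privilege 15 secret LOCAL-SECRET-PLACEHOLDER
!
! LEAP SSID for the phones (name and VLAN assumed)
dot11 ssid SPECTRALINK
 vlan 40
 authentication network-eap eap_methods
 guest-mode
!
interface Dot11Radio0
 ssid SPECTRALINK
!
! Web UI of the AP also goes through the default (TACACS+) lists
ip http authentication aaa
!
line vty 0 4
 login authentication default
 authorization exec default
```

Because the EAP list and the login list point at different protocols, ACS receives the phone's LEAP request on the RADIUS entry and an administrator's login on the TACACS+ entry, which is exactly why the same IP has to be registered twice. If the exec-authorization deny for wireless groups is not in place on the ACS side, a wireless user who knows the TACACS+ path would still fail only at the `aaa authorization exec` step, so keep that line rather than relying on authentication alone.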