
Tacacs+ server as Radius server

o.oresotu
Level 1

Hi,

I have a Cisco Secure ACS 3.3 Solution Engine server which I'm currently using as a TACACS+ server for authenticating some network communication engineers who change routing configs on the network. Now I want to deploy 802.1x on the network and need to use the same server as a RADIUS server. How can I achieve this?

Regards,

Segun

2 Replies

darpotter
Level 5

The golden rule is to make sure device admins are in their own group(s).

You then need NARs to prevent "vanilla" users from being able login to the routers.

So you could do this:

1) Create an NDG or NAF that contain the managed devices.

2) In the Admins ACS group add a "permitted" ip-based NAR allowing access to the "managed" devices

3) In all other groups add a very simple ip-based NAR that either permits nothing or denies everything.

Note that the IP-based NAR will have no effect on vanilla users doing 802.1x (a CLI/DNIS NAR would work there). However, if a non-admin tried to log in to a router, their group NAR would cause a reject.

Darran
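The ACS-side pieces of Darran's answer (the NDG/NAF, the admin group, and the per-group NARs) are configured in the ACS web interface and have no text form to show. What can be shown is the device side that makes one ACS serve both roles: the managed router authenticating CLI logins over TACACS+ and an access switch authenticating 802.1x supplicants over RADIUS against the same server. This is an added Cisco IOS configuration example, not part of the original post or of Cisco's documentation; the ACS address 10.0.0.5, the Loopback0 source, the list name ADMINS, the interface, and the shared secrets are all assumptions.

```text
! ===== Router managed by the network engineers (TACACS+ only) =====
! The IP-based NARs on the ACS match on the AAA client address, so pin the
! source interface to the address that is in the "managed devices" NDG/NAF.
aaa new-model
tacacs-server host 10.0.0.5 key <tacacs-shared-secret>
ip tacacs source-interface Loopback0
!
! Login and exec authorization go to TACACS+; local user is the fallback
! for the case where the ACS is unreachable.
aaa authentication login ADMINS group tacacs+ local
aaa authorization exec ADMINS group tacacs+ local
username recovery privilege 15 secret <fallback-password>
!
line vty 0 4
 login authentication ADMINS
 authorization exec ADMINS
!
! ===== Access switch doing 802.1x (RADIUS to the same ACS) =====
aaa new-model
radius-server host 10.0.0.5 key <radius-shared-secret>
ip radius source-interface Loopback0
!
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
```

Two checks worth making after this is in place: the "deny everything" IP-based NAR in the vanilla groups only comes into play on the TACACS+ login path to the router, so a non-admin's 802.1x authentication from the switch should still succeed, while the same account attempting an SSH/Telnet login to the router should be rejected by the ACS. The RADIUS UDP ports are left at the IOS defaults here; confirm they match the ports the ACS is actually listening on before blaming the NARs for a failed 802.1x test.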