05-15-2006 01:17 AM - edited 03-10-2019 02:35 PM
Hi,
I have a Cisco Secure ACS 3.3 Solution Engine server which I'm currently using as a TACACS+ server for authenticating some network communication engineers who change routing configs on the network. Now I want to deploy 802.1x on the network and need to use the same server as a RADIUS server. How can I achieve this?
Regds.,
Segun
05-15-2006 01:48 AM
Hi,
You can use the ACS3.3 box to do both TACACS+ and Radius authentication.
For 802.1x authentication, it can be applied for wired and wlan infrastructure devices.
Similar to the TACACS+ configuration, you need to add the target network devices as AAA clients using the RADIUS protocol.
Refer to the following url for 802.1x configuration both wired and wlan devices:
WLAN:
2. http://www.ciscotaccc.com/kaidara-advisor/wireless/showcase?case=K23706307
Switch:
ACS 3.3 Appliance - authentication:
Rgds,
AK
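As an added example (not part of AK's reply or any Cisco document), this is the switch-side Cisco IOS configuration that matches the ACS setup described above: TACACS+ for the engineers' CLI logins and RADIUS for 802.1X port authentication, both pointing at the same ACS 3.3 box. The server address 10.1.1.10, the shared secrets and the local fallback account are placeholders; each secret must match the AAA client entry created for this switch in ACS. One caveat to check on your version: ACS 3.x ties one "Authenticate Using" protocol to each AAA client entry, so the same switch address normally needs two entries (one TACACS+, one RADIUS) under different names.

```cisco
! Added example: IOS switch side of a combined TACACS+ / RADIUS ACS 3.3 setup.
! 10.1.1.10, TacacsSecret123, RadiusSecret123 and the local user are placeholders.
aaa new-model
!
! Device administration (the existing use case): CLI logins and exec
! authorization go to TACACS+, falling back to the local database only if
! the ACS server cannot be reached. Keep a local account for that case.
username fallback-admin privilege 15 secret ChangeMe123
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.1.1.10 key TacacsSecret123
!
! 802.1X (the new use case): supplicant credentials are relayed over RADIUS
! to the same ACS server. No ports are given, so IOS uses 1645/1646; ACS 3.x
! also listens on 1812/1813 if you prefer the standard pair.
aaa authentication dot1x default group radius
radius-server host 10.1.1.10 key RadiusSecret123
dot1x system-auth-control
!
! Access port with 802.1X enforced. Do not apply this to uplinks, trunks or
! the port you manage the switch through.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
```

Note that the `login` method list deliberately contains only `group tacacs+` and `local`, never `group radius`, so an 802.1X identity cannot be presented at the CLI over RADIUS. Because both protocols share ACS's single user database, however, this alone does not stop a vanilla 802.1X user from authenticating to the switch over TACACS+; that restriction has to be applied on the ACS side, per group, as the next reply describes.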
05-15-2006 04:01 AM
The golden rule is to make sure device admins are in their own group(s).
You then need NARs to prevent "vanilla" users from being able login to the routers.
So you could do this:
1) Create an NDG or NAF that contain the managed devices.
2) In the Admins ACS group add a "permitted" ip-based NAR allowing access to the "managed" devices
3) In all other groups add a very simple ip-based NAR that either permits nothing or denies everything.
Note that the ip-based NAR will have no effect on vanilla users doing 802.1x (a CLI/DNIS NAR would work there). However, if a non-admin tried to log in to a router, their group NAR would cause a reject.
Darran