Tacacs+ server as Radius server

Hi,

I have a Cisco Secure ACS 3.3 Solution Engine server which I'm currently using as a TACACS+ server for authenticating some network communication engineers who change routing configs on the network. Now I want to deploy 802.1x on the network and need to use the same server as a RADIUS server. How can I achieve this?

Regds.,

Segun

2 REPLIES

Re: Tacacs+ server as Radius server


The golden rule is to make sure device admins are in their own group(s).

You then need NARs to prevent "vanilla" users from being able to log in to the routers.

So you could do this:

1) Create an NDG or NAF that contains the managed devices.

2) In the Admins ACS group, add a "permitted" IP-based NAR allowing access to the "managed" devices.

3) In all other groups, add a very simple IP-based NAR that either permits nothing or denies everything.

Note that the IP-based NAR will have no effect on vanilla users doing 802.1x (a CLI/DNIS NAR would work there). However, if a non-admin tried to log in to a router, their group NAR would cause a reject.

Darran
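
A simplified model of the NAR layout described in the reply above, added here as an example; it is not part of the original thread and is not ACS code. Group names, device names and addresses are constructed, and the rule that an IP-based NAR is skipped when the caller ID is not an IP address is taken from the reply's note about 802.1x.

```python
import ipaddress

# Constructed sample data: device names, group names and addresses are hypothetical.
MANAGED_NDG = {"core-rtr-1", "core-rtr-2"}   # step 1: NDG holding the managed devices
ALL = "*"                                    # wildcard meaning "every AAA client"

# One IP-based NAR per ACS group: (mode, AAA clients the filter covers).
GROUP_IP_NAR = {
    "Admins": ("permit", MANAGED_NDG),       # step 2: permitted only on managed devices
    "Staff": ("deny", {ALL}),                # step 3: deny everything
}

def is_ip(value):
    """True when the caller ID parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def nar_decision(group, aaa_client, caller_id):
    """Verdict of the group's IP-based NAR only (credentials are checked elsewhere).

    caller_id stands for the TACACS+ remote address or the RADIUS
    Calling-Station-Id. An 802.1x request carries a MAC address there,
    so the IP-based filter is not evaluated (assumption from the reply).
    """
    mode, clients = GROUP_IP_NAR[group]
    if not is_ip(caller_id):
        return "accept"                      # IP-based NAR has no effect
    matched = ALL in clients or aaa_client in clients
    if mode == "permit":
        return "accept" if matched else "reject"
    return "reject" if matched else "accept"

def audit(requests):
    """Evaluate a list of (group, aaa_client, caller_id) tuples."""
    return [(req, nar_decision(*req)) for req in requests]

if __name__ == "__main__":
    sample = [                               # constructed requests
        ("Admins", "core-rtr-1", "192.0.2.10"),         # admin CLI login to a router
        ("Staff", "core-rtr-1", "192.0.2.20"),          # non-admin CLI login to a router
        ("Staff", "access-sw-1", "00-11-22-33-44-55"),  # 802.1x port authentication
        ("Admins", "access-sw-1", "192.0.2.10"),        # admin on an unmanaged device
    ]
    for req, verdict in audit(sample):
        print(req, "->", verdict)
```

Running the policy matrix this way before touching the server makes it easy to spot a group whose NAR would lock out 802.1x users or leave router logins open to non-admins.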
