Cisco Support Community

Radius-Server & Tacacs-Server command - Order of Preference

Hello Friends,

I know both of the commands below do the same AAA server reference, but I would like to know the order of preference.

That is, which one takes priority: the radius-server command or the tacacs-server command?

radius-server host 192.168.1.1

tacacs-server host 192.168.1.2

Thanks in advance

SAIRAM

1 ACCEPTED SOLUTION


Re: Radius-Server & Tacacs-Server command - Order of Preference

Hi Sairam,

There is no default order of preference. The first authentication (authorization) method configured (first written in the command) takes precedence and, if it fails, the next one is validated.

Example configuration of authentication/authorization (RADIUS is evaluated first; if it fails, then TACACS+ takes place):

Router(config)#aaa new-model

Router(config)#aaa authentication login RADTAC group radius group tacacs+

Router(config)#aaa authorization exec RADTAC group radius group tacacs+

Rolf is right; I just wanted to rephrase it so it would become clearer, hopefully.

Best regards,

Jan

3 REPLIES

Re: Radius-Server & Tacacs-Server command - Order of Preference

Hi,

I'm not sure if I understand the question correctly.

The order of methods is configured in the aaa-commands, e.g. authentication login:

aaa authentication login RADIUSFIRST group radius group tacacs+

aaa authentication login TACACSFIRST group tacacs+ group radius

If you have several authentication-servers of the same type for different purposes, you can define server groups:

tacacs-server host 192.168.1.1

tacacs-server host 172.16.1.1

aaa group server tacacs+ DIALIN

      server 192.168.1.1

aaa group server tacacs+ MGMT

      server 172.16.1.1

aaa authentication login CONSOLE group MGMT local

aaa authentication ppp DIALIN local

line con 0

      login authentication CONSOLE

Within a group (including the default groups) IOS searches for hosts in the order in which you specify them.

Cisco IOS Security Command Reference:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html

HTH

Rolf
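An added example, not part of any post in this thread: a small Python resolver that reads IOS-style AAA lines and returns the order in which methods and servers would be consulted for a named login list, then walks that order for one login. It models the documented IOS behaviour that the next server or method is tried only when the previous one gives no response, while a reject ends the attempt. The function names `resolve` and `walk`, the `replies` model and the sample config are assumptions made for illustration; timeouts, retransmits and dead-time are not modelled.

```python
import re

# Constructed sample config, modelled on the commands quoted in this thread.
SAMPLE_CONFIG = """\
radius-server host 192.168.1.1
tacacs-server host 192.168.1.2
tacacs-server host 172.16.1.1
aaa group server tacacs+ MGMT
 server 172.16.1.1
aaa authentication login RADTAC group radius group tacacs+
aaa authentication login CONSOLE group MGMT local
"""

def resolve(config, list_name):
    """Return [(method, [servers])] for a login method list, in configured order."""
    hosts = {"radius": [], "tacacs+": []}      # default groups: every host, as written
    groups, lists, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1].isspace():                  # sub-command of the open server group
            if current is not None and (m := re.match(r"server (\S+)", line)):
                current.append(m[1])
            continue
        current = None
        if m := re.match(r"(radius|tacacs)-server host (\S+)", line):
            hosts["radius" if m[1] == "radius" else "tacacs+"].append(m[2])
        elif m := re.match(r"aaa group server \S+ (\S+)", line):
            current = groups.setdefault(m[1], [])
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            lists[m[1]] = m[2].split()
    groups.update(hosts)                       # "radius" / "tacacs+" are built-in groups
    order, tokens = [], iter(lists[list_name])
    for tok in tokens:
        if tok == "group":
            name = next(tokens)
            order.append((f"group {name}", groups.get(name, [])))
        else:
            order.append((tok, []))            # local, enable, none, ...
    return order

def walk(order, replies):
    """Simulate one login; a server missing from replies is unreachable (assumed model)."""
    for method, servers in order:
        if not method.startswith("group "):
            return method                      # non-server method decides on the device
        for server in servers:
            if server in replies:              # any answer ends the walk, reject included
                return f"{replies[server]} by {server}"
    return "no method answered"
```

With the sample config, a reject from 192.168.1.1 on list RADTAC ends the login without TACACS+ being consulted, and list CONSOLE reaches `local` only when 172.16.1.1 does not answer.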



Radius-Server & Tacacs-Server command - Order of Preference

Thank you Jan & Rolf. It helped me, and thanks for your time.

SAIRAM
