https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457576#M312444 <HTML><HEAD></HEAD><BODY><P>I meant that in ASA I needed to define 2 aaa servers (one for tacacs and one for radius).</P><P>When integrating ASA with ACS4.2 I could use only tacacs server (for command authorization and vpn policy as well).</P><P></P><P>thx and regards</P><P>P</P></BODY></HTML> Thu, 12 Aug 2010 07:51:41 GMT Przemyslaw Konitz 2010-08-12T07:51:41Z https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457570#M312438 <P>hi everyone,</P><P></P><P>can anyone explain why tacacs+ can't be used with network access services?</P><P></P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/4/8/3/6384-ScreenShot147.jpg" alt="ScreenShot147.jpg" class="jive-image-thumbnail jive-image" height="142" onclick="" width="463" /></P><P>I know that main purpose of tacacs is command authorization but as I remember with ACS 4.2 it was possible. For example for PPP purpose.</P><P></P><P>thx and regards</P><P></P><P>Przemek</P> Mon, 11 Mar 2019 00:19:28 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457570#M312438 Przemyslaw Konitz 2019-03-11T00:19:28Z https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457571#M312439 <HTML><HEAD></HEAD><BODY><P>On ACS 5.x </P><P>Default Device Admin = Tacacs+</P><P>Default Network Access = Radius</P><P></P><P>This is determined by the service selection rules.&nbsp; Without other information it appears that you tried to process a Tacacs request with the Default Network Access somehow.</P></BODY></HTML> Wed, 11 Aug 2010 20:45:17 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457571#M312439 michagar 2010-08-11T20:45:17Z https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457572#M312440 <HTML><HEAD></HEAD><BODY><P>thx for reply</P><P></P><P>I think this is not the case that Default Network Access is selected in response to TACACS request cause I have other "Access Services" created and default one is even deactivated.</P><P></P><P>even in log there is my vpn-access-rule selected</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/0/7/3/6370-ScreenShot152.jpg" class="jive-image" /></P><P></P><P>In your opinion this should work? I mean using Tacacs+ with Network Access service.</P><P></P><P>Can anyone confirm it?</P><P>regards</P></BODY></HTML> Thu, 12 Aug 2010 06:48:00 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457572#M312440 Przemyslaw Konitz 2010-08-12T06:48:00Z https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457573#M312441 <HTML><HEAD></HEAD><BODY><P><SPAN style="background-color: #f8fafd;">TACACS+ requests can only be handled by access services with the Service Type set to "Device Administration".</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">If type is NetworkAccess it will fail. Please check the Service Type defined for the Access Service "VPM-access"</SPAN></P></BODY></HTML> Thu, 12 Aug 2010 06:54:54 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457573#M312441 jrabinow 2010-08-12T06:54:54Z https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457574#M312442 <HTML><HEAD></HEAD><BODY><P>thx for explaination</P><P></P><P>I was afraid that this was the case. So if ASA need to control command authorization and verify user credentials in vpn policy (with attributes for that vpn policy) I need to define 2 seperate AAA servers? First as tacacs and 2nd as RADIUS?</P></BODY></HTML> Thu, 12 Aug 2010 07:07:49 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457574#M312442 Przemyslaw Konitz 2010-08-12T07:07:49Z https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457575#M312443 <HTML><HEAD></HEAD><BODY><P>Not sure if I follow the question. However, a single ACS server can be used to process both RADIUS and TACACS+ requests</P><P></P><P>This is in fact the sample services and selection rules that are provide upon product installation. Performs service selection according to the protocol and then selects either: "Default Device Admin" and "Default Network Access" accordingly</P></BODY></HTML> Thu, 12 Aug 2010 07:29:41 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457575#M312443 jrabinow 2010-08-12T07:29:41Z https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457576#M312444 <HTML><HEAD></HEAD><BODY><P>I meant that in ASA I needed to define 2 aaa servers (one for tacacs and one for radius).</P><P>When integrating ASA with ACS4.2 I could use only tacacs server (for command authorization and vpn policy as well).</P><P></P><P>thx and regards</P><P>P</P></BODY></HTML> Thu, 12 Aug 2010 07:51:41 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-tacacs-issue-witch-quot-network-access-quot-access/m-p/1457576#M312444 Przemyslaw Konitz 2010-08-12T07:51:41Z