https://community.cisco.com/t5/network-access-control/wlc-with-acs-5-1-radius-for-management-and-network-users/m-p/1454861#M312802 <P>Hi,</P><P></P><P>I have setup RADIUS authentication for Management AND network users, on my NM-WLC (running 5.2) against ACS 5.1</P><P></P><P>My Question is :-</P><P></P><P>For Admin users to login, I need to return "Service-Type=Administrative-User" in order for it to work.</P><P></P><P>Since the ACS sees all requests coming in from the same device (WLC) for Admin as well as Network users,</P><P>the way I am currently handling this is by creating a filter based on user-name</P><P></P><P>&nbsp;&nbsp;&nbsp; So, users that contain "admin" in their user-id, use one set of</P><P>&nbsp;&nbsp;&nbsp; Network Access Authorization Policy, which has an associated Authorization Profile, with RADIUS attributes.</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Normal users, have a different "Network Access Authorization Policy Rule", with another Profile.</P><P></P><P></P><P>While this DOES WORK fine, I am still left wondering if there is a better way to do this, rather than create a rule,</P><P>based on user-name.</P><P></P><P>&nbsp;&nbsp; I could use TACACS+ for Management, but I dont think ACS&nbsp; allows the same AAA client (WLC) to use both protocols.</P><P></P><P></P><P>Thanks</P> Mon, 11 Mar 2019 00:13:52 GMT shahedvoicerite 2019-03-11T00:13:52Z https://community.cisco.com/t5/network-access-control/wlc-with-acs-5-1-radius-for-management-and-network-users/m-p/1454861#M312802 <P>Hi,</P><P></P><P>I have setup RADIUS authentication for Management AND network users, on my NM-WLC (running 5.2) against ACS 5.1</P><P></P><P>My Question is :-</P><P></P><P>For Admin users to login, I need to return "Service-Type=Administrative-User" in order for it to work.</P><P></P><P>Since the ACS sees all requests coming in from the same device (WLC) for Admin as well as Network users,</P><P>the way I am currently handling this is by creating a filter based on user-name</P><P></P><P>&nbsp;&nbsp;&nbsp; So, users that contain "admin" in their user-id, use one set of</P><P>&nbsp;&nbsp;&nbsp; Network Access Authorization Policy, which has an associated Authorization Profile, with RADIUS attributes.</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Normal users, have a different "Network Access Authorization Policy Rule", with another Profile.</P><P></P><P></P><P>While this DOES WORK fine, I am still left wondering if there is a better way to do this, rather than create a rule,</P><P>based on user-name.</P><P></P><P>&nbsp;&nbsp; I could use TACACS+ for Management, but I dont think ACS&nbsp; allows the same AAA client (WLC) to use both protocols.</P><P></P><P></P><P>Thanks</P> Mon, 11 Mar 2019 00:13:52 GMT https://community.cisco.com/t5/network-access-control/wlc-with-acs-5-1-radius-for-management-and-network-users/m-p/1454861#M312802 shahedvoicerite 2019-03-11T00:13:52Z https://community.cisco.com/t5/network-access-control/wlc-with-acs-5-1-radius-for-management-and-network-users/m-p/1454862#M312803 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You can use RADIUS and TACACS at the same time, without any problems (I have done it my self several times), you can then use different service selection rules based on whether the request came via RADIUS or TACACS.&nbsp; The limitation of only supporting RADIUS OR TACACS on applies to v4.2 and earlier.</P><P></P><P>Rgds,</P><P></P><P>Richard</P></BODY></HTML> Mon, 05 Jul 2010 15:30:33 GMT https://community.cisco.com/t5/network-access-control/wlc-with-acs-5-1-radius-for-management-and-network-users/m-p/1454862#M312803 Richard Atkin 2010-07-05T15:30:33Z https://community.cisco.com/t5/network-access-control/wlc-with-acs-5-1-radius-for-management-and-network-users/m-p/1454863#M312804 <HTML><HEAD></HEAD><BODY><P>Thanks. Earlier I was trying to add the same client twice with different protocols.</P><P></P><P>Just tried checking both checkboxes (radius &amp; tacacs+), for a single aaa client, and it let me do that.</P><P></P><P></P><P>So I guess I *CAN* use TACACS+ for Management and RADIUS for Network users....</P><P></P><P>&nbsp;&nbsp;&nbsp; But is that the way its normally done ?</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; What if I only wanted to use RADIUS only ?</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Is there a better way to distinguish between Management and network users ??</P><P></P><P></P><P>Thanks</P></BODY></HTML> Mon, 05 Jul 2010 15:36:59 GMT https://community.cisco.com/t5/network-access-control/wlc-with-acs-5-1-radius-for-management-and-network-users/m-p/1454863#M312804 shahedvoicerite 2010-07-05T15:36:59Z https://community.cisco.com/t5/network-access-control/wlc-with-acs-5-1-radius-for-management-and-network-users/m-p/1454864#M312805 <HTML><HEAD></HEAD><BODY><P>I think this is a very common way for things to be done</P><P></P><P>You may notice that out of the box ACS 5 comes preinstalled with a service selection policy that differentiates requests based on the protocol and directs either to a "Default Network Access" or "Default Device Admin" service</P><P></P><P>If you only want to do RADIUS can either disable or delete the rule for TACACS+ requests or not select TACACS+ in device definitions</P></BODY></HTML> Tue, 06 Jul 2010 06:29:58 GMT https://community.cisco.com/t5/network-access-control/wlc-with-acs-5-1-radius-for-management-and-network-users/m-p/1454864#M312805 jrabinow 2010-07-06T06:29:58Z