https://community.cisco.com/t5/network-access-control/acs-4-0-authentications/m-p/680911#M422419 <P>Can a single ACS server be used for both TACACS and RADIUS authentication for a single device? For example on an access point I have TACACS pointed to a production 3.3 ACS server for admin authentication and RADIUS pointed to a lab 4.0 ACS server for VLAN assignment using RADIUS. Can I point both RADIUS and TACACS to the same server for both admin terminal auth and 802.1x auth? And segregate the access of each by the groups on ACS? These groups are dynamically mapped to windows domain groups also, if that matters any. If I point them both at the same ACS server it appears that all authenticated users are able to access the console/terminal.</P><P></P><P>Here's the aaa setup lines:</P><P></P><P>aaa new-model</P><P>aaa group server radius rad_eap</P><P> server 192.168.28.60 auth-port 1645 acct-port 1646</P><P>aaa group server tacacs+ tac_auth</P><P> server 192.168.28.54</P><P>aaa authentication login console line</P><P>aaa authentication login eap_methods group rad_eap</P><P>aaa authentication login admin_auth group tac_auth local enable</P><P>tacacs-server host 192.168.28.54</P><P>tacacs-server key 7 &lt;removed&gt;</P><P>radius-server host 192.168.28.60 auth-port 1645 acct-port 1646 key 7 &lt;removed&gt;</P><P></P><P></P><P>dot11 ssid &lt;removed&gt;</P><P> vlan 12</P><P> authentication open eap eap_methods </P><P> authentication network-eap eap_methods </P><P> authentication key-management wpa</P><P></P><P></P><P>line con 0</P><P> exec-timeout 0 0</P><P> login authentication admin_auth</P><P>password 7 &lt;removed&gt;</P><P>line vty 0 4</P><P> exec-timeout 0 0</P><P> password 7 &lt;removed&gt;</P><P> login authentication admin_auth</P><P> transport input ssh</P><P>line vty 5 15</P><P> password 7 &lt;removed&gt;</P><P> login authentication admin_auth</P><P> transport input ssh</P> Sun, 10 Mar 2019 21:50:59 GMT David Niemann 2019-03-10T21:50:59Z https://community.cisco.com/t5/network-access-control/acs-4-0-authentications/m-p/680911#M422419 <P>Can a single ACS server be used for both TACACS and RADIUS authentication for a single device? For example on an access point I have TACACS pointed to a production 3.3 ACS server for admin authentication and RADIUS pointed to a lab 4.0 ACS server for VLAN assignment using RADIUS. Can I point both RADIUS and TACACS to the same server for both admin terminal auth and 802.1x auth? And segregate the access of each by the groups on ACS? These groups are dynamically mapped to windows domain groups also, if that matters any. If I point them both at the same ACS server it appears that all authenticated users are able to access the console/terminal.</P><P></P><P>Here's the aaa setup lines:</P><P></P><P>aaa new-model</P><P>aaa group server radius rad_eap</P><P> server 192.168.28.60 auth-port 1645 acct-port 1646</P><P>aaa group server tacacs+ tac_auth</P><P> server 192.168.28.54</P><P>aaa authentication login console line</P><P>aaa authentication login eap_methods group rad_eap</P><P>aaa authentication login admin_auth group tac_auth local enable</P><P>tacacs-server host 192.168.28.54</P><P>tacacs-server key 7 &lt;removed&gt;</P><P>radius-server host 192.168.28.60 auth-port 1645 acct-port 1646 key 7 &lt;removed&gt;</P><P></P><P></P><P>dot11 ssid &lt;removed&gt;</P><P> vlan 12</P><P> authentication open eap eap_methods </P><P> authentication network-eap eap_methods </P><P> authentication key-management wpa</P><P></P><P></P><P>line con 0</P><P> exec-timeout 0 0</P><P> login authentication admin_auth</P><P>password 7 &lt;removed&gt;</P><P>line vty 0 4</P><P> exec-timeout 0 0</P><P> password 7 &lt;removed&gt;</P><P> login authentication admin_auth</P><P> transport input ssh</P><P>line vty 5 15</P><P> password 7 &lt;removed&gt;</P><P> login authentication admin_auth</P><P> transport input ssh</P> Sun, 10 Mar 2019 21:50:59 GMT https://community.cisco.com/t5/network-access-control/acs-4-0-authentications/m-p/680911#M422419 David Niemann 2019-03-10T21:50:59Z https://community.cisco.com/t5/network-access-control/acs-4-0-authentications/m-p/680912#M422421 <HTML><HEAD></HEAD><BODY><P>Yes, you can achieve this as ACS has both TACACS+ and Radius services running together.</P><P></P><P>On ACS, create/add the device under 2 different protocols (tacacs+ and radius). Assign a different name to differentiate the device with tacacs+ and radius, but maintai the same IP Address.</P><P></P><P>On your device, make sure you have aaa statement that point to tacacs+ and radius:</P><P></P><P>tacacs-server host 171.68.118.101</P><P>tacacs-server key cisco</P><P>radius-server host 171.68.118.101</P><P>radius-server key cisco</P><P></P><P></P><P>Hope this helps. Pls rate useful post(s).</P><P>AK</P><P></P><P></P><P></P></BODY></HTML> Sat, 18 Nov 2006 00:49:47 GMT https://community.cisco.com/t5/network-access-control/acs-4-0-authentications/m-p/680912#M422421 a.kiprawih 2006-11-18T00:49:47Z https://community.cisco.com/t5/network-access-control/acs-4-0-authentications/m-p/680913#M422422 <HTML><HEAD></HEAD><BODY><P>For radius-server, you can either leave the it to use default value, or manually set the auth-port &amp; acct-port to 1645/1646 or 1812/1813.</P><P></P><P>HTH</P><P>AK</P><P></P><P></P></BODY></HTML> Sat, 18 Nov 2006 00:52:11 GMT https://community.cisco.com/t5/network-access-control/acs-4-0-authentications/m-p/680913#M422422 a.kiprawih 2006-11-18T00:52:11Z https://community.cisco.com/t5/network-access-control/acs-4-0-authentications/m-p/680914#M422423 <HTML><HEAD></HEAD><BODY><P>If I use TACACS for administration authentication and RADIUS for port authentication how do I keep RADIUS users from being able to log onto the console/telnet?</P></BODY></HTML> Mon, 20 Nov 2006 13:15:57 GMT https://community.cisco.com/t5/network-access-control/acs-4-0-authentications/m-p/680914#M422423 David Niemann 2006-11-20T13:15:57Z