https://community.cisco.com/t5/network-access-control/tacacs-vs-radius-in-aaa/m-p/3453607#M536513 <HTML><HEAD></HEAD><BODY><P>Hi Kevin,</P><P></P><P>Yes, you can use RADIUS for device admin but will have a lot of limitations when compared to TACACS+.&nbsp; You will lack command authorization functionality if you use RADIUS.</P><P></P><P>Regards,</P><P>-Tim</P></BODY></HTML> Thu, 12 Jan 2017 18:16:45 GMT Timothy Abbott 2017-01-12T18:16:45Z https://community.cisco.com/t5/network-access-control/tacacs-vs-radius-in-aaa/m-p/3453606#M536511 <HTML><HEAD></HEAD><BODY><P>Can RADIUS be used for Device Administration on ISE?&nbsp; Or is TACACS+ the only way to do AAA on ISE? </P><P></P><P>I have a system with Cisco and Alcatel devices, and Alcatel devices seem to prefer RADIUS for AAA. </P></BODY></HTML> Thu, 12 Jan 2017 18:02:13 GMT https://community.cisco.com/t5/network-access-control/tacacs-vs-radius-in-aaa/m-p/3453606#M536511 kevin.mckee 2017-01-12T18:02:13Z https://community.cisco.com/t5/network-access-control/tacacs-vs-radius-in-aaa/m-p/3453607#M536513 <HTML><HEAD></HEAD><BODY><P>Hi Kevin,</P><P></P><P>Yes, you can use RADIUS for device admin but will have a lot of limitations when compared to TACACS+.&nbsp; You will lack command authorization functionality if you use RADIUS.</P><P></P><P>Regards,</P><P>-Tim</P></BODY></HTML> Thu, 12 Jan 2017 18:16:45 GMT https://community.cisco.com/t5/network-access-control/tacacs-vs-radius-in-aaa/m-p/3453607#M536513 Timothy Abbott 2017-01-12T18:16:45Z https://community.cisco.com/t5/network-access-control/tacacs-vs-radius-in-aaa/m-p/3453608#M536514 <HTML><HEAD></HEAD><BODY><P>I've been able to get authentication working through RADIUS on ISE 2.1, but it seems to be handled through the network access side, and not the device administration side.&nbsp; On Alcatel devices, the authorization is normally handled through RADIUS, which is why I was hoping to get it working on that side.</P></BODY></HTML> Thu, 12 Jan 2017 18:34:36 GMT https://community.cisco.com/t5/network-access-control/tacacs-vs-radius-in-aaa/m-p/3453608#M536514 kevin.mckee 2017-01-12T18:34:36Z https://community.cisco.com/t5/network-access-control/tacacs-vs-radius-in-aaa/m-p/3453609#M536516 <HTML><HEAD></HEAD><BODY><P>I was able to get AUTHORIZATION working through TACACS+ to the Alcatel/Nokia devices.&nbsp; I'll will be waiting for the ISE 2.2 beta to see if any of this is addressed in the new features.</P></BODY></HTML> Fri, 13 Jan 2017 22:39:13 GMT https://community.cisco.com/t5/network-access-control/tacacs-vs-radius-in-aaa/m-p/3453609#M536516 kevin.mckee 2017-01-13T22:39:13Z https://community.cisco.com/t5/network-access-control/tacacs-vs-radius-in-aaa/m-p/3453610#M536518 <HTML><HEAD></HEAD><BODY><P>Be sure to communicate with Cisco account team so they can work with product management on any specific gaps.&nbsp; You have not clarified what specifically you are looking to be addressed in newer release.&nbsp; The lack of command authorization and command accounting is not a limitation of ISE RADIUS implementation, but a limitation of standard RADIUS protocol. </P><P></P><P>ISE certainly supports standard RADIUS authentication and authorization. Some NADs may support specific attributes to control device admin privileges.&nbsp; If not already loaded, these can be imported into ISE and returned as part of the RADIUS authorization to the device itself.&nbsp; We separated TACACS+ under its own section and titled it "Device Admin" since that is primary use case for TACACS+.&nbsp; However, it is true that some use RADIUS for Device Admin function, but that would be configured under original policy for RADIUS auth.&nbsp; Many customers choose to create a Policy Set specific to RADIUS Device Admin which matches on NDG, RADIUS service type, or other discriminating attribute which is specific to device admin.</P><P></P><P>/Craig</P></BODY></HTML> Tue, 17 Jan 2017 23:49:54 GMT https://community.cisco.com/t5/network-access-control/tacacs-vs-radius-in-aaa/m-p/3453610#M536518 Craig Hyps 2017-01-17T23:49:54Z