topic Re: Difference between ise in c9800 in Wireless

Difference between ise in c9800

Leftz — Thu, 27 Apr 2023 15:46:32 GMT

Hi, In C9800 wlc system, we can see radius configuration with ise, but in other cases, we can see they use tacacs instead of radius. In 9800 system, what is difference between radius and tacacs? Thanks

Re: Difference between ise in c9800

Mark Elsen — Thu, 27 Apr 2023 16:27:38 GMT

- FYI : https://www.google.com/search?q=what+is+the+difference+between+radius+and+tacacs&rlz=1C1CHZL_enBE751BE751&oq=what+is++the+difference+between+radius+and+tacacs&aqs=chrome..69i57j0i512j0i22i30l5j69i64.6831j0j7&sourceid=chrome&ie=UTF-8

Re: Difference between ise in c9800

Scott Fella — Thu, 27 Apr 2023 16:43:46 GMT

I think you need to understand why you might use TACACS for vs Radius, which is typically used these for user access. Back in the day's radius was used for network device access until TACACS was born. There are still networks out there that use radius for network device access, because they don't have a AAA server that supports TACACS. Hope that somewhat clarifies your question.

Re: Difference between ise in c9800

Rich R — Fri, 28 Apr 2023 13:52:36 GMT

Cisco devices normally use TACACS to authenticate and authorise user access to the device itself - device management.
TACACS is a Cisco proprietary protocol (so mostly only used by Cisco devices) but Cisco did release the code for it so a few other vendors have released server and client support for it in a limited way.

Radius is a standard used right across networking. It can be used for management access (like TACACS) but on Cisco devices it is mostly used for user access authentication and management eg. WiFi users, remote access users etc.

Re: Difference between ise in c9800

Leftz — Fri, 28 Apr 2023 16:24:25 GMT

Thanks for your reply!

Now the c9800 wlc is using Radius. If we change it to TACACS, what do we need to do? just setup TACACS and remove Radius?

Re: Difference between ise in c9800

Rich R — Fri, 28 Apr 2023 16:39:29 GMT

Not necessarily - it depends what it's using the radius for. For example if you're using it to authenticate an 802.1x WLAN you can't remove it. But if you're using it to authenticate management users then yes you could replace it with TACACS. You'll also have to make sure the ISE server is correctly configured. When you're sure TACACS is working then you could remove the radius.
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

Re: Difference between ise in c9800

Scott Fella — Sat, 29 Apr 2023 12:51:16 GMT

Please make sure you understand the configuration before you change anything. You just need to review ISE and TACACS configuration documentation so you can follow how your setup is and what it is doing. Then understand how ISE radius is used to authenticate clients. Then and only then you will be able to understand the current policies defined.

Re: Difference between ise in c9800

Leftz — Mon, 01 May 2023 18:23:45 GMT

@Rich R and @Scott Fella Thanks for your comments. The below document is talking about radius/tacacs and wlc configuration. Based on the document, the two server radius and tacacs need to be configured at ISE. There are some same features that the two servers own. My question is when WLC need the same feature, which server(Radius or tacacs) would provide the function?

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

Re: Difference between ise in c9800

Rich R — Mon, 01 May 2023 19:59:54 GMT

TACACS is generally the first choice for management user authentication on Cisco devices.
RADIUS is the standard for client access authentication across networks generally.
And when I say authentication I actually mean AAA - authentication, authorisation and accounting.

Re: Difference between ise in c9800

Leftz — Mon, 01 May 2023 21:29:50 GMT

I am not asking the difference of the two server at this moment. Instead, I would like to know when both servers Radius/TACACS are installed and configured at same ISE/WLC, if a device request the same service feature that the two servers own, which server will respond to it? Is there a mechanism to handle the issue? Or only one of the two server can be selected?

Re: Difference between ise in c9800

Rich R — Mon, 01 May 2023 22:16:52 GMT

Well you can configure primary and fallback options with aaa config so it might be possible but I really would not recommend ever doing that. But if you did that then they'd be selected in the order you configure them to be used.

Re: Difference between ise in c9800

Leftz — Tue, 09 May 2023 15:33:40 GMT

Thank you very much for your reply. It make sense.

"Not necessarily - it depends what it's using the radius for. For example if you're using it to authenticate an 802.1x WLAN you can't remove it. But if you're using it to authenticate management users then yes you could replace it with TACACS ..."

Our system uses 802.1x radius for users, so we cannot remove radiius.

"Well you can configure primary and fallback options with aaa config so it might be possible but I really would not recommend ever doing that. But if you did that then they'd be selected in the order you configure them to be used. "

Regarding the order we selected, I think you mean AireOS, but looks like we do not have the function at catalyst 9800. so when both Radisu and tacacs co-exist in c9800, there should be a mechanism to control/decide which one(Radius or tacacs) to take care of users authentication and authorization

Re: Difference between ise in c9800

Rich R — Tue, 02 May 2023 14:24:15 GMT

Please refer back to the answers already provided.

Re: Difference between ise in c9800

Leftz — Tue, 09 May 2023 15:33:14 GMT

I changed the previous post after i reviewed the question

Our system uses 802.1x radius for users, so we cannot remove radiius.

Re: Difference between ise in c9800

Rich R — Tue, 09 May 2023 15:53:58 GMT

> but looks like we do not have the function at catalyst 9800.
IOS aaa config allows to specify multiple groups so you should be able to use both in order of preference. eg:
aaa authentication login default group mytacacs group myradius local