Beginner

TACACS vs RADIUS in AAA

Can RADIUS be used for Device Administration on ISE?  Or is TACACS+ the only way to do AAA on ISE?

I have a system with Cisco and Alcatel devices, and Alcatel devices seem to prefer RADIUS for AAA.

Accepted Solutions
Cisco Employee

Re: TACACS vs RADIUS in AAA

Hi Kevin,

Yes, you can use RADIUS for device admin but will have a lot of limitations when compared to TACACS+.  You will lack command authorization functionality if you use RADIUS.

Regards,

-Tim

Beginner

Re: TACACS vs RADIUS in AAA

I've been able to get authentication working through RADIUS on ISE 2.1, but it seems to be handled through the network access side, and not the device administration side.  On Alcatel devices, the authorization is normally handled through RADIUS, which is why I was hoping to get it working on that side.

Beginner

Re: TACACS vs RADIUS in AAA

I was able to get AUTHORIZATION working through TACACS+ to the Alcatel/Nokia devices. I'll be waiting for the ISE 2.2 beta to see if any of this is addressed in the new features.

Advocate

Re: TACACS vs RADIUS in AAA

Be sure to communicate with the Cisco account team so they can work with product management on any specific gaps. You have not clarified what specifically you are looking to be addressed in a newer release. The lack of command authorization and command accounting is not a limitation of the ISE RADIUS implementation, but a limitation of the standard RADIUS protocol.

ISE certainly supports standard RADIUS authentication and authorization. Some NADs may support specific attributes to control device admin privileges. If not already loaded, these can be imported into ISE and returned as part of the RADIUS authorization to the device itself. We separated TACACS+ under its own section and titled it "Device Admin" since that is the primary use case for TACACS+. However, it is true that some use RADIUS for the Device Admin function, but that would be configured under the original policy for RADIUS auth. Many customers choose to create a Policy Set specific to RADIUS Device Admin which matches on NDG, RADIUS service type, or another discriminating attribute which is specific to device admin.

/Craig
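
The Policy Set match described in the reply above, modeled as an added example (not ISE code and not from any poster): it parses the RFC 2865 attributes of an Access-Request and sends it to a device-admin set only when the NAS is in the admin group and the Service-Type indicates a login. The policy set names, the NDG modeled as a list of IP networks, and the choice of admin Service-Type values are assumptions.

```python
import ipaddress
import struct

# RFC 2865 attribute numbers and Service-Type values.
NAS_IP_ADDRESS, SERVICE_TYPE = 4, 6
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}
# Assumption: these Service-Type values indicate a device-admin login.
DEVICE_ADMIN_TYPES = {"Login", "Administrative", "NAS-Prompt"}

def parse_access_request(packet: bytes) -> dict:
    """Return {attribute type: [values]}; reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError("not an Access-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def select_policy_set(packet: bytes, admin_ndg: list) -> str:
    """Hypothetical matcher: NDG membership AND an admin Service-Type."""
    attrs = parse_access_request(packet)
    nas = attrs.get(NAS_IP_ADDRESS, [b""])[0]
    svc = attrs.get(SERVICE_TYPE, [b""])[0]
    in_ndg = len(nas) == 4 and any(
        ipaddress.IPv4Address(nas) in net for net in admin_ndg)
    svc_name = SERVICE_TYPES.get(int.from_bytes(svc, "big")) if len(svc) == 4 else None
    if in_ndg and svc_name in DEVICE_ADMIN_TYPES:
        return "RADIUS Device Admin"
    return "Network Access"  # default set; nothing admin-specific matched

def build_request(attrs: list) -> bytes:
    """Constructed sample Access-Request with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body
```

Requiring both conditions keeps an 802.1X (Framed) request from a switch in the admin group, or an Administrative request from a device outside it, in the default set.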