802.1x and TACACS+

MITCH JOHNSON
Level 1

I use the ACS box mainly for AAA on the switches and routers using TACACS. Now we're looking at the possibility of using 802.1x; my early reading tells me I have to use RADIUS, but I'm using TACACS. Can I have two different methods of authentication on the same switch/router?

Any help would be greatly appreciated.

Thanks.

8 Replies

akemp
Level 5

Yes you can. You specify which interfaces use which protocol in what order.

jafrazie
Cisco Employee

Yes, you have to run RADIUS for 1X, but you can enable both just fine.

Is there an example config where both are shown? Each time I add a RADIUS command it erases a RADIUS command, but then I am doing the defaults and nothing specific.

Thanks.

Not sure what you mean, but here's an example with 2 servers:

aaa group server tacacs+ mgmt_access
 server 10.10.10.2
 server 10.10.10.3
aaa group server radius dot1x_access
 server 10.10.10.2
 server 10.10.10.3
aaa authentication login VTY group mgmt_access enable
aaa authentication dot1x DOT1X group dot1x_access
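To show the two method lists from the reply above actually applied to a switch (VTY lines for management, an access port for 802.1X), here is an added example configuration; it is not from the thread or from Cisco, and the server IP, shared secrets, username and interface name are placeholders. It assumes a Catalyst-style IOS where the dot1x method list must be the default list, and it adds a local fallback so the switch cannot lock you out if the ACS is unreachable.

```cisco
! Added example (not from the thread). Placeholders: 10.10.10.2, *_PLACEHOLDER.
aaa new-model
!
! The same ACS host can be listed under both protocols; give each protocol
! its own shared secret so a leaked RADIUS key does not expose TACACS+ traffic.
tacacs-server host 10.10.10.2 key TACACS_KEY_PLACEHOLDER
radius-server host 10.10.10.2 auth-port 1812 acct-port 1813 key RADIUS_KEY_PLACEHOLDER
!
! Separate server groups, one per protocol.
aaa group server tacacs+ mgmt_access
 server 10.10.10.2
aaa group server radius dot1x_access
 server 10.10.10.2
!
! Named list for admin login (TACACS+, then local fallback) so it cannot be
! overwritten by the dot1x list. On Catalyst IOS, dot1x must use "default".
aaa authentication login VTY group mgmt_access local
aaa authorization exec VTY group mgmt_access local
aaa authentication dot1x default group dot1x_access
!
! Local fallback account used only when no TACACS+ server answers.
username admin privilege 15 secret ADMIN_PASSWORD_PLACEHOLDER
!
! Apply the management list to the VTY lines.
line vty 0 4
 login authentication VTY
 authorization exec VTY
!
! Turn on 802.1X globally and on an access port; supplicants are
! authenticated via RADIUS, admins via TACACS+, on the same switch.
dot1x system-auth-control
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
```

Verify with "show aaa servers" and "show dot1x interface GigabitEthernet0/1" that each group is reachable over its own protocol before removing console access.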

pbunet
Level 1
Level 1

Hi,

Yes, you can have different authentication methods on the same router/switch.

If you need to configure 802.1x, you can simply add the 802.1x commands, as they will not interfere with the working of your TACACS authentication.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801f0a44.html

If you want to configure RADIUS for login authentication along with the existing TACACS, then you need to configure a method list.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a8.html#wp1000906

Regards,

Puneet

Hi Puneet,

I'm also stuck with the same problem. I understand that a router/switch could be configured to use both protocols to get authenticated; however, I don't see if the same is possible with any of the ACS servers.

Or in other words, if I have to use dot1x and TACACS for enable purposes, I have to use 2 different ACS servers, one with RADIUS and the second with the TACACS+ protocol.

Please correct me if I'm wrong.

Regards,

Wilson Samuel

You do have to have two entries in the ACS box. So here's how I did it: I named one entry switch1 and the other entry switch1-radius. On switch1 I selected TACACS; on switch1-radius I selected RADIUS (Cisco IOS/PIX).

Restarted the service and it didn't complain a bit and it works fine.

Wow.. such a simple thing never clicked in my brain.. Thanks a lot!!!