Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2328
Views
0
Helpful
6
Replies

ACS 5.1 - tacacs+ issue witch "network access" access services

Go to solution
Przemyslaw Konitz
Level 1
Level 1

‎08-11-2010 03:43 AM - edited ‎03-10-2019 05:19 PM

hi everyone,

can anyone explain why tacacs+ can't be used with network access services?

ScreenShot147.jpg

I know that main purpose of tacacs is command authorization but as I remember with ACS 4.2 it was possible. For example for PPP purpose.

thx and regards

Przemek

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jrabinow
Level 7
Level 7
In response to Przemyslaw Konitz

‎08-11-2010 11:54 PM

TACACS+ requests can only be handled by access services with the Service Type set to "Device Administration".

If type is NetworkAccess it will fail. Please check the Service Type defined for the Access Service "VPM-access"

View solution in original post

0 Helpful
6 Replies 6

Go to solution
michagar
Cisco Employee
Cisco Employee

‎08-11-2010 01:45 PM

On ACS 5.x

Default Device Admin = Tacacs+

Default Network Access = Radius

This is determined by the service selection rules.  Without other information it appears that you tried to process a Tacacs request with the Default Network Access somehow.

0 Helpful

Go to solution
Przemyslaw Konitz
Level 1
Level 1
In response to michagar

‎08-11-2010 11:48 PM

thx for reply

I think this is not the case that Default Network Access is selected in response to TACACS request cause I have other "Access Services" created and default one is even deactivated.

even in log there is my vpn-access-rule selected

In your opinion this should work? I mean using Tacacs+ with Network Access service.

Can anyone confirm it?

regards

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to Przemyslaw Konitz

‎08-11-2010 11:54 PM

TACACS+ requests can only be handled by access services with the Service Type set to "Device Administration".

If type is NetworkAccess it will fail. Please check the Service Type defined for the Access Service "VPM-access"

0 Helpful

Go to solution
Przemyslaw Konitz
Level 1
Level 1
In response to jrabinow

‎08-12-2010 12:07 AM

thx for explaination

I was afraid that this was the case. So if ASA need to control command authorization and verify user credentials in vpn policy (with attributes for that vpn policy) I need to define 2 seperate AAA servers? First as tacacs and 2nd as RADIUS?

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to Przemyslaw Konitz

‎08-12-2010 12:29 AM

Not sure if I follow the question. However, a single ACS server can be used to process both RADIUS and TACACS+ requests

This is in fact the sample services and selection rules that are provide upon product installation. Performs service selection according to the protocol and then selects either: "Default Device Admin" and "Default Network Access" accordingly

0 Helpful

Go to solution
Przemyslaw Konitz
Level 1
Level 1
In response to jrabinow

‎08-12-2010 12:51 AM

I meant that in ASA I needed to define 2 aaa servers (one for tacacs and one for radius).

When integrating ASA with ACS4.2 I could use only tacacs server (for command authorization and vpn policy as well).

thx and regards

P

0 Helpful
Customers Also Viewed These Support Documents