2329 Views, 0 Helpful, 6 Replies

ACS 5.1 - TACACS+ issue with "Network Access" access services

hi everyone,

Can anyone explain why TACACS+ can't be used with Network Access services?

[attached screenshot: ScreenShot147.jpg]

I know that the main purpose of TACACS+ is command authorization, but as I remember, with ACS 4.2 it was possible, for example for PPP.

thx and regards

Przemek


6 Replies

michagar (Cisco Employee)

On ACS 5.x

Default Device Admin = Tacacs+

Default Network Access = Radius

This is determined by the service selection rules.  Without other information it appears that you tried to process a Tacacs request with the Default Network Access somehow.

Thanks for the reply.

I think it is not the case that Default Network Access is selected in response to the TACACS+ request, because I have other "Access Services" created and the default one is even deactivated.

Even in the log, my vpn-access-rule is the one selected.

In your opinion, should this work? I mean using TACACS+ with a Network Access service.

Can anyone confirm it?

regards

TACACS+ requests can only be handled by access services with the Service Type set to "Device Administration".

If type is NetworkAccess it will fail. Please check the Service Type defined for the Access Service "VPM-access"

Thanks for the explanation.

I was afraid that this was the case. So if the ASA needs to control command authorization and verify user credentials in a VPN policy (with attributes for that VPN policy), I need to define two separate AAA servers? The first as TACACS+ and the second as RADIUS?

Not sure if I follow the question. However, a single ACS server can be used to process both RADIUS and TACACS+ requests.

These are in fact the sample services and selection rules that are provided upon product installation. Service selection is performed according to the protocol, and then either "Default Device Admin" or "Default Network Access" is selected accordingly.

I meant that in the ASA I needed to define two AAA servers (one for TACACS+ and one for RADIUS).

When integrating the ASA with ACS 4.2 I could use only a TACACS+ server (for command authorization and the VPN policy as well).

thx and regards

P
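The two-server-group arrangement discussed in this thread, as an added example that is not part of any post above: an ASA pointed at one ACS 5.x host twice, once as a TACACS+ group for device administration (login, enable, command authorization) and once as a RADIUS group for the remote-access VPN tunnel-group. ACS's default service selection rules then route the TACACS+ requests to "Default Device Admin" and the RADIUS requests to "Default Network Access", as michagar describes. The group names (ACS-TACACS, ACS-RADIUS), the tunnel-group and group-policy names, the address 10.0.0.10, the interface name and the shared secrets are placeholders, not values from the thread.

```cisco
! Added example (not from the thread). Placeholder values throughout.
!
! --- Device administration: TACACS+ group -> ACS "Default Device Admin" ---
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 10.0.0.10
 key TACACS-SECRET-PLACEHOLDER
 timeout 5
!
! --- Network access (VPN): RADIUS group -> ACS "Default Network Access" ---
! Same ACS host, different protocol; ACS selects the access service by protocol.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.0.0.10
 key RADIUS-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813
 timeout 5
!
! Management plane uses the TACACS+ group. LOCAL is listed as fallback so an
! unreachable ACS does not lock administrators out of the box.
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
aaa authorization command ACS-TACACS LOCAL
aaa accounting command ACS-TACACS
!
! Remote-access VPN users authenticate against the RADIUS group; per-user
! policy attributes come back in the RADIUS Access-Accept.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy RA-POLICY
```

Two practitioner notes on this layout. First, use different shared secrets for the TACACS+ and RADIUS definitions of the same ACS network device (ACS 5.x stores them separately per device), so a leaked secret for one protocol does not expose the other. Second, keep the LOCAL fallback and a local admin account with a strong password; without it, an ACS outage or a mistaken service selection rule (the symptom in this thread) leaves no way to log in to the ASA and fix the AAA configuration.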