08-16-2007 01:27 AM - edited 03-10-2019 03:20 PM
Hi
I think I have a simple question: I want to activate 802.1x on our switches (about 800 devices: 6500, 3500, 3600, 4500, ...). We use TACACS for telnet authentication, authorization and accounting. For 802.1x I need to configure RADIUS on the switches. So my question is: can I run RADIUS and TACACS
for the same device, or do I have to change the telnet authentication/authorization to RADIUS? In the Network Device Group configuration on ACS 4.1 I can only define TACACS or RADIUS as the authentication type for one device.
08-16-2007 01:33 AM
Yes you can run RADIUS and TACACS+ in parallel.
In the ACS network config db you need to enter each device twice - once for each protocol.
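What "in parallel" looks like on one IOS switch, as an added example that is not from the thread: the default login/exec method lists keep pointing at TACACS+, and a separate dot1x method list sends port authentication to RADIUS. The server addresses (192.0.2.x, documentation range), the shared keys and the local fallback account are placeholders, and the 12.x-era `dot1x port-control auto` interface syntax is assumed.

```cisco
! Added example, not from the thread: TACACS+ for device administration and
! RADIUS for 802.1X on the same switch. ACS needs this switch entered twice
! in its network configuration, once per protocol, as the answer above says.
aaa new-model
!
! --- Management-plane AAA (telnet/SSH logins) stays on TACACS+ ---
! "local" is a fallback so an unreachable ACS does not lock you out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10 key TACACS-KEY-PLACEHOLDER
!
! --- 802.1X supplicant authentication goes to RADIUS ---
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
!
! Enable 802.1X globally, then per access port
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
! Local account used only when the TACACS+ servers are unreachable
username admin-fallback privilege 15 secret LOCAL-FALLBACK-PLACEHOLDER
```

After applying it, `show tacacs` and `show dot1x all` confirm that each protocol is talking to its own server.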
08-16-2007 09:29 AM
TACACS+ is better recommended, due to better accounting, authorization and the ENCRYPTION it uses for communication, whereas RADIUS is a plain/clear text algorithm.
Since you are using TELNET, which is totally clear text, using TACACS provides you some security through its encryption. I would prefer TACACS over RADIUS since you have an all-Cisco based network.
08-16-2007 10:31 PM
Hallo
I know, this is the reason why I am using TACACS. But can I use TACACS in combination with 802.1x and/or NAC?
08-17-2007 05:45 AM
No, you can't use TACACS+ for NAC and 802.1x.
...and NAC over RADIUS *IS* encrypted. The entire exchange occurs inside a tunnel which just happens to be carried over RADIUS.
EAP-FAST/EAP-PEAP both use encrypted tunnels for their protocols.
T+ is still king for device admin or any network service that uses/needs good/flexible authorisation. For everything else there's RADIUS.