ISE 2.7 with Dot1x and Tacacs+

Desmond Lee
Level 1

Hi, I need to implement Dot1X and use TACACS+ at the same time with a single-machine ISE (version 2.7).
Dot1x may need RADIUS, so is it possible for ISE to act as both RADIUS and TACACS+ server with the same IP address? (highlighted in red below)

Sample partial configuration of my switch:

aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius local  // or can I change the keyword "radius" to "tacacs+" instead?
!
dot1x system-auth-control
dot1x critical eapol
!
tacacs-server host 10.10.10.1 key 7 xxxxxxxxxx
radius-server host 10.10.10.1 key 7 xxxxxxxxxx

Thanks!

Desmond

3 Replies

Mike.Cifelli
VIP Alumni

Yes, it is possible for ISE to act as both a RADIUS and TACACS+ server. 802.1X uses EAPOL and RADIUS; see here for a deeper dive: Wired 802.1X Deployment Guide - Cisco.

Make sure you enable your NAD in ISE to support both RADIUS and TACACS+ (Administration -> Network Resources -> Network Devices). Keep in mind too that different licenses are needed for unique features (Base license for AAA and dot1x, and a TACACS+ license, which enables the device admin feature). Use this for additional guidance: ISE & NAC Community Resources - Cisco Community. HTH!

Configuration-wise, any error with the below? Thanks.

aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius local  // or can I change the keyword "radius" to "tacacs+" instead?
!
dot1x system-auth-control
dot1x critical eapol
!
tacacs-server host 10.10.10.1 key 7 xxxxxxxxxx
radius-server host 10.10.10.1 key 7 xxxxxxxxxx

Mike.Cifelli
VIP Alumni

I recommend testing your config in a lab environment. There is more to the deployment in regard to the dot1x config. As mentioned earlier, dot1x uses RADIUS, so this statement would remain using radius:

aaa authentication dot1x default group radius local  // or can I change the keyword "radius" to "tacacs+" instead?

HTH!
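The switch side of what the replies above describe, as an added example that is not part of the original thread: a single ISE node at 10.10.10.1 (the address from the post) acting as both the TACACS+ server (TCP/49) and the RADIUS server (UDP/1812 and 1813), so the two services are distinguished by protocol and port, not by IP. Device administration (login, enable, command authorization and accounting) goes to a TACACS+ group and 802.1X goes to a RADIUS group; there is no "tacacs+" method for the dot1x line. The example uses the named-server syntax of current IOS/IOS-XE rather than the deprecated tacacs-server host / radius-server host form. The server and group names (ISE-TACACS, ISE-RADIUS, ISE-TAC, ISE-RAD), the interface, the test username and the placeholder keys are assumptions, not values from the thread.

```cisco
aaa new-model
!
! ISE node 10.10.10.1 is the TACACS+ server (TCP/49). The key is typed in
! clear text here; IOS stores it as type 7, which is reversible, so treat
! "show run" output as sensitive. Name ISE-TACACS is an assumption.
tacacs server ISE-TACACS
 address ipv4 10.10.10.1
 key TacacsSharedSecretPlaceholder
!
! The same node is the RADIUS server for 802.1X (UDP/1812 auth, 1813 acct).
! Name ISE-RADIUS is an assumption; the secret can differ from the TACACS+ one.
radius server ISE-RADIUS
 address ipv4 10.10.10.1 auth-port 1812 acct-port 1813
 key RadiusSharedSecretPlaceholder
!
aaa group server tacacs+ ISE-TAC
 server name ISE-TACACS
!
aaa group server radius ISE-RAD
 server name ISE-RADIUS
!
! Device administration -> TACACS+, with local fallback if ISE is unreachable.
aaa authentication login default group ISE-TAC local
aaa authentication enable default group ISE-TAC enable
aaa authorization exec default group ISE-TAC local if-authenticated
aaa authorization commands 15 default group ISE-TAC local
aaa accounting exec default start-stop group ISE-TAC
aaa accounting commands 15 default start-stop group ISE-TAC
!
! Network access (802.1X) -> RADIUS only. "group tacacs+" is not a valid
! method here; the EAP exchange is carried inside RADIUS Access-Request/Challenge.
aaa authentication dot1x default group ISE-RAD
aaa authorization network default group ISE-RAD
aaa accounting dot1x default start-stop group ISE-RAD
!
dot1x system-auth-control
dot1x critical eapol
!
! Example access port (interface name is an assumption).
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! Verification from the switch CLI after the NAD is defined in ISE
! (username/password are assumptions; expect "User successfully authenticated"
! or a clear reject from ISE, not a timeout):
!   test aaa group ISE-RAD testuser testpass new-code
!   show aaa servers
```

On the ISE side the Network Device entry for this switch must have both the RADIUS Authentication Settings and the TACACS Authentication Settings enabled, each with the shared secret that matches the corresponding server block above; a timeout on the test command usually means one of those two sections is unchecked or the secret does not match. Use the old-style `tacacs-server host` / `radius-server host` lines only on images that do not accept the named-server syntax.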