cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
324
Views
0
Helpful
1
Replies

Radius for AUTH TACACS for Accounting

benjmoor
Cisco Employee
Cisco Employee

Is it possible to do device management where the device would use Radius for authorization and then TACACS for accounting?  This was an ask by a customer because they feel the accounting functionality is far superior in TACACS compared to radius.

1 Reply 1

Arne Bier
VIP
VIP

Yes TACACS is real AAA for device authentication.  Radius is not bad if you don't want to spend the $$$ for TACACS license, or if you don't care about per command authorization etc. If customer is prepared to pay the ISE license for TACACS then why don't they just do the whole AAA with TACACS+, instead of just the Accounting part?  It's not an ISE question at all. Question is on the NAS side whether it can split these things off.  My guess would be no, because the TACACS accounting process would have no way of linking into the session data created by the Radius Authentication.  

The closest to this split brain stuff is IBNS 2.0 where the 802.1X auth can be done by Radius Group A, and MAB can be done by Radius group B.  But that was designed on purpose.