Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
323
Views
0
Helpful
1
Replies

Radius for AUTH TACACS for Accounting

benjmoor
Cisco Employee
Cisco Employee

‎03-25-2019 11:45 AM

Is it possible to do device management where the device would use Radius for authorization and then TACACS for accounting?  This was an ask by a customer because they feel the accounting functionality is far superior in TACACS compared to radius.

0 Helpful
1 Reply 1

Arne Bier
VIP
VIP

‎03-25-2019 02:46 PM

Yes TACACS is real AAA for device authentication.  Radius is not bad if you don't want to spend the $$$ for TACACS license, or if you don't care about per command authorization etc. If customer is prepared to pay the ISE license for TACACS then why don't they just do the whole AAA with TACACS+, instead of just the Accounting part?  It's not an ISE question at all. Question is on the NAS side whether it can split these things off.  My guess would be no, because the TACACS accounting process would have no way of linking into the session data created by the Radius Authentication.  

The closest to this split brain stuff is IBNS 2.0 where the 802.1X auth can be done by Radius Group A, and MAB can be done by Radius group B.  But that was designed on purpose.

0 Helpful
Customers Also Viewed These Support Documents