03-14-2009 10:18 PM - edited 03-10-2019 04:23 PM
Hi
I am presently using ACS v4. Is there any way that I could configure a device to authenticate using TACACS and RADIUS together in ACS?
03-16-2009 06:03 AM
On the ACS side there is nothing to stop you entering the same device twice - for RADIUS and for TACACS+.
03-16-2009 06:38 AM
Hi
Thanks for the reply.
How can I do this in ACS?
best regards
muralee
03-16-2009 08:46 AM
Muralee
We could give you better advice if we understood more about your environment and about what you are really trying to accomplish.
I have configured routers doing dial access where the dial access PPP sessions authenticate to Radius and the sessions to the VTY authenticate to TACACS. Are you trying to accomplish something like that?
It would also be possible to set up a router so that the VTY authenticate to Radius and the console authenticates to TACACS if you wanted that. Or it should work if you want to configure authentication using the radius group as primary and use the tacacs group as backup if the radius method fails.
What can you tell us about what your requirements are?
HTH
Rick
03-16-2009 01:14 PM
You can add the same NAS for RADIUS and TACACS, but the host name has to be different.
Example

Host Name    IP         Authenticate using
NAS1         4.1.1.1    Radius
NAS2         4.1.1.1    Tacacs
Regards,
~JG
Do rate helpful posts
03-17-2009 12:31 AM
Hi
My requirement is to add a single device in ACS v4 to authenticate using RADIUS and TACACS.
Device: 1.1.1.1
For PPP we will be using RADIUS.
For telnet and SSH login we will use TACACS.
On the NAS I have done the config, but I am not sure how to do it in ACS.
Based on this, can you advise something?
tks a lot
muralee
03-17-2009 02:07 AM
So in the ACS network config you add 2 NASes (or should that be NASi?)
One is of type TACACS+, enter the device ip and secret. The other is RADIUS - unless you need to use some vendor specific trickery you could stick with IETF RADIUS to keep it simple. Again enter the IP and the secret.
Assuming you have at least 1 user in, say, the default group (ACS group 0), you then need to do some basic setup. In ACS a single group can have both RADIUS and TACACS+ config :-)
RADIUS will pretty much default to PPP anyway, but you should still set the Service-Type to Framed and set session timeouts etc.
With T+ you tick the boxes for the services that are allowed. For SSH login you might have to define a custom service first (under interface config)
Suggest you first take time to scan through the ACS docs.
03-17-2009 07:42 AM
Simply add nas
1
Name--->device
IP ----> 1.1.1.1
secret---->xxxxx
Authenticate using --->Radius IETF
2
Name--->device1
IP ----->1.1.1.1
secret ----->x.x.x.x
Authenticate using---->tacacs IOS
Regards,
~JG
Do rate helpful posts
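The NAS side of the split discussed in this thread (PPP sessions to RADIUS, telnet/SSH logins to TACACS+), as an added example that is not taken from any post above. The ACS address 192.0.2.10, the list names, the interfaces, the local user and all keys are assumed placeholders; each key must match the secret entered on the corresponding ACS NAS entry.

```ios
! Added example: classic IOS AAA config for one NAS (1.1.1.1) that is
! entered twice in ACS, once as RADIUS (IETF) and once as TACACS+.
! 192.0.2.10 is a constructed ACS address; keys are placeholders.
aaa new-model
!
! Local account so a VTY login is still possible if ACS is unreachable.
username localadmin secret LOCAL-PASSWORD-PLACEHOLDER
!
! Both ACS entries match on the same source IP, so pin the source
! interface for each protocol to the address registered in ACS
! (Loopback0 holding 1.1.1.1 is an assumption).
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
! Use a different shared secret for each protocol entry.
tacacs-server host 192.0.2.10 key TACACS-SECRET-PLACEHOLDER
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key RADIUS-SECRET-PLACEHOLDER
!
! Named method lists keep the two uses separate.
aaa authentication login VTY-TACACS group tacacs+ local
aaa authentication ppp PPP-RADIUS group radius
!
! Telnet/SSH logins use the TACACS+ list.
line vty 0 4
 login authentication VTY-TACACS
!
! PPP sessions use the RADIUS list (Dialer1 is a hypothetical interface).
interface Dialer1
 encapsulation ppp
 ppp authentication chap PPP-RADIUS
```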