Switches: TACACS or RADIUS?

Carlo Zaina
Level 1

Hi

So far I have managed my switches with TACACS+; however, now I have to deploy 802.1X, which requires RADIUS only.

As far as I know, ACS (I'm using 4.2) allows you to define a device using only TACACS or RADIUS, but not both.

Am I right? Or is there a way to define an AAA client that communicates with the same ACS using both protocols?

Supposing I am right, I was then considering the following options:

- configure all of the switches to use RADIUS for every service (authentication, authorization, etc.). This simplifies the task, but I lose the TACACS+ services for the switches. Is this a big loss?

OR

- configure the L3 switches to use a second Loopback, just for RADIUS services. This would allow me to keep using TACACS+, but would require a new network just for the RADIUS service; furthermore, L2 switches don't support two IP addresses and would require a migration to RADIUS anyway.

A considerable administrative overhead, in other words.

I'm not willing to deploy a second RADIUS server (ACS, Windows, whatever) at this moment.

The key point is this: reading around, I see Cisco documentation always recommending TACACS+ for management, but in this situation it is not possible. In general, every time the device has a network admission role (switch or access point), RADIUS seems to be the protocol of choice. Would moving to RADIUS have some major drawback, or is it only a change in the communication protocol? (I know the difference between TACACS+ and RADIUS: TCP vs UDP, encryption of the whole packet vs encryption of only the password.)

Thank you in advance

C

Accepted Solution

Federico Lovison
Cisco Employee

Hi Carlo,

you can keep on using TACACS+ for device management and RADIUS for 802.1x, with no need for additional AAA servers or additional IP addresses on each managed device.

ACS 4.2 allows you to define two AAA Clients with the same IP address, one for TACACS+ and one for RADIUS; however, the hostname has to be unique.

Then, on the switch you will define the same ACS server as radius-server and tacacs-server host, configuring the "aaa" commands for console login and authorization pointing to the TACACS+ server and the dot1x part pointing to the RADIUS server.

What you're looking for is feasible and it's normal indeed to use TACACS+ for device management and RADIUS for 802.1x.

I hope this answers your questions.

Regards,

Federico

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

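The split Federico describes, written out as an IOS switch configuration. This is an added example, not from the thread or from Cisco documentation; it assumes ACS is reachable at 192.0.2.10, that Loopback0 is the switch's management address (so both AAA client entries in ACS see the same source IP), and uses placeholder shared secrets.

```cisco
! Added example (assumed addresses and placeholder keys): one ACS server
! defined as both a TACACS+ host and a RADIUS host on the same switch.
aaa new-model
!
! Same ACS IP under both protocols; ACS matches by IP + protocol, so the
! two AAA client entries (different hostnames) both resolve to this switch.
tacacs-server host 192.0.2.10 key TACACS_SECRET_PLACEHOLDER
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS_SECRET_PLACEHOLDER
!
! Source all AAA traffic from the management loopback so the source IP
! matches the AAA client definitions in ACS (assumed Loopback0).
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
! Device management (login, enable, exec/command authorization, accounting)
! stays on TACACS+, with local fallback if ACS is unreachable.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! 802.1X (port authentication, network authorization such as dynamic VLAN,
! session accounting) goes to RADIUS only.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
```

The `local` and `enable` fallbacks keep console access working if ACS is down; keep the local credentials as strong as the ones on ACS, since they are what an attacker would try when the TACACS+ path is unavailable.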

3 Replies


Just a clarification about the following statement:

"ACS 4.2 allows you to define two AAA Clients with the same IP address, one for TACACS+ and one for RADIUS, however, the hostname has to be unique."

I mean that the hostname has to be unique on the ACS config, so the TACACS+ and RADIUS entries need to have different names (even if they're related to the same device/IP address).

Thank you Federico for your answer.

I figured this out some days later, tried it, and it worked!

The same device is defined now with 2 different names in the ACS DB and it works with both TACACS and RADIUS.

C