TACACS and RADIUS authentication on same line

niesommer · ‎08-27-2008

Hi,

I'm need to authenticate users authenticating either on a TACACS+ or a RADIUS server on a Dial-up line. The configuration that I'm using is:

aaa authentication login TEST group radius group tacacs+ local-case

The problem that I'm encountering is that if a user has to authenticate with a TACACS server the radius server will return a "FAIL" message to the router as it does not find the user. This halts the authentication process and the TACACS server is never used.

This works when the authentication server is a single ACS server that can authenticate users via different external DBs. I have to remove this ACS server and "attack" the External DBs directly from the router.

Is there any way that I can configure the router (12.2) to "ignore" this fail message and continue with the second group servers?

Any help is greatly appreciated.

Thanks,

Niels

Premdeep Banga · ‎08-28-2008

unfortunately this is not how RADIUS/TACACS servers work or IOS works.

As you have command,

aaa authentication login TEST group radius group tacacs+ local-case

Till the point radius server is UP, if you provide a username that does not exist on the Radius server, it will be always send Access-Reject (FAIL). And IOS can only go for next method (in your case tacacs and then local), only when it gets an ERROR, which is only possible when radius server/services are unavailable.

Here is what I can recommend in your scenario. You can make use of Radius proxy, in that case users would be required to login in a different fashin, something like,

john@alfa , and we can proxy it to appropriate server based on keyword '@alfa'.

Before that, what is your Radius server and what is your Tacacs server at this moment ?

Regards,

Prem

Please rate if it helps!