cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
664
Views
1
Helpful
3
Replies

TACACS+ for Network User Authentication

scamarda
Cisco Employee
Cisco Employee

If I am not mistaken, with ACS you could use TACACS+ as the NAD protocol to authenticate network users.  Looking through the documentation and menus, I do not see that capability in ISE.  Is this configuration possible? Or is TACACS+ in ISE solely for Dev Admin?

1 Accepted Solution

Accepted Solutions

Just to clarify,

Endpoint authentication such as dot1x and MAB, CWA uses RADIUS as a backend protocol. These services generally refers to Network access and RADIUS is used in that context and ACS supports RADIUS. ACS support dot1x and MAB in that context.

Device administration can use TACACS+ or RADIUS. However TACACS+ is the prevalently used method since it support authentication, session authorization, command authorization and accounting. It offers greater flexibility for Device management and audit. RADIUS protocol can be used by Third party devices that do not support TACACS+. RADIUS authorization needs to send the attributes during authorization for that.

ISE has all the protocol support as that of ACS. ISE 2.0 started supporting TACACS+. If you are using ISE version prior to ISE 2.0 you many not see that. TACACS+ is a service that needs to be enabled in the UI under Administration --> Deployment for that ISE node. We have a workcenter for Device administration where you see relevant information.

-Krishnan

View solution in original post

3 Replies 3

ldanny
Cisco Employee
Cisco Employee

Hi,

ACS can use T+ for Network Access as long your in no need of EAP which is not supported , hence the use of Radius for NA.

To answer your question ISE uses Radius for Network Access and T+ for Device Management only.

-Danny

Just to clarify,

Endpoint authentication such as dot1x and MAB, CWA uses RADIUS as a backend protocol. These services generally refers to Network access and RADIUS is used in that context and ACS supports RADIUS. ACS support dot1x and MAB in that context.

Device administration can use TACACS+ or RADIUS. However TACACS+ is the prevalently used method since it support authentication, session authorization, command authorization and accounting. It offers greater flexibility for Device management and audit. RADIUS protocol can be used by Third party devices that do not support TACACS+. RADIUS authorization needs to send the attributes during authorization for that.

ISE has all the protocol support as that of ACS. ISE 2.0 started supporting TACACS+. If you are using ISE version prior to ISE 2.0 you many not see that. TACACS+ is a service that needs to be enabled in the UI under Administration --> Deployment for that ISE node. We have a workcenter for Device administration where you see relevant information.

-Krishnan

Jason Kunst
Cisco Employee
Cisco Employee

Can you please explain the use case

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: