Solved: TACACS + Radius authentication

williamehmke1 · ‎05-25-2021

I was wondering if anyone has successfully configured both TACACS and Radius on Cisco devices for aaa. We are looking to move to TACACS and have it reside on our ISE PSN's but I want to still keep radius as a backup as it will continue to reside on VM's outside of the ISE PSN's.

Any input is greatly appreciated

lrojaslo · ‎05-25-2021

You can have up to 3 different methods for login for example:

aaa authentication login default group tacacs(first method) group radius (fallback) local (2nd fallback)

Fallback to next method will occur only if there is no communication with previous method.

View solution in original post

Marvin Rhoads · ‎05-25-2021

I haven't had the occassion to do it but you should be able to put method lists for both in sequence for your aaa authentication commands. The device will always try the servers first in the list and only use the second method if all servers time out from the first method.

williamehmke1 · ‎05-25-2021

ok Thank you. I will try find some examples to reference and then give it a try

lrojaslo · ‎05-25-2021

You can have up to 3 different methods for login for example:

aaa authentication login default group tacacs(first method) group radius (fallback) local (2nd fallback)

Fallback to next method will occur only if there is no communication with previous method.