andreas.leuthold
Beginner

Use EAP-FAST with ACS 5.2

Hello everybody,

I use Active Directory as the external identity store for ACS. In the ACS 5.2 web interface, navigating to Access Policies > Access Services and going to the Allowed Protocols tab, the only protocol that works is PAP/ASCII. In the ACS documentation it is described as the least secure authentication method for ACS.

I would like to use EAP-FAST. What command do I have to enter on the AAA client to make this work? The router has IOS version 12.4.

Here is its aaa config:

aaa new-model
!
!
aaa group server tacacs+ ACSTEST1
 server 1.1.1.1
 server 2.2.2.2
!
aaa authentication banner ^CCCCCC*** TACACS+ Server not available, use local defC
aaa authentication fail-message ^C
aaa authentication login default group tacacs+
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
aaa session-id common

I did not find any help in the Cisco IOS Security Command Reference or on the Internet.

Thank you for your help.

Kind regards, Andy

Accepted Solutions
Tiago Antunes
Cisco Employee

Hi,

TACACS+ authentication only supports PAP, so it is not possible to use EAP-FAST.

Please keep in mind that EAP methods are used with RADIUS, not with TACACS+.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
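
To illustrate the point in the answer above that EAP methods travel inside RADIUS, here is an added example (not part of the original thread and not Cisco code) that pulls the EAP packet out of a RADIUS Access-Request and names the method, where EAP type 43 is EAP-FAST. The packets, the user name `andy` and the helper `build_access_request` are constructed for the example.

```python
import struct

EAP_MESSAGE = 79  # RADIUS attribute that carries EAP (RFC 3579)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}

def radius_attributes(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        alen = packet[pos + 1]
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen

def eap_in_radius(packet):
    """Return (code, method) of the EAP packet carried in RADIUS, or None."""
    # A large EAP packet is split over several EAP-Message attributes;
    # the receiver concatenates them in order.
    eap = b"".join(v for t, v in radius_attributes(packet) if t == EAP_MESSAGE)
    if not eap:
        return None  # e.g. a PAP request: User-Password, no EAP at all
    if len(eap) < 4:
        raise ValueError("truncated EAP header")
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if length < 4 or length > len(eap):
        raise ValueError("EAP length does not match the attribute data")
    method = None
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type
        method = EAP_TYPES.get(eap[4], "type %d" % eap[4])
    return EAP_CODES.get(code, "code %d" % code), method

def build_access_request(attrs):
    """Constructed sample builder: Access-Request (code 1), zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples. A real EAP request also carries Message-Authenticator (80).
EAP_FAST = bytes([2, 7, 0, 6, 43, 0x01])  # Response, id 7, len 6, type 43
EAP_REQ = build_access_request([(1, b"andy"), (79, EAP_FAST[:3]), (79, EAP_FAST[3:])])
PAP_REQ = build_access_request([(1, b"andy"), (2, bytes(16))])

if __name__ == "__main__":
    print(eap_in_radius(EAP_REQ))
    print(eap_in_radius(PAP_REQ))
```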

Hi Tiago,

Thank you for your answer!

MTFBWY