
Use EAP-FAST with ACS 5.2

Hello everybody,

I use Active Directory as the external identity store for ACS. In the ACS 5.2 web interface, navigating to Access Policies > Access Services and going to the Allowed Protocols tab, the only protocol that works is PAP/ASCII. In the ACS documentation it is described as the least secure authentication method for ACS.

I would like to use EAP-FAST. What command do I have to enter on the AAA client to work with it? The router has IOS version 12.4.

Here is its aaa config:

aaa new-model
!
!
aaa group server tacacs+ ACSTEST1
 server 1.1.1.1
 server 2.2.2.2
!
aaa authentication banner ^CCCCCC*** TACACS+ Server not available, use local defC
aaa authentication fail-message ^C
aaa authentication login default group tacacs+
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
aaa session-id common

I did not find any help in the Cisco IOS Security Command Reference or on the Internet.

Thank you for your help.

Kind regards, Andy

1 Accepted Solution


Tiago Antunes
Cisco Employee

Hi,

TACACS+ authentication only supports PAP, so it is not possible to use EAP-FAST.

Please keep in mind that EAP methods are used with RADIUS, not with TACACS+.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
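
Added example (not part of the original thread or of Cisco's tooling): a small Python audit that reads an IOS AAA config like the one in the question and reports, for each authentication and authorization method list, which server protocol it resolves to and whether it has a fallback method when the servers do not answer. The sample config is constructed from the lines posted above; the function and field names are hypothetical.

```python
import re

# Constructed sample: AAA lines taken from the router config in the question.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ACSTEST1
 server 1.1.1.1
 server 2.2.2.2
aaa authentication login default group tacacs+
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
"""

GROUP_RE = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)")
LIST_RE = re.compile(r"^aaa (authentication|authorization) "
                     r"(login|enable|dot1x|ppp|exec|network|commands \d+) (\S+) (.+)$")

def audit_aaa(config):
    """Return one record per authentication/authorization method list."""
    lines = [ln.strip() for ln in config.splitlines()]
    # Map named server groups to their protocol, e.g. ACSTEST1 -> tacacs+.
    groups = {m.group(2): m.group(1) for m in map(GROUP_RE.match, lines) if m}
    records = []
    for m in filter(None, map(LIST_RE.match, lines)):
        kind, service, name, methods = m.groups()
        tokens, protocols, fallbacks, i = methods.split(), [], [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                ref = tokens[i + 1]  # built-in protocol group or a named group
                protocols.append(ref if ref in ("tacacs+", "radius")
                                 else groups.get(ref, "unknown"))
                i += 2
            else:
                fallbacks.append(tokens[i])  # local, enable, if-authenticated, ...
                i += 1
        records.append({"kind": kind, "service": service, "list": name,
                        "protocols": protocols, "fallbacks": fallbacks,
                        # No further method: the list fails if no server responds.
                        "server_only": bool(protocols) and not fallbacks})
    return records

if __name__ == "__main__":
    for r in audit_aaa(SAMPLE_CONFIG):
        flag = "  <-- no fallback method" if r["server_only"] else ""
        print(f'{r["kind"]:<14} {r["service"]:<12} {r["list"]:<8} '
              f'{",".join(r["protocols"])} then {r["fallbacks"] or "-"}{flag}')
```

On the posted config every list resolves to TACACS+, and only the `login default` list is reported without a fallback method.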


2 Replies

Hi Tiago,

Thank you for your answer!

MTFBWY