02-23-2014 06:56 AM - edited 03-10-2019 09:26 PM
Is it possible to configure a Cisco device (e.g., a switch) to use a TACACS server that has both a local DB and an external DB? I currently have a test switch that is configured to use TACACS authentication, where that authentication is an Active Directory DB. Because our environment utilizes vendors to co-manage some of our devices, I was wanting to create local accounts on the TACACS server for them. Both groups, local and AD, would have the same privileges while being authenticated against two different databases.
02-23-2014 10:09 AM
I have this same issue. Is this possible?
02-10-2015 11:42 AM
We run ACS v5.5, and we do this. I have several users that exist only in the Internal Identity Store, and the server is also set up to authenticate against AD.
I created an Identity Store Sequence that looks first at AD, then at the Internal Identity Store when performing authentications. I then have rules in place in my access policies that allow (for example) full access to members of the AD group called "Admins" and the local group called "AdminUsers".
Hope this helps!
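For reference, the switch side of this setup does not change at all: the IOS AAA configuration just points at the ACS server, and it is ACS (via the Identity Store Sequence described above) that decides whether a given username is looked up in AD or in the Internal Identity Store. The following is an added example config, not from the original poster or from Cisco documentation; the server name, IP address, shared secret and group name are placeholders.

```cisco-ios
! Added example: IOS switch pointed at a single ACS 5.x TACACS+ server.
! Which identity store (AD or Internal) authenticates the user is decided
! on ACS by the Identity Store Sequence, not here.
aaa new-model

! Hypothetical server name, address and shared secret
tacacs server ACS01
 address ipv4 192.0.2.10
 key SharedSecretExample

aaa group server tacacs+ ACS-GROUP
 server name ACS01

! Authenticate and authorize against ACS; the trailing "local" is only a
! fallback used when ACS is unreachable, NOT the ACS Internal Identity Store
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local if-authenticated
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP

! Emergency account on the switch itself, used only by the local fallback
username emergency privilege 15 secret ReplaceWithStrongSecret

line vty 0 15
 login authentication default
 transport input ssh
```

The point worth checking in a lab before rollout: a vendor account created in the ACS Internal Identity Store is still a TACACS-authenticated account, so it shows up in ACS logs and is subject to the access-policy rules and command authorization. The `local` keyword on the switch is a different thing entirely and only applies when every server in the group fails to respond.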
10-27-2015 08:56 PM
Hi Brian
Can you elaborate on the rules you have in place? Even some screenshots with sensitive information blocked out? I can see how to create the Identity Store Sequence but I'm not sure how to implement this in the access policies and haven't been able to find much (any) information on implementing this.
Thanks in advance.