1069 Views, 5 Helpful, 3 Replies

TACACS+ using both a local database and an external db (Active Directory)

David James
Level 1

Is it possible to configure a Cisco device (aka a switch) to use a TACACS server that has both a local db and an external db? I currently have a test switch that is configured to use TACACS authentication where that authentication is an Active Directory db. Because our environment utilizes vendors to co-manage some of our devices, I was wanting to create local accounts on the TACACS server for them. Both groups, local and AD, would have the same privileges while both being authenticated against two different databases.

3 Replies

ty.masse
Level 1

I have this same issue. Is this possible?

BrianKPoole
Level 1

We run ACS v5.5, and we do this. I have several users that exist only in the Internal Identity Store, and the server is also set up to authenticate against AD.

I created an Identity Store Sequence that looks first at AD, then at the Internal Identity Store when performing authentications. I then have rules in place in my access policies that allow (for example) full access to members of the AD group called "Admins" and the local group called "AdminUsers".

Hope this helps!
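To make the two pieces of Brian's answer concrete (an Identity Store Sequence that checks AD before the Internal Identity Store, and access policy rules keyed on an AD group "Admins" and a local group "AdminUsers"), here is a small Python model of that evaluation order. It is an added illustration, not Cisco ACS code, and every user, password and group in it is constructed. One behaviour is an assumption that should be checked against the ACS documentation for your release: a store that knows the username decides the outcome, so a wrong password for an account that exists in AD fails the login rather than falling through to the internal store (otherwise a locked or disabled AD admin could be retried against a stale local copy of the same username).

```python
# Added example: model of an ACS-style Identity Store Sequence feeding
# first-match authorization rules. Not Cisco code; all data is constructed.
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    store: Optional[str]      # which store produced the decision, if any
    groups: frozenset
    reason: str = ""


class IdentityStore:
    """A store maps username -> (password, groups). A real AD store verifies
    the password itself and a real internal store holds hashes; plaintext is
    used here only to keep the model short."""

    def __init__(self, name, users):
        self.name = name
        self.users = users

    def lookup(self, username):
        return self.users.get(username)


class IdentityStoreSequence:
    """Try stores in order. 'User not found' moves to the next store;
    'user found' ends the sequence with that store's verdict (assumption,
    see lead-in)."""

    def __init__(self, stores):
        self.stores = stores

    def authenticate(self, username, password):
        for store in self.stores:
            record = store.lookup(username)
            if record is None:
                continue                      # unknown here: try next store
            stored_pw, groups = record
            if hmac.compare_digest(stored_pw, password):
                return AuthResult(True, store.name, frozenset(groups))
            return AuthResult(False, store.name, frozenset(), "bad password")
        return AuthResult(False, None, frozenset(), "user not found in any store")


# Authorization rules evaluated top-down, first match wins, like ACS access
# policy rules: (identity store, group) -> result. Groups named in the reply.
RULES = [
    ("AD", "Admins", "full-access"),
    ("Internal", "AdminUsers", "full-access"),
]
DEFAULT_RESULT = "deny"


def authorize(result):
    """Map an authentication result to an access decision."""
    if not result.ok:
        return "deny"
    for store, group, outcome in RULES:
        if result.store == store and group in result.groups:
            return outcome
    return DEFAULT_RESULT


# Constructed sample stores. 'alice' exists in both so the no-fall-through
# behaviour is visible; 'bob' is an AD user outside the Admins group.
AD = IdentityStore("AD", {
    "alice": ("ad-secret", {"Admins"}),
    "bob": ("bob-secret", {"Helpdesk"}),
})
INTERNAL = IdentityStore("Internal", {
    "vendor1": ("vendor-secret", {"AdminUsers"}),   # local vendor account
    "alice": ("stale-copy", {"AdminUsers"}),        # stale duplicate of an AD user
})
SEQUENCE = IdentityStoreSequence([AD, INTERNAL])


def login(username, password, seq=SEQUENCE):
    """Return (deciding store, access decision) for one login attempt."""
    result = seq.authenticate(username, password)
    return result.store, authorize(result)


if __name__ == "__main__":
    for user, pw in [("alice", "ad-secret"), ("vendor1", "vendor-secret"),
                     ("bob", "bob-secret"), ("alice", "stale-copy"),
                     ("nobody", "x")]:
        print(user, "->", login(user, pw))
```

The last two cases are the ones worth reproducing on a real server before rolling this out to vendors: an AD user who is not in "Admins" should land on the deny rule even though authentication succeeded, and a duplicated username should never be authenticated by the internal store once AD has claimed it.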

Hi Brian

Can you elaborate on the rules you have in place? Even some screenshots with sensitive information blocked out? I can see how to create the Identity Store Sequence but I'm not sure how to implement this in the access policies and haven't been able to find much (any) information on implementing this. 

Thanks in advance.