I have the requirement to allow the customer to log in to the router, and to use their own AD for authentication, whilst maintaining our own TACACS access for management. Obviously, I could do an integration between our TACACS server and the customer's AD, but this involves blowing lots of holes in our firewalls and much grief all round.
So what I would like to do is:
For default login (say SMITHJ), authenticate via our TACACS+.
For customer login (say john.doe@contoso.com), authenticate via customer-owned RADIUS onto the customer's AD.
At a push, I could install a TACACS+ server in the customer domain to proxy onto their AD if it is not possible to do this with RADIUS.
Is this possible? If so, a config would be much appreciated.