09-27-2013 11:54 AM - edited 03-04-2019 09:10 PM
Hello Friends,
I know both of the commands below do the same AAA server reference, but I would like to know the order of preference.
That is, which one takes priority: the radius-server command or the tacacs-server command?
radius-server host 192.168.1.1
tacacs-server host 192.168.1.2
Thanks in advance
SAIRAM
09-28-2013 01:54 AM
Hi Sairam,
There is no default order of preference. The first authentication (authorization) method configured (first written in the command) takes precedence, and if it fails, the next one is validated.
Example configuration of authentication/authorization (RADIUS is evaluated first; if it fails, then TACACS+ takes place):
Router(config)#aaa new-model
Router(config)#aaa authentication login RADTAC group radius group tacacs+
Router(config)#aaa authorization exec RADTAC group radius group tacacs+
Rolf is right; I just wanted to rephrase it so it would become clearer, hopefully.
Best regards,
Jan
09-28-2013 01:08 AM
Hi,
I'm not sure if I understand the question correctly.
The order of methods is configured in the aaa-commands, e.g. authentication login:
aaa authentication login RADIUSFIRST group radius group tacacs+
aaa authentication login TACACSFIRST group tacacs+ group radius
If you have several authentication-servers of the same type for different purposes, you can define server groups:
tacacs-server host 192.168.1.1
tacacs-server host 172.16.1.1
aaa group server tacacs+ DIALIN
 server 192.168.1.1
aaa group server tacacs+ MGMT
 server 172.16.1.1
aaa authentication login CONSOLE group MGMT local
aaa authentication ppp DIALIN local
line con 0
 login authentication CONSOLE
Within a group (including the default groups) IOS searches for hosts in the order in which you specify them.
Cisco IOS Security Command Reference:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html
HTH
Rolf
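The ordering described in the answers above, as an added example that is not part of the original posts: a Python script that reads a configuration and expands each method list into the ordered servers it refers to, which is useful when auditing which AAA server a device consults first. The sample config is constructed from commands quoted in this thread, the function names are hypothetical, and only the command forms shown in the thread are parsed.

```python
import re
# Constructed sample config, modelled on the commands quoted in this thread.
SAMPLE = """\
radius-server host 192.168.1.1
tacacs-server host 192.168.1.2
tacacs-server host 172.16.1.1
aaa group server tacacs+ MGMT
 server 172.16.1.1
aaa authentication login RADTAC group radius group tacacs+
aaa authentication login CONSOLE group MGMT local
"""

def parse(config):
    """Return (groups, lists): hosts per server group and methods per list, in config order."""
    # Default groups are filled by the global *-server host commands.
    groups, lists, current = {"radius": [], "tacacs+": []}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"(radius|tacacs)-server host (\S+)", line):
            groups["radius" if m[1] == "radius" else "tacacs+"].append(m[2])
        elif m := re.match(r"aaa group server (?:radius|tacacs\+) (\S+)", line):
            current = m[1]                 # start of a named server group
            groups[current] = []
        elif (m := re.match(r"server (\S+)", line)) and current:
            groups[current].append(m[1])   # sub-command of the open group
        elif m := re.match(r"aaa (authentication|authorization) (\S+) (\S+) (.+)", line):
            lists[(m[1], m[2], m[3])] = re.findall(r"group \S+|\S+", m[4])
            current = None
        elif line:
            current = None                 # any other command closes the group
    return groups, lists

def effective_order(config):
    """Expand each method list into the ordered targets it names."""
    groups, lists = parse(config)
    out = {}
    for key, methods in lists.items():
        steps = []
        for method in methods:
            if method.startswith("group "):
                name = method.split()[1]
                steps += [f"{name}:{h}" for h in groups.get(name, [])] or [f"{name}:<no servers>"]
            else:
                steps.append(method)       # non-group method such as "local"
        out[key] = steps
    return out

if __name__ == "__main__":
    for (kind, service, name), steps in effective_order(SAMPLE).items():
        print(f"{kind} {service} {name}: " + " -> ".join(steps))
```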
09-30-2013 02:21 PM
Thank you Jan & Rolf. It helped me, and thanks for your time.
SAIRAM