Use Tacacs+ for Admin auth & Radius for user Auth?

m-carey
Level 1

Can I set up my Aironet 1200 to use TACACS+ for authentication back to the Cisco ACS server and RADIUS back to the same server for user authentication?

If I set up a server in Server Manager under RADIUS, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.

3 Replies

a-vazquez
Level 6

This document does not talk about this option,

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i1234ja/i1234sc/s34radi.htm

So I guess this scenario is not supported.

nbooker
Level 1

I have my users authenticate via RADIUS and telnet/console access authenticated against the same ACS server via TACACS+. I used the command line to configure it though:

! AAA must be enabled before any of the aaa commands below are accepted
aaa new-model
! Admin logins (console/telnet) go to TACACS+, falling back to the local user database
aaa authentication login default group tacacs+ local
! Enable-mode password check also goes to TACACS+, falling back to the enable secret
aaa authentication enable default group tacacs+ enable
! Wireless clients: a named "login" list for EAP, checked against RADIUS. The post
! originally had "aaa authentication eap-methods group radius", which IOS does not
! accept; the list must be of type login and is then referenced by name under the
! SSID with "authentication open eap eap_methods".
aaa authentication login eap_methods group radius
tacacs-server host 1.2.3.4
tacacs-server key whatever
! 1645/1646 are the legacy RADIUS ports; ACS also listens on the IANA ports 1812/1813
radius-server host 1.2.3.4 auth-port 1645 acct-port 1646
radius-server key whatever

petersage
Level 1

Don't know about 1200s, but you can do this on 1130AGs. Create an AAA group for authentication via RADIUS and one for TACACS+, then use the AAA groups to point console/vty to the TACACS+ AAA group and EAP authentication to the RADIUS group.

eg:

! AAA must be enabled before the group and list commands are accepted
aaa new-model
! RADIUS server group used only for wireless client (EAP) authentication
aaa group server radius rad-group
 server x.x.x.x auth-port xxxx acct-port xxxx
! TACACS+ server group used only for administrative access
aaa group server tacacs+ admin-access
 server x.x.x.x
! Named login list for EAP, pointing at the RADIUS group
aaa authentication login eap-method group rad-group
! Named login list for admins, pointing at the TACACS+ group with local users as fallback
aaa authentication login auth-admin-access group admin-access local
! Exec authorization (shell/privilege level) for admins via TACACS+, local fallback
aaa authorization exec default group admin-access local

now under the ssid part of the config have:

dot11 ssid yyyyyy
 ! use open (or whatever method you use); the eap keyword binds the SSID to the RADIUS list
 authentication open eap eap-method

under console/vty etc:

line con 0
 login authentication auth-admin-access
line vty 0 4
 login authentication auth-admin-access

You need some more stuff like RADIUS and TACACS+ server keys, but the above should get you started. On 1130AGs don't use AAA auth for http(s); it looks like it overloads the AAA server at the moment (see field notices). Probably doesn't apply to 1200s.
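As an added example that is not part of the thread (it is neither poster's configuration nor taken from Cisco documentation), here is the two-group layout from the post above filled out into one complete, consistent Aironet IOS configuration: both server groups, the two named login lists, the enable and exec lists, the shared keys the post says are still missing, a local fallback account, and the SSID and line bindings. The address 192.0.2.10, the keys, the SSID name, the username and the list names are hypothetical; it also assumes a 12.3-era AP image in which the `server` entries inside an `aaa group server` must also exist as global `radius-server host` / `tacacs-server host` entries, and it follows the post's advice by keeping HTTP authentication local rather than on AAA.

```cisco
! Added example (not from the original thread). Hypothetical ACS address 192.0.2.10,
! hypothetical keys and names. Assumes the aaa group "server" lines must also be
! defined globally (true on older AP images; harmless on newer ones).
aaa new-model
!
! Separate shared secrets per protocol: compromise of one does not expose the other.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusSharedSecret
tacacs-server host 192.0.2.10 key TacacsSharedSecret
!
! Server groups: one per protocol, referenced by the named lists below
aaa group server radius rad-group
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa group server tacacs+ admin-access
 server 192.0.2.10
!
! Wireless clients: EAP login list -> RADIUS only (no local fallback for users)
aaa authentication login eap-method group rad-group
! Administrators: login, enable and exec authorization -> TACACS+, local fallback.
! The "local" fallback only applies when the TACACS+ group is unreachable, so the
! local account below must exist or admins are locked out during an ACS outage.
aaa authentication login auth-admin-access group admin-access local
aaa authentication enable default group admin-access enable
aaa authorization exec default group admin-access local
! Record admin sessions on the TACACS+ server (start/stop of each exec session)
aaa accounting exec default start-stop group admin-access
!
! Fallback credentials used only when TACACS+ cannot be reached
username fallbackadmin privilege 15 secret FallbackPassword
enable secret EnablePassword
!
! Per the post above: keep web-management authentication off the AAA server
ip http authentication local
!
! SSID bound to the RADIUS list; "open + eap" is the WPA/802.1X style used by EAP clients
dot11 ssid Corp-WLAN
 authentication open eap eap-method
!
! Console and vty bound to the TACACS+ list; without an explicit binding a line would
! fall back to the "default" login list, which this config deliberately does not define
line con 0
 login authentication auth-admin-access
line vty 0 4
 login authentication auth-admin-access
```

The split works because RADIUS and TACACS+ are addressed through different server groups, not through the single "Server Manager" entry that the original question ran into: the same ACS host appears once per protocol, and each named list chooses the group it wants. If RADIUS accounting is also required for clients, the `aaa accounting` line can be duplicated with `network` and the `rad-group` group.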
