Combining both TACACS+ and RADIUS
Hey all,
I'm trying to get dot1x to authenticate using RADIUS through SecureACS but I also want TACACS+ command authorization. Theoretically, I can create a "virtual" interface and assign all outgoing tacacs packets to there so you can have that same switch be added to ACS twice but this doesn't seem to work (though from the config samples it should).

This is what I have down:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login not_auth none
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa accounting auth-proxy default start-stop group tacacs+

interface Loopback0
 ip address 192.168.2.2 255.255.255.0

ip tacacs source-interface Loopback0

Both tacacs+ and radius servers are the same IP. Is there any other command I am missing?

Thanks.
Re: Combining both TACACS+ and RADIUS
"psychogenic" <angrylife@gmail.com> wrote in message
news:1147120272.839806.301610@v46g2000cwv.googlegroups.com...
> Hey all,
>
> I'm trying to get dot1x to authenticate using RADIUS through SecureACS
> but I also want TACACS+ command authorization. Theoretically, I can
> create a "virtual" interface and assign all outgoing tacacs packets to
> there so you can have that same switch be added to ACS twice but this
> doesn't seem to work (though from the config samples it should).
>
> This is what I have down:
>
> aaa new-model
> aaa authentication login default group tacacs+ local
> aaa authentication login not_auth none
> aaa authentication enable default group tacacs+ enable
> aaa authentication dot1x default group radius
> aaa authorization config-commands
> aaa authorization exec default group tacacs+ local
> aaa authorization commands 15 default group tacacs+ none
> aaa accounting auth-proxy default start-stop group tacacs+
>
> interface Loopback0
>  ip address 192.168.2.2 255.255.255.0
>
> ip tacacs source-interface Loopback0
>
> Both tacacs+ and radius servers are the same IP. Is there any other
> command I am missing?
>
>
> Thanks.

Where do you have Tacacs+ and Radius servers definitions?

What's not working exactly?

Regards
Slawek
Re: Combining both TACACS+ and RADIUS
Both radius and tacacs were defined as:
tacacs-server host 192.168.x.x
tacacs-server directed-request
tacacs-server key 7 blabblahblah
radius-server host 192.168.x.x. auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 blahblahblah

Both tacacs and radius are on the same server (which hosts SecureACS). On the SecureACS side I have it set where the IP of the switch is configured to accept radius authentication and the Loopback0 interface I created on that same switch to accept tacacs authentication.

When I try to log in with a network account it gives me authentication failed. :(

Erasing all of that and having the IP of the switch accept either tacacs or radius authentication works fine.

This is stuff I pulled from this guide here: http://book.itzero.com/read/cisco/05...7lev1sec4.html at the very bottom.

Slawomir Furmanek wrote:
> "psychogenic" <angrylife@gmail.com> wrote in message
> news:1147120272.839806.301610@v46g2000cwv.googlegroups.com...
> > Hey all,
> >
> > I'm trying to get dot1x to authenticate using RADIUS through SecureACS
> > but I also want TACACS+ command authorization. Theoretically, I can
> > create a "virtual" interface and assign all outgoing tacacs packets to
> > there so you can have that same switch be added to ACS twice but this
> > doesn't seem to work (though from the config samples it should).
> >
> > This is what I have down:
> >
> > aaa new-model
> > aaa authentication login default group tacacs+ local
> > aaa authentication login not_auth none
> > aaa authentication enable default group tacacs+ enable
> > aaa authentication dot1x default group radius
> > aaa authorization config-commands
> > aaa authorization exec default group tacacs+ local
> > aaa authorization commands 15 default group tacacs+ none
> > aaa accounting auth-proxy default start-stop group tacacs+
> >
> > interface Loopback0
> >  ip address 192.168.2.2 255.255.255.0
> >
> > ip tacacs source-interface Loopback0
> >
> > Both tacacs+ and radius servers are the same IP. Is there any other
> > command I am missing?
> >
> >
> > Thanks.
>
> Where do you have Tacacs+ and Radius servers definitions?
>
> What's not working exactly?
>
> Regards
> Slawek
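
An added example, not part of the thread and not written by any of the posters: a small Python audit of the configuration posted above. It reports the source address the ACS server would see for each protocol (the two-client-entries setup depends on those differing) and which method lists contain `none`. `CONFIG` is copied from the AAA and interface lines in the posts; the function names are this example's own.

```python
import re

# Constructed sample: the AAA and interface lines posted in the thread.
CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login not_auth none
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa accounting auth-proxy default start-stop group tacacs+
interface Loopback0
 ip address 192.168.2.2 255.255.255.0
ip tacacs source-interface Loopback0
"""

def interface_addresses(cfg):
    """Map interface name -> configured IPv4 address."""
    addrs, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) \S+", line)) and current:
            addrs[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the interface sub-mode
    return addrs

def source_addresses(cfg):
    """Source address the AAA server sees per protocol. None means it is not
    pinned (or the pinned interface has no address), so the address of the
    interface that routes toward the server is used instead."""
    addrs = interface_addresses(cfg)
    pinned = dict(re.findall(r"^ip (tacacs|radius) source-interface (\S+)", cfg, re.M))
    return {p: addrs.get(pinned.get(p)) for p in ("tacacs", "radius")}

def fail_open_lists(cfg):
    """Method lists containing 'none': access is granted with no check once
    every earlier method fails to answer (or at once if 'none' stands alone)."""
    pat = r"^aaa (authentication|authorization) (login|enable|dot1x|exec|commands \d+) (\S+) (.+)$"
    return [(kind, svc, name) for kind, svc, name, methods in re.findall(pat, cfg, re.M)
            if "none" in methods.split()]

if __name__ == "__main__":
    print(source_addresses(CONFIG))
    print(fail_open_lists(CONFIG))
```

For the posted configuration, TACACS+ is sourced from 192.168.2.2 while RADIUS is left unpinned, and the `commands 15` list authorizes every level-15 command unchecked whenever the TACACS+ server does not respond.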