Velocity Reviews


psychogenic 05-08-2006 08:31 PM

Combining both TACACS+ and RADIUS
 
Hey all,

I'm trying to get dot1x to authenticate using RADIUS through SecureACS
but I also want TACACS+ command authorization. Theoretically, I can
create a "virtual" interface and assign all outgoing tacacs packets to
there so you can have that same switch be added to ACS twice but this
doesn't seem to work (though from the config samples it should).

This is what I have down:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login not_auth none
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa accounting auth-proxy default start-stop group tacacs+

interface Loopback0
ip address 192.168.2.2 255.255.255.0

ip tacacs source-interface Loopback0

Both tacacs+ and radius servers are the same IP. Is there any other
command I am missing?


Thanks.


Slawomir Furmanek 05-09-2006 07:14 PM

Re: Combining both TACACS+ and RADIUS
 

"psychogenic" <angrylife@gmail.com> wrote in message
news:1147120272.839806.301610@v46g2000cwv.googlegroups.com...
> Hey all,
>
> I'm trying to get dot1x to authenticate using RADIUS through SecureACS
> but I also want TACACS+ command authorization. Theoretically, I can
> create a "virtual" interface and assign all outgoing tacacs packets to
> there so you can have that same switch be added to ACS twice but this
> doesn't seem to work (though from the config samples it should).
>
> This is what I have down:
>
> aaa new-model
> aaa authentication login default group tacacs+ local
> aaa authentication login not_auth none
> aaa authentication enable default group tacacs+ enable
> aaa authentication dot1x default group radius
> aaa authorization config-commands
> aaa authorization exec default group tacacs+ local
> aaa authorization commands 15 default group tacacs+ none
> aaa accounting auth-proxy default start-stop group tacacs+
>
> interface Loopback0
> ip address 192.168.2.2 255.255.255.0
>
> ip tacacs source-interface Loopback0
>
> Both tacacs+ and radius servers are the same IP. Is there any other
> command I am missing?
>
>
> Thanks.


Where do you have the Tacacs+ and Radius server definitions?

What's not working exactly?

Regards Slawek



psychogenic 05-10-2006 02:15 PM

Re: Combining both TACACS+ and RADIUS
 
Both radius and tacacs were defined as:

tacacs-server host 192.168.x.x
tacacs-server directed-request
tacacs-server key 7 blabblahblah
radius-server host 192.168.x.x auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 blahblahblah

Both tacacs and radius are on the same server (which hosts SecureACS).
On the SecureACS side I have it set where the IP of the switch is
configured to accept radius authentication and the loopback0 interface
I created on that same switch to accept tacacs authentication. When I
try to log in with a network account it gives me authentication failed.
:(

Erasing all of that and having the ip of the switch to accept either/or
tacacs / radius authentication works fine.

This is stuff I pulled from this guide here:

http://book.itzero.com/read/cisco/05...7lev1sec4.html

at the very bottom.

Slawomir Furmanek wrote:
> "psychogenic" <angrylife@gmail.com> wrote in message
> news:1147120272.839806.301610@v46g2000cwv.googlegroups.com...
> > Hey all,
> >
> > I'm trying to get dot1x to authenticate using RADIUS through SecureACS
> > but I also want TACACS+ command authorization. Theoretically, I can
> > create a "virtual" interface and assign all outgoing tacacs packets to
> > there so you can have that same switch be added to ACS twice but this
> > doesn't seem to work (though from the config samples it should).
> >
> > This is what I have down:
> >
> > aaa new-model
> > aaa authentication login default group tacacs+ local
> > aaa authentication login not_auth none
> > aaa authentication enable default group tacacs+ enable
> > aaa authentication dot1x default group radius
> > aaa authorization config-commands
> > aaa authorization exec default group tacacs+ local
> > aaa authorization commands 15 default group tacacs+ none
> > aaa accounting auth-proxy default start-stop group tacacs+
> >
> > interface Loopback0
> > ip address 192.168.2.2 255.255.255.0
> >
> > ip tacacs source-interface Loopback0
> >
> > Both tacacs+ and radius servers are the same IP. Is there any other
> > command I am missing?
> >
> >
> > Thanks.

>
> Where do you have the Tacacs+ and Radius server definitions?
>
> What's not working exactly?
>
> Regards Slawek
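
Added example, not part of the thread and not written by either poster: a small Python check that works out which source address the AAA server will see for TACACS+ and for RADIUS from a configuration like the one posted (the address each AAA client entry on the server has to match), and lists AAA method lists that end in `none`. The server address 192.0.2.10, the Vlan1 address, the `egress_ip` input and all function names are constructed for illustration.

```python
import re

# Constructed sample based on the thread's configuration. The elided server
# address is replaced by the documentation address 192.0.2.10 and the Vlan1
# management address is invented for the example.
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login not_auth none
aaa authentication dot1x default group radius
aaa authorization commands 15 default group tacacs+ none
interface Loopback0
 ip address 192.168.2.2 255.255.255.0
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
ip tacacs source-interface Loopback0
tacacs-server host 192.0.2.10
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646
"""

def interface_addresses(config):
    """Map interface name -> first IPv4 address configured under it."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*ip address (\d+\.\d+\.\d+\.\d+) ", line)
        if m and current:
            addrs.setdefault(current, m.group(1))
        elif not line.startswith(" "):
            current = None  # left the interface block
    return addrs

def aaa_source_addresses(config, egress_ip):
    """Return {protocol: source IP the AAA server sees}.
    egress_ip (assumption, depends on routing) is the address of the interface
    the packet leaves through; it applies when no source-interface is set.
    None means a source-interface is named but has no address in the config."""
    addrs, seen = interface_addresses(config), {}
    for proto in ("tacacs", "radius"):
        if not re.search(rf"^{proto}-server host ", config, re.M):
            continue
        m = re.search(rf"^ip {proto} source-interface (\S+)", config, re.M)
        seen[proto] = addrs.get(m.group(1)) if m else egress_ip
    return seen

def open_fallbacks(config):
    """Method lists ending in 'none': no check is applied once that method is reached."""
    pat = r"aaa (authentication|authorization) .* none$"
    return [l.strip() for l in config.splitlines() if re.match(pat, l.strip())]
```

For the sample, TACACS+ is sourced from the Loopback0 address and RADIUS from the egress interface, so the server needs one client entry per address, each reachable from the server.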



