«

Has anyone succesfully implemented secure acs using both radius and
tacacs+ without the need to have two differernt servers? I'm planning
to rollout dot1x (which requires authentication to be done via radius)
but I also want command authorization from tacacs+ which I can't seem
to emulate with radius.

Thanks.

It may not be exactly what you are looking for, but you can do
privilege level authorization with RADIUS.

aaa new-model
aaa authentication login myradius group radius local
aaa authorization exec my-authradius group radius if-authenticated
radius-server host w.x.y.z auth-port 1645 acct-port 1646 non-standard

line vty 0 4
password 7 23459287234
authorization exec my-authradius
login authentication myradius

In your radius config, define return list attributes that sets a user's
privilege level:

Service-Type: NAS-Prompt
Cisco-AVPAIR: shellriv-lvl=15

If a user logs in via telnet, they will automatically be put into
privilege level 15 (enable mode). You can set the priv level for
individual users or groups of users. Then you can tune the privilege
level required for certain commands using the privilege command.

Hi Mark,

Thanks. Yes, I saw that with radius. However, I didn't know you can
fine tune it. Is this done on the local switch itself?

Mark Williams wrote:
> It may not be exactly what you are looking for, but you can do
> privilege level authorization with RADIUS.
>
> aaa new-model
> aaa authentication login myradius group radius local
> aaa authorization exec my-authradius group radius if-authenticated
> radius-server host w.x.y.z auth-port 1645 acct-port 1646 non-standard
>
> line vty 0 4
> password 7 23459287234
> authorization exec my-authradius
> login authentication myradius
>
> In your radius config, define return list attributes that sets a user's
> privilege level:
>
> Service-Type: NAS-Prompt
> Cisco-AVPAIR: shellriv-lvl=15
>
> If a user logs in via telnet, they will automatically be put into
> privilege level 15 (enable mode). You can set the priv level for
> individual users or groups of users. Then you can tune the privilege
> level required for certain commands using the privilege command.

Yes. You can fine-tune what priveledge level is required for which
commands on a per-switch basis using the privilege command in global
config mode. For example, if you wanted to require privilege level 7
for the command who, use the following

privilege exec level 7 who

Mark Williams wrote:
> Yes. You can fine-tune what priveledge level is required for which
> commands on a per-switch basis using the privilege command in global
> config mode. For example, if you wanted to require privilege level 7
> for the command who, use the following
>
> privilege exec level 7 who

Rats. That would suck though if I had to do this for 50 switches?