Combining both TACACS+ and RADIUS

Discussion in 'Cisco' started by psychogenic, May 8, 2006.

  1. psychogenic

    psychogenic Guest

    Hey all,

    I'm trying to get dot1x to authenticate using RADIUS through SecureACS
    but I also want TACACS+ command authorization. Theoretically, I can
    create a "virtual" interface and assign all outgoing tacacs packets to
    there so you can have that same switch be added to ACS twice but this
    doesn't seem to work (though from the config samples it should).

    This is what I have down:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login not_auth none
    aaa authentication enable default group tacacs+ enable
    aaa authentication dot1x default group radius
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ none
    aaa accounting auth-proxy default start-stop group tacacs+

    interface Loopback0
    ip address 192.168.2.2 255.255.255.0

    ip tacacs source-interface Loopback0

    Both tacacs+ and radius servers are the same IP. Is there any other
    command I am missing?


    Thanks.
     
    psychogenic, May 8, 2006
    #1

  2. "psychogenic" <> wrote in message
    news:...
    > Hey all,
    >
    > I'm trying to get dot1x to authenticate using RADIUS through SecureACS
    > but I also want TACACS+ command authorization. Theoretically, I can
    > create a "virtual" interface and assign all outgoing tacacs packets to
    > there so you can have that same switch be added to ACS twice but this
    > doesn't seem to work (though from the config samples it should).
    >
    > This is what I have down:
    >
    > aaa new-model
    > aaa authentication login default group tacacs+ local
    > aaa authentication login not_auth none
    > aaa authentication enable default group tacacs+ enable
    > aaa authentication dot1x default group radius
    > aaa authorization config-commands
    > aaa authorization exec default group tacacs+ local
    > aaa authorization commands 15 default group tacacs+ none
    > aaa accounting auth-proxy default start-stop group tacacs+
    >
    > interface Loopback0
    > ip address 192.168.2.2 255.255.255.0
    >
    > ip tacacs source-interface Loopback0
    >
    > Both tacacs+ and radius servers are the same IP. Is there any other
    > command I am missing?
    >
    >
    > Thanks.


    Where do you have Tacacs+ and Radius servers definitions?

    What's not working exactly?

    Regards Slawek
     
    Slawomir Furmanek, May 9, 2006
    #2

  3. psychogenic

    psychogenic Guest

    Both radius and tacacs were defined as:

    tacacs-server host 192.168.x.x
    tacacs-server directed-request
    tacacs-server key 7 blabblahblah
    radius-server host 192.168.x.x auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key 7 blahblahblah

    Both tacacs and radius are on the same server (which hosts SecureACS).
    On the SecureACS side I have it set where the IP of the switch is
    configured to accept radius authentication and the loopback0 interface
    I created on that same switch to accept tacacs authentication. When I
    try to login with a network account it gives me authentication failed.
    :(

    Erasing all of that and having the ip of the switch to accept either/or
    tacacs / radius authentication works fine.

    This is stuff I pulled from this guide here:

    http://book.itzero.com/read/cisco/0...04.INTERNAL_html/1587051249/ch07lev1sec4.html

    at the very bottom.

    Slawomir Furmanek wrote:
    > "psychogenic" <> wrote in message
    > news:...
    > > Hey all,
    > >
    > > I'm trying to get dot1x to authenticate using RADIUS through SecureACS
    > > but I also want TACACS+ command authorization. Theoretically, I can
    > > create a "virtual" interface and assign all outgoing tacacs packets to
    > > there so you can have that same switch be added to ACS twice but this
    > > doesn't seem to work (though from the config samples it should).
    > >
    > > This is what I have down:
    > >
    > > aaa new-model
    > > aaa authentication login default group tacacs+ local
    > > aaa authentication login not_auth none
    > > aaa authentication enable default group tacacs+ enable
    > > aaa authentication dot1x default group radius
    > > aaa authorization config-commands
    > > aaa authorization exec default group tacacs+ local
    > > aaa authorization commands 15 default group tacacs+ none
    > > aaa accounting auth-proxy default start-stop group tacacs+
    > >
    > > interface Loopback0
    > > ip address 192.168.2.2 255.255.255.0
    > >
    > > ip tacacs source-interface Loopback0
    > >
    > > Both tacacs+ and radius servers are the same IP. Is there any other
    > > command I am missing?
    > >
    > >
    > > Thanks.
    >
    >
    > Where do you have Tacacs+ and Radius servers definitions?
    >
    > What's not working exactly?
    >
    > Regards Slawek
     
    psychogenic, May 10, 2006
    #3
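The AAA lines posted above (first and third posts) can be audited mechanically. The following is an added example, not code from the thread: it parses the posted configuration (embedded as a constructed sample, with the IPs and placeholders exactly as posted) and reports two things a reviewer would check before deploying it: which method lists end in `none` (if the TACACS+ server is unreachable, IOS falls through and grants the request), and which protocol has an explicit source interface. The thread's config sets one for TACACS+ only, so RADIUS packets are sourced from the egress interface address and ACS sees the switch under two different client IPs.

```python
import re

# Constructed sample: the AAA and server lines as posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login not_auth none
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa accounting auth-proxy default start-stop group tacacs+
tacacs-server host 192.168.x.x
ip tacacs source-interface Loopback0
radius-server host 192.168.x.x auth-port 1645 acct-port 1646
"""

# "aaa authentication login default group tacacs+ local"
# "aaa authorization commands 15 default group tacacs+ none"
METHOD_RE = re.compile(r"^aaa (authentication|authorization) (\S+(?: \d+)?) (\S+) (.+)$")
SOURCE_RE = re.compile(r"^ip (tacacs|radius) source-interface (\S+)$")


def parse_method_lists(config):
    """Return {(service, list_name): [methods]} for every named method list."""
    lists = {}
    for line in config.splitlines():
        m = METHOD_RE.match(line.strip())
        if not m:
            continue  # e.g. "aaa authorization config-commands" has no list
        category, service, name, rest = m.groups()
        # Keep "group tacacs+" together as one method; others are single words.
        lists[(f"{category} {service}", name)] = re.findall(r"group \S+|\S+", rest)
    return lists


def fail_open_lists(lists):
    """Lists whose last method is 'none': IOS only moves to the next method
    on a server error, so an unreachable server ends in an unconditional grant."""
    return sorted(key for key, methods in lists.items() if methods[-1] == "none")


def source_interfaces(config):
    """Protocol -> source interface, or None when IOS will use the egress address."""
    found = {"tacacs": None, "radius": None}
    for line in config.splitlines():
        m = SOURCE_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found


if __name__ == "__main__":
    print("fail-open lists:", fail_open_lists(parse_method_lists(SAMPLE_CONFIG)))
    print("source interfaces:", source_interfaces(SAMPLE_CONFIG))
```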