Discussion in 'Cisco' started by psychogenic, Apr 25, 2006.

    Has anyone successfully implemented Secure ACS using both RADIUS and
    TACACS+ without the need to have two different servers? I'm planning
    to roll out dot1x (which requires authentication to be done via RADIUS)
    but I also want command authorization from TACACS+, which I can't seem
    to emulate with RADIUS.

    psychogenic, Apr 25, 2006
    It may not be exactly what you are looking for, but you can do
    privilege level authorization with RADIUS.

    aaa new-model
    ! Login authentication: try the RADIUS server group first, fall back to local users
    aaa authentication login myradius group radius local
    ! EXEC authorization: RADIUS returns the privilege level; if the server does not
    ! respond, an already-authenticated user still gets an EXEC shell
    aaa authorization exec my-authradius group radius if-authenticated
    ! Legacy RADIUS ports (IANA later assigned 1812/1813); the server must listen on these
    radius-server host w.x.y.z auth-port 1645 acct-port 1646 non-standard

    line vty 0 4
    password 7 23459287234
    authorization exec my-authradius
    login authentication myradius

    In your RADIUS config, define return list attributes that set a user's
    privilege level:

    Service-Type: NAS-Prompt
    Cisco-AVPAIR: shell:priv-lvl=15

    If a user logs in via telnet, they will automatically be put into
    privilege level 15 (enable mode). You can set the priv level for
    individual users or groups of users. Then you can tune the privilege
    level required for certain commands using the privilege command.
    Mark Williams, Apr 25, 2006
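What the two return-list attributes in Mark's post look like on the wire, as an added example that is not part of the thread and not Cisco Secure ACS code: a small Python encoder that builds the Access-Accept a standards-compliant RADIUS server (ACS, FreeRADIUS or any other) sends back with Service-Type = NAS-Prompt (value 7) and the Cisco vendor-specific attribute (vendor 9, sub-attribute 1, Cisco-AVPair) carrying `shell:priv-lvl=15`, plus the decoder the switch side runs. The request authenticator, packet identifier and shared secret are constructed values for the demonstration. The security-relevant piece is the Response Authenticator check: without the shared secret nobody on the path can forge or rewrite a reply that grants level 15.

```python
import hashlib
import hmac
import struct

# RFC 2865 attribute numbers and the Cisco VSA layout (standard values).
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAS_PROMPT = 7      # "Service-Type: NAS-Prompt" in the post above
VENDOR_ID_CISCO = 9
CISCO_AVPAIR = 1                 # Cisco-AVPair vendor sub-attribute


def _attr(attr_type, value):
    """One Type-Length-Value attribute; the length byte covers its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for RADIUS")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific(26) wrapping vendor-id 9 and a Cisco-AVPair sub-attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode("ascii")
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID_CISCO) + sub)


def build_access_accept(identifier, request_authenticator, secret, priv_lvl=15):
    """The reply the RADIUS server sends for a user who should land at priv_lvl.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    which is what lets the switch distinguish a genuine Accept from a forged one."""
    attrs = _attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
    attrs += cisco_avpair(f"shell:priv-lvl={priv_lvl}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def parse_access_accept(packet, request_authenticator, secret):
    """Decode the reply the way the switch would and verify its authenticator.

    Returns a dict with 'authentic', 'service_type', 'priv_lvl' and every Cisco AV pair."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    result = {
        "code": code,
        "identifier": identifier,
        "authentic": hmac.compare_digest(packet[4:20], expected),
        "service_type": None,
        "priv_lvl": None,
        "avpairs": [],
    }
    pos = 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + attr_len]
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] == VENDOR_ID_CISCO:
                _collect_cisco_avpairs(value[4:], result)
        pos += attr_len
    return result


def _collect_cisco_avpairs(sub, result):
    """Walk the vendor sub-attributes (several may be chained inside one VSA)."""
    pos = 0
    while pos + 2 <= len(sub):
        sub_type, sub_len = sub[pos], sub[pos + 1]
        if sub_len < 2 or pos + sub_len > len(sub):
            raise ValueError("malformed vendor sub-attribute")
        if sub_type == CISCO_AVPAIR:
            text = sub[pos + 2:pos + sub_len].decode("ascii", errors="replace")
            result["avpairs"].append(text)
            if text.startswith("shell:priv-lvl="):
                result["priv_lvl"] = int(text.split("=", 1)[1])
        pos += sub_len


# Constructed inputs for the demonstration: a fixed request authenticator and a toy secret.
REQUEST_AUTH = bytes(range(16))
SECRET = b"testing123"


if __name__ == "__main__":
    pkt = build_access_accept(0x2A, REQUEST_AUTH, SECRET, priv_lvl=15)
    print(parse_access_accept(pkt, REQUEST_AUTH, SECRET))
    # Rewriting the priv-lvl in flight (or forging an Accept outright) breaks the
    # authenticator, because it cannot be recomputed without the shared secret.
    tampered = pkt[:-1] + b"1"
    print(parse_access_accept(tampered, REQUEST_AUTH, SECRET)["authentic"])
```

NAS-Prompt (7) drops the user at a user-level prompt and lets the AV pair choose the level; the older alternative, Service-Type = Administrative-User (6), puts the user straight into level 15 with no per-user granularity. Either way the only thing protecting that "15" on the wire is the MD5 authenticator keyed by the shared secret, so the secret deserves the same care as an enable password.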
    Hi Mark,

    Thanks. Yes, I saw that with radius. However, I didn't know you can
    fine tune it. Is this done on the local switch itself?
    psychogenic, Apr 25, 2006
    Yes. You can fine-tune what privilege level is required for which
    commands on a per-switch basis using the privilege command in global
    config mode. For example, if you wanted to require privilege level 7
    for the command who, use the following

    privilege exec level 7 who
    Mark Williams, Apr 26, 2006
    Rats. That would suck though if I had to do this for 50 switches? :)
    psychogenic, Apr 27, 2006
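The per-switch `privilege exec level` approach is exactly what TACACS+ command authorization centralizes, so the 50-switch worry is real. As an added example, not part of the thread, here is the way a practitioner keeps that tolerable with RADIUS only: one command-to-level table rendered into identical IOS lines for every switch, a check for the prefix behaviour IOS applies (setting `show ip route` to level 7 also lowers `show` and `show ip` to 7 unless those were set explicitly, and an explicit higher prefix makes the longer command unreachable), and a drift calculation against a `show running-config` dump pulled from a switch. The `DESIRED` table and the `SAMPLE_RUNNING` text are constructed for the demonstration; pushing the resulting lines to the switches is left to whatever transport is already in use.

```python
import re

# Constructed desired state: one table applied to every switch (assumption, not from the thread).
DESIRED = {
    "who": 7,
    "show ip route": 7,
    "clear counters": 7,
    "show running-config": 15,
}

# Constructed "show running-config | include privilege" output from one switch: it
# includes prefix lines IOS derived on its own plus one stale entry and one wrong level.
SAMPLE_RUNNING = """!
privilege exec level 7 who
privilege exec level 15 show ip route
privilege exec level 7 show ip
privilege exec level 7 show
privilege exec level 7 debug
!"""

PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+?)\s*$")


def _prefixes(command):
    """Proper prefixes of a command: 'show ip route' -> ['show', 'show ip']."""
    words = command.split()
    return [" ".join(words[:i]) for i in range(1, len(words))]


def effective_levels(desired):
    """Level every command and every prefix ends up at after IOS applies the table.

    IOS lowers each prefix to the most permissive level of any command extending it,
    unless the prefix itself was set explicitly (then the explicit value stands)."""
    for cmd, lvl in desired.items():
        if not 0 <= lvl <= 15:
            raise ValueError(f"{cmd!r}: level {lvl} is outside 0-15")
    eff = dict(desired)
    for cmd, lvl in desired.items():
        for prefix in _prefixes(cmd):
            if prefix not in desired:
                eff[prefix] = min(eff.get(prefix, 15), lvl)
    return eff


def conflicts(desired):
    """Commands nobody at their level can reach because an explicit prefix sits higher."""
    eff = effective_levels(desired)
    return [(cmd, p, eff[p]) for cmd, lvl in desired.items()
            for p in _prefixes(cmd) if eff[p] > lvl]


def render(desired):
    """Deterministic IOS lines; the same text goes to all 50 switches."""
    bad = conflicts(desired)
    if bad:
        raise ValueError(f"unreachable commands: {bad}")
    return [f"privilege exec level {lvl} {cmd}" for cmd, lvl in sorted(desired.items())]


def parse_running(config_text):
    """Extract the current privilege lines from a running-config dump."""
    found = {}
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            found[m.group(2)] = int(m.group(1))
    return found


def drift(desired, running):
    """(lines to add, lines to remove) for one switch.

    Prefix lines IOS derived itself match the effective levels and are not extras."""
    eff = effective_levels(desired)
    add = [f"privilege exec level {lvl} {cmd}"
           for cmd, lvl in sorted(desired.items()) if running.get(cmd) != lvl]
    remove = [f"no privilege exec level {lvl} {cmd}"
              for cmd, lvl in sorted(running.items()) if eff.get(cmd) != lvl]
    return add, remove


if __name__ == "__main__":
    print("\n".join(render(DESIRED)))
    to_add, to_remove = drift(DESIRED, parse_running(SAMPLE_RUNNING))
    print("add:", to_add)
    print("remove:", to_remove)
    print("conflicts:", conflicts({"show": 15, "show ip route": 7}))
```

Run the drift step against every switch's running config and apply the `no` lines first, then the additions; a stale `privilege exec level 7 debug` left behind on one switch is precisely the kind of per-box inconsistency that central command authorization avoids.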
