Authentication using Cisco ACS Server

ashraf2002
ashraf2002 used Ask the Experts™
on
Hi,
Is it possible to have a single user name for Radius authentication and also for Tacacs authentication in Cisco ACS.
Here the scenario is that I need to configure some cisco network devices and other company devices to ACS for authentication. The users can be in different groups like Admins, Medium Level Privileged, Low privileged users etc..
Please advise me how to configure this…
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
You could set up AAA and authenticate against Radius AD/Windows box ? Attributes for radius can be configured from within the Windows box. More information here:
http://crazyvlan.blogspot.com/2008/02/vpn-and-radius-with-cisco-asa-and.html

Author

Commented:
Yes.. I can configure as you said.. but i need to configure a user/ group for accessing Radius protocol and also TACACS+. In the scenario i mentioned above has more than one vendor devices, for cisco devices i need to use TACACS+ protocol and for others Radius. Is it possible to do like this for a single username or user group authenticate against both the protocol..?

Just say... my username is "xyz"  i need to authenticate to all the devices with this username. for cisco devices i could authenticate using TACACS+ and for others Radius.

*With Cisco i need to use AAA with TACACS+.

Commented:
aaa authentication login local radius tacacs

This will check the user in the first. second and then the third authentication method specified. Dont' know if you can authenticate against 'ALL' authentication methods (why?) - but depending on the interface/MAC/IP specified this can be tweaked further:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml#configure-server
Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Commented:
Hello,

I don't like to correct people but daemon777 you cannot point authentication to 2 protocols.

I think that what you want is to have an user on the ACS that will be able to authenticate to Cisco devices using tacacs and to use radius for devices like hp, juniper, etc.

By default all users are capable to handle both authentications. The only difference will be the attributes that are configured for each attribute.

If it is one single user you can configure the priv 15 for the tacacs devices and whatever attribute you need for 3rd devices under the radius configuration.

I can give you some examples but I would need to know if the ACS is 5x or 4.x. In either version this can be possible.

Hope this is what you need.

Erick Delgado
AAA/ACS specialist.

Author

Commented:
Hi Erick Delgado...
This was exactly i need.. the ACS is 5.2 ver.

i need a single user/group could access these devices.
Commented:
Hello,

ACS 5.x is a policy based server.

The authentication will go throw the service selection rule by default it is one for radius (default network access) and another one for tacacs (default device admin)

In your specific situation you have to configure authorization policies on each access service.

Under default network access (for radius devices) you can configure the authorization policy like this.

Conditions AD or ACS group, device type(asuming that you are using NDG) and the result will be the authorization profile with the required attribute.

Under default device admin (for tacacs devices) you can configure the authorization policy like this.

Conditions AD or ACS group, device type and the result can be only a shell profile with privilege 15 access or also can be the shell profile together with the commad set if you are using shell profile.

If you are new in ACS 5.x I strongly suggest readin chapter 1 and 2 of the user guide that is understanding policy based server,

Explain the policies is hard to explain is I hope this makes sense to you.

Erick Delgado
ACS/AAA specialist

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial