Link to home
Start Free TrialLog in
Avatar of ashraf2002

asked on

Authentication using Cisco ACS Server

Is it possible to have a single user name for Radius authentication and also for Tacacs authentication in Cisco ACS.
Here the scenario is that I need to configure some cisco network devices and other company devices to ACS for authentication. The users can be in different groups like Admins, Medium Level Privileged, Low privileged users etc..
Please advise me how to configure this…
Avatar of demon777
Flag of Australia image

You could set up AAA and authenticate against Radius AD/Windows box ? Attributes for radius can be configured from within the Windows box. More information here:
Avatar of ashraf2002


Yes.. I can configure as you said.. but i need to configure a user/ group for accessing Radius protocol and also TACACS+. In the scenario i mentioned above has more than one vendor devices, for cisco devices i need to use TACACS+ protocol and for others Radius. Is it possible to do like this for a single username or user group authenticate against both the protocol..?

Just say... my username is "xyz"  i need to authenticate to all the devices with this username. for cisco devices i could authenticate using TACACS+ and for others Radius.

*With Cisco i need to use AAA with TACACS+.
aaa authentication login local radius tacacs

This will check the user in the first. second and then the third authentication method specified. Dont' know if you can authenticate against 'ALL' authentication methods (why?) - but depending on the interface/MAC/IP specified this can be tweaked further:

I don't like to correct people but daemon777 you cannot point authentication to 2 protocols.

I think that what you want is to have an user on the ACS that will be able to authenticate to Cisco devices using tacacs and to use radius for devices like hp, juniper, etc.

By default all users are capable to handle both authentications. The only difference will be the attributes that are configured for each attribute.

If it is one single user you can configure the priv 15 for the tacacs devices and whatever attribute you need for 3rd devices under the radius configuration.

I can give you some examples but I would need to know if the ACS is 5x or 4.x. In either version this can be possible.

Hope this is what you need.

Erick Delgado
AAA/ACS specialist.
Hi Erick Delgado...
This was exactly i need.. the ACS is 5.2 ver.

i need a single user/group could access these devices.
Avatar of erdelgad
Flag of Costa Rica image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial