ashraf2002

Authentication using Cisco ACS Server

Hi,
Is it possible to have a single username for RADIUS authentication and also for TACACS+ authentication in Cisco ACS?
The scenario is that I need to configure some Cisco network devices and other vendors' devices to authenticate against ACS. The users can be in different groups like Admins, Medium-Level Privileged, Low-Privileged users, etc.
Please advise me how to configure this.
demon777

You could set up AAA and authenticate against a RADIUS AD/Windows box? Attributes for RADIUS can be configured from within the Windows box. More information here:
http://crazyvlan.blogspot.com/2008/02/vpn-and-radius-with-cisco-asa-and.html
ashraf2002

ASKER

Yes, I can configure it as you said, but I need to configure a user/group for accessing the RADIUS protocol and also TACACS+. The scenario I mentioned above has devices from more than one vendor; for Cisco devices I need to use the TACACS+ protocol and for the others RADIUS. Is it possible to do this for a single username or user group, authenticating against both protocols?

Just say my username is "xyz". I need to authenticate to all the devices with this username; for Cisco devices I could authenticate using TACACS+ and for the others RADIUS.

*With Cisco I need to use AAA with TACACS+.
aaa authentication login default local group radius group tacacs+

This checks the user against the first, then the second, and then the third authentication method specified. Don't know if you can authenticate against 'ALL' authentication methods (why?), but depending on the interface/MAC/IP specified this can be tweaked further:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml#configure-server
Hello,

I don't like to correct people, but demon777, you cannot point authentication to 2 protocols.

I think that what you want is to have a user on the ACS who will be able to authenticate to Cisco devices using TACACS+ and to use RADIUS for devices like HP, Juniper, etc.

By default all users are capable of handling both authentications. The only difference will be the attributes that are configured for each protocol.

If it is one single user, you can configure priv 15 for the TACACS+ devices and whatever attribute you need for the third-party devices under the RADIUS configuration.

I can give you some examples, but I would need to know if the ACS is 5.x or 4.x. It is possible in either version.

Hope this is what you need.

Erick Delgado
AAA/ACS specialist.
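A worked device-side configuration for the TACACS+ half of the design discussed above, added here as an illustration; it is not part of the thread and not any poster's answer. It shows the method-list form of the `aaa authentication login` command from the earlier reply, with the ACS tried first and the local database used only as a fallback, plus the exec/command authorization that lets ACS hand back privilege 15 for the admin group. The ACS address 192.0.2.10 (documentation range), the shared key, the server-group name ACS-TACACS, the Loopback0 source interface and the local account name are assumptions chosen for the example. The RADIUS side for the non-Cisco devices is vendor-specific and is not shown.

```cisco
! Added example (not from the thread): Cisco IOS device authenticating
! administrators against ACS over TACACS+. Placeholders: ACS at
! 192.0.2.10, key ACS-SHARED-SECRET, source interface Loopback0.
aaa new-model
!
! Server definition in the classic (pre-"tacacs server") form so it
! applies across IOS releases of the ACS 5.2 era.
tacacs-server host 192.0.2.10
tacacs-server key ACS-SHARED-SECRET
ip tacacs source-interface Loopback0
!
aaa group server tacacs+ ACS-TACACS
 server 192.0.2.10
!
! Method lists. Methods are tried left to right: "local" is reached only
! when no TACACS+ server answers, NOT when ACS rejects the credentials.
aaa authentication login default group ACS-TACACS local
aaa authentication enable default group ACS-TACACS enable
!
! Exec authorization is what carries the ACS shell profile (priv-lvl 15
! for the admin group, lower for the other groups) onto the session.
aaa authorization exec default group ACS-TACACS local if-authenticated
aaa authorization commands 15 default group ACS-TACACS local if-authenticated
aaa accounting exec default start-stop group ACS-TACACS
aaa accounting commands 15 default start-stop group ACS-TACACS
!
! Break-glass account, used only while ACS is unreachable.
username breakglass privilege 15 secret ChangeMe-Locally
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
!
! Check from exec mode before logging out of your working session:
!   test aaa group ACS-TACACS xyz <password> legacy
! A "User successfully authenticated" reply confirms key and reachability.
```

Keep the working session open while applying this and verify with the `test aaa` command and a second SSH login before closing it; a wrong key or an unreachable ACS with no local fallback locks you out. The TACACS+ body encryption is only an MD5-keyed obfuscation, so the path to ACS should be a trusted management network, and the same shared-secret hygiene applies to the RADIUS clients on the other vendors' devices.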
Hi Erick Delgado,
This is exactly what I need. The ACS is version 5.2.

I need a single user/group that can access these devices.
ASKER CERTIFIED SOLUTION
erdelgad