[c-nsp] Re: TACACS+ and RADIUS
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Mon Jan 17 12:23:57 EST 2005
Hi Michael,
Michael Estridge <> wrote on Monday, January 17, 2005 4:03 PM:
> I currently have TACACS+ setup and working in a test environment. I
> am able to have certain users authenticate to a switch based on the
> local config file on the TACACS+ server. Those users are limited to
> certain commands and all is working fine. I have been asked to try
> and make it work so that the TACACS+ server will proxy the
> authentication requests to an existing radius server. After the
> authentication has been successful I still need each user and/or
> groups commands limited based on the TACACS+ server config file. Has
> anyone done anything like this? Is it possible? Thanks for any input.
Well, everything is possible if you hack your Tacacs+ server, but in
general both protocols are incompatible in this regard: while T+ uses
distinct Authentication and Authorization requests, Radius is not able
to distinguish these two; it just knows about Authentication and
Accounting. This is why Authen&Author attributes are put together in an
Access-Accept packet.
oli
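As an added illustration of the split Oliver describes (this is example code, not anything from the thread or from a real TACACS+ server): a TACACS+-style daemon that hands only the authentication step to RADIUS as an RFC 2865 Access-Request carrying the hidden User-Password, and answers each per-command authorization request from its own local rules, which RADIUS has no separate message for. The shared secret, group names and command patterns are constructed for the example.

```python
import hashlib
import os
import re
import struct

RADIUS_ACCESS_REQUEST = 1          # RFC 2865 packet code
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); block 1 uses the Request Authenticator."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Inverse of hide_password, as the RADIUS server performs it.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_access_request(username, password, secret, identifier=1, authenticator=None):
    # Authentication step only: Code(1) Identifier Length Authenticator(16) Attributes
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value   # Type, Length, Value
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


# Hypothetical local TACACS+ config: per-group command rules, first match wins,
# consulted for each AUTHOR request only after RADIUS returned Access-Accept.
COMMAND_RULES = {
    "netops": [("permit", r"^show "), ("permit", r"^configure terminal$"), ("deny", r"")],
    "readonly": [("permit", r"^show "), ("deny", r"")],
}


def authorize_command(group: str, command: str) -> bool:
    # Per-command authorization: the step RADIUS cannot express as its own exchange.
    for action, pattern in COMMAND_RULES.get(group, [("deny", r"")]):
        if re.match(pattern, command):
            return action == "permit"
    return False
```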