[c-nsp] running radius/tacacs+ on the same router
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Fri Jun 15 01:00:22 EDT 2007
virendra rode // <> wrote on Friday, June 15, 2007 6:44 AM:
> Has anyone configured tacacs+ and radius to be used on the same router
> for same types of access modes? If so, like to hear your thoughts.
> This setup is due to a multivendor environment that my client is
> running.
>
> some basic questions,
>
> a. would a router authenticate tacacs+ and radius simultaneously
> for single user for same types of access modes? For example,
>
> aaa new-model
> aaa authentication login default group tacacs+|radius line
If you expressed this as "aaa authentication login default group tacacs+
group radius line" this would technically work.
> aaa authorization exec default group tacacs+|radius if-authenticated
As Radius doesn't allow for separate authorization request, this would
only work if the authentication was performed using the same protocol as
IOS uses the authorization AVPs from the authentication response
(Access-Accept). So you need to give the same order of the methods, but
I would not use this (see also further down).
> aaa authorization commands 7 group tacacs+|radius if-authenticated
This is not possible with Radius.
> b. what happens (for sake of this example) if user is not known to the
> tacacs+ (user got deleted, unreachable, timeout, etc), would the
> request be passed onto the radius server?
Except for the "local" AAA method, IOS only fails over to subsequent
method lists when the server fails (i.e. timeout/no response). If the
server rejects the authentication (or authorization), IOS doesn't fail
over.
Bearing this in mind, I don't think using T+ and Radius for the same
auth types is a good idea, you'd essentially need to keep the two
databases in sync
oli
More information about the cisco-nsp
mailing list