[c-nsp] running radius/tacacs+ on the same router

virendra rode // virendra.rode at gmail.com
Fri Jun 15 16:40:56 EDT 2007



comments in-line:


Oliver Boehmer (oboehmer) wrote:
> virendra rode // <> wrote on Friday, June 15, 2007 6:44 AM:
> 
> 
>> Has anyone configured tacacs+ and radius to be used on the same router
>> for the same types of access modes? If so, I'd like to hear your thoughts.
>> This setup is due to a multivendor environment that my client is
>> running.
>>
>> Some basic questions:
>>
>> a. would a router authenticate tacacs+ and radius simultaneously
>> for single user for same types of access modes? For example,
>>
>> aaa new-model
>> aaa authentication login default group tacacs+|radius line
> 
> If you expressed this as "aaa authentication login default group tacacs+
> group radius line" this would technically work.
> 
>> aaa authorization exec default group tacacs+|radius if-authenticated
> 
> As Radius doesn't allow for a separate authorization request, this would
> only work if the authentication was performed using the same protocol, as
> IOS uses the authorization AVPs from the authentication response
> (Access-Accept). So you need to give the same order of the methods, but
> I would not use this (see also further down).
--------------------------
Aren't authentication and authorization combined within RADIUS?

> 
>> aaa authorization commands 7 group tacacs+|radius if-authenticated
> 
> This is not possible with Radius.

> 
>> b. what happens (for sake of this example) if user is not known to the
>> tacacs+ (user got deleted, unreachable, timeout, etc), would the
>> request be passed onto the radius server?
> 
> Except for the "local" AAA method, IOS only fails over to subsequent
> method lists when the server fails (i.e. timeout/no response). If the
> server rejects the authentication (or authorization), IOS doesn't fail
> over.
----------------
Makes sense.

> 
> Bearing this in mind, I don't think using T+ and Radius for the same
> auth types is a good idea; you'd essentially need to keep the two
> databases in sync.
----------------------
What if ACS was running in primary and secondary mode, running tacacs+
and radius?


Is there an operational practice or BCP template for the above scenario
that I can look at?


regards,
/virendra


> 
> 	oli
> 
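As an added illustration that is not part of the original thread or of IOS itself, the following Python model walks an `aaa authentication login` method list the way Oli describes: a later method is tried only when the earlier one errors (timeout, unreachable), a reject ends evaluation without failover, and `local` is modelled, as an assumption, as falling through when the username is unknown. User tables, passwords and the `line` password are constructed.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # Access-Accept / TACACS+ PASS
    FAIL = "fail"    # explicit reject from the server or database
    ERROR = "error"  # no usable answer: timeout or unreachable server

def server_group(name, users, reachable=True):
    """A 'group tacacs+' / 'group radius' style method over a user table.
    An unreachable server is an ERROR; a bad or unknown user is a reject."""
    def method(user, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return name, method

def local(users):
    """The 'local' method, modelled (assumption) so that an unknown username
    falls through to the next method while a bad password is a reject."""
    def method(user, password):
        if user not in users:
            return Result.ERROR
        return Result.PASS if users[user] == password else Result.FAIL
    return "local", method

def line(password):
    """The 'line' method: the line password as the last resort."""
    return "line", lambda user, pw: Result.PASS if pw == password else Result.FAIL

def authenticate(method_list, user, password):
    """Walk a method list the way the thread describes IOS doing it:
    only ERROR moves on to the next method; PASS or FAIL ends evaluation.
    Returns (outcome, name of the method that decided)."""
    for name, method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return result, name
    return Result.FAIL, None  # every method errored out

# Constructed user tables, deliberately out of sync (the thread's caveat).
TACACS_USERS = {"alice": "t+secret"}
RADIUS_USERS = {"alice": "t+secret", "bob": "radpw"}

def scenario(tacacs_up=True, radius_up=True):
    """'aaa authentication login default group tacacs+ group radius line'."""
    methods = [server_group("tacacs+", TACACS_USERS, reachable=tacacs_up),
               server_group("radius", RADIUS_USERS, reachable=radius_up),
               line("linepw")]
    probes = (("alice", "t+secret"), ("bob", "radpw"), ("ops", "linepw"))
    return {user: authenticate(methods, user, pw) for user, pw in probes}
```

With TACACS+ reachable, `bob` is rejected by TACACS+ even though RADIUS knows him, which is point (b) of the thread; only when TACACS+ times out does RADIUS get asked.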