[c-nsp] running radius/tacacs+ on the same router

Phil Bedard philxor at gmail.com
Fri Jun 15 20:09:01 EDT 2007


I once had a similar setup with a device on the network that could only do radius when tacacs+ was used on all the other gear. The solution was on the backend, where tacacs+ was managed via a client interface that updated the radius database when changes were made. We did try having the radius server as a fallback for the Cisco devices in case of tacacs+ failure, and that did work, but we took it off in order to have command authorization and logging. Is command-level authorization a big deal? If not, then I would just configure radius on the Cisco instead of complicating things by running both on the same network.

Phil


On Jun 15, 2007, at 12:44 AM, virendra rode // wrote:

> Has anyone configured tacacs+ and radius to be used on the same router
> for the same types of access modes? If so, I'd like to hear your thoughts.
> This setup is due to a multivendor environment that my client is running.
>
> some basic questions,
>
> a. would a router authenticate against tacacs+ and radius simultaneously
> for a single user for the same types of access modes? For example,
>
> aaa new-model
> aaa authentication login default group tacacs+|radius line
> aaa authorization exec default group tacacs+|radius if-authenticated
> aaa authorization commands 7 group tacacs+|radius if-authenticated
> aaa authorization console
> tacacs-server host 192.168.0.101
> tacacs-server key debian
> radius-server host 172.68.0.101
> radius-server key debian
>
>
> b. what happens (for the sake of this example) if the user is not known to the
> tacacs+ server (user got deleted, server unreachable, timeout, etc.)? Would the
> request be passed on to the radius server?
>
>
> Any insight will be appreciated.
>
>
>
> regards,
> /virendra
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

Phil Bedard
philxor at gmail.com
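The following is an added example of an IOS AAA configuration for the setup discussed in this thread; it is not from either poster. It reuses the two server addresses from the question, and the server-group names, method-list names, local username and the two shared-secret placeholders are assumptions. The security-relevant IOS behaviour it relies on is this: a method list is walked in order, and the next method is consulted only when the previous one returns an error (server unreachable, timeout), never when it answers with a reject. So a user deleted from tacacs+ is rejected and is not passed on to radius, and a single login is never sent to both servers at once.

```cisco
aaa new-model
!
! Named server groups keep the primary/fallback order explicit and let the
! radius group sit behind tacacs+ only where radius can actually do the job.
aaa group server tacacs+ TAC-SRV
 server 192.168.0.101
aaa group server radius RAD-SRV
 server 172.68.0.101 auth-port 1812 acct-port 1813
!
! Login: tacacs+ first, radius only if tacacs+ is unreachable, local user only
! if both are unreachable. A reject from tacacs+ ends the list; radius is NOT
! asked about a user that tacacs+ has already refused.
aaa authentication login VTY-AUTH group TAC-SRV group RAD-SRV local
!
! Exec authorization follows the same order. if-authenticated at the end lets
! an already-authenticated user get a shell when no server can answer.
aaa authorization exec VTY-EXEC group TAC-SRV group RAD-SRV if-authenticated
!
! Per-command authorization is a tacacs+ feature; radius has no equivalent, so
! radius is deliberately left out of this list. Caveat: with if-authenticated
! as the fallback, an outage of tacacs+ means any authenticated user can run
! any level-15 command. Use 'none' only if that is an acceptable trade-off;
! otherwise drop the fallback and accept that commands are refused during an
! outage.
aaa authorization commands 15 VTY-CMD group TAC-SRV if-authenticated
!
! Command accounting is likewise tacacs+-only; this is the logging Phil
! refers to losing when radius is in the path.
aaa accounting exec default start-stop group TAC-SRV
aaa accounting commands 15 default start-stop group TAC-SRV
!
! Shared secrets are placeholders (assumption); use distinct, long secrets
! per protocol rather than a single word shared by both servers.
tacacs-server host 192.168.0.101 key TacacsSecretPlaceholder
radius-server host 172.68.0.101 auth-port 1812 acct-port 1813 key RadiusSecretPlaceholder
!
! Local last-resort account for the 'local' method above (assumed name).
username breakglass privilege 15 secret LocalSecretPlaceholder
!
! Bind the named lists to the VTY lines; the console keeps the default lists
! unless 'aaa authorization console' is also set, as in the question.
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-EXEC
 authorization commands 15 VTY-CMD
```

To check which method actually handled a login, `debug aaa authentication` and `debug tacacs` show the method list being walked and whether tacacs+ returned an error (fallback to the next method) or a failure (request ends there); `show aaa servers` reports per-server reachability and timeouts.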