[c-nsp] running radius/tacacs+ on the same router

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Sat Jun 16 01:42:34 EDT 2007


virendra rode // <mailto:virendra.rode at gmail.com> wrote on Friday, June
15, 2007 10:41 PM:

>
>> 
>>> Has anyone configured tacacs+ and radius to be used on the same
>>> router for the same types of access modes? If so, I'd like to hear your
>>> thoughts. This setup is due to a multivendor environment that my
>>> client is running.
>>> 
>>> Some basic questions:
>>> 
>>> a. would a router authenticate tacacs+ and radius simultaneously
>>> for a single user for the same types of access modes? For example,
>>> 
>>> aaa new-model
>>> aaa authentication login default group tacacs+|radius line
>> 
>> If you expressed this as "aaa authentication login default group
>> tacacs+ group radius line" this would technically work.
>> 
>>> aaa authorization exec default group tacacs+|radius if-authenticated
>> 
>> As Radius doesn't allow for a separate authorization request, this
>> would only work if the authentication was performed using the same
>> protocol, as IOS uses the authorization AVPs from the authentication
>> response (Access-Accept). So you need to give the same order of the
>> methods, but I would not use this (see also further down).
> - --------------------------
> Aren't authentication and authorization combined within radius?

This was my point. So if you did

aaa authentication login default group tacacs+
aaa authorization exec default group radius

this would not work. 

However, 

aaa authentication login default group radius
aaa authorization exec default group radius

works: IOS remembers the information from the authentication request and
uses it to authorize the shell.

Never tried, but 

aaa authentication login default group radius
aaa authorization exec default group tacacs+

would result in two requests, one to Radius and one authorization
request to T+.

>> 
>> Bearing this in mind, I don't think using T+ and Radius for the same
>> auth types is a good idea, you'd essentially need to keep the two
>> databases in sync
> - ----------------------
> What if ACS was running in primary and secondary mode running tacacs+
> and radius?

Yes, if you use the same AAA server, this would work. But I would still
use a single method on the AAA client (the router).

> Is there an operational practice or bcp template for the above
> scenario that I can look at?

Well, what's the goal? BCP is using T+ for management
(login/exec/cmd-auth/cmd-acct) and Radius for remote-access (PPP, etc.).
If you have multiple user databases to authenticate from, try to solve
this on the backend, i.e. use a single protocol with this server, and
have the server query other server(s) if required.

	oli
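The two points made in the reply above, that authentication and authorization for a given access type should stay on one protocol (so IOS can reuse the attributes from the RADIUS Access-Accept, or send a proper T+ authorization request), and the BCP of T+ for management and RADIUS for remote access, put together as an IOS AAA configuration. This is an added example, not configuration from the thread or from the original poster; the server addresses, group names, method-list names and keys are made up, and the keys are placeholders.

```cisco
! Added example, not from the thread: TACACS+ for device management
! (login / exec / command authorization and accounting), RADIUS for
! PPP remote access. Addresses (RFC 5737 documentation range), group
! names, list names and keys are invented.
aaa new-model
!
! -- servers (placeholder keys) --
tacacs-server host 192.0.2.10 key REPLACE-WITH-TACACS-KEY
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key REPLACE-WITH-RADIUS-KEY
!
aaa group server tacacs+ MGMT-TAC
 server 192.0.2.10
aaa group server radius RA-RADIUS
 server 192.0.2.20 auth-port 1812 acct-port 1813
!
! -- management plane: every list uses the same protocol (T+), so the
!    exec/command authorization requests go to the server that did the
!    login; "local" is only a fallback when the T+ group is unreachable --
aaa authentication login MGMT group MGMT-TAC local
aaa authentication enable default group MGMT-TAC enable
aaa authorization exec MGMT group MGMT-TAC local
aaa authorization commands 15 MGMT group MGMT-TAC local
aaa accounting exec MGMT start-stop group MGMT-TAC
aaa accounting commands 15 MGMT start-stop group MGMT-TAC
!
! -- remote access (PPP): RADIUS only, authentication and network
!    authorization on the same protocol, so the authorization AVPs
!    arrive in the Access-Accept and no second request is needed --
aaa authentication ppp REMOTE group RA-RADIUS
aaa authorization network REMOTE group RA-RADIUS
aaa accounting network REMOTE start-stop group RA-RADIUS
!
! -- bind each named list where it applies, nothing is left on
!    "default" except enable --
line vty 0 4
 login authentication MGMT
 authorization exec MGMT
 authorization commands 15 MGMT
 accounting exec MGMT
 accounting commands 15 MGMT
 transport input ssh
!
interface Virtual-Template1
 ppp authentication chap REMOTE
 ppp authorization REMOTE
 ppp accounting REMOTE
```

The `local` fallback only helps if a local `username ... privilege 15 secret ...` exists; leave it off the command-authorization list if the policy is that nobody gets a shell while the T+ servers are down. Keep a console session open while applying this, and check reachability of each group with `show aaa servers` (and, on IOS versions that support it, `test aaa group MGMT-TAC <user> <password> legacy`) before closing the existing vty.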

