Posture Assessment passed in Error using Cisco ISE

Hi all,
I would like some help trying to understand why a client that had not been connected to the network for just over a month was allowed full network access despite the AV definitions being over 28 days old.
We have 2 mandatory posture requirements:
1. Symantec AV MUST be installed
2. The AV definitions MUST be LESS THAN 28 days out of date
Currently, the machine I have is showing the AV defs as being 25th March 2013.
When I produce the detailed posture report, it even shows me that the two mandatory requirements as described above were successfully met, meaning the endpoint is posture compliant. Clearly this is not the case though...!
Is there anything else I can check on the ISE to help debug this?
Mario

Hi,
You might have two problems:
1. In ISE you have a global setting regarding the unsupported NAC Agent clients (Android, etc.) that specifies what their default compliance status is. If the default setting is "compliant" and you don't have a provisioning rule for that client, or you simply don't have client provisioning rules, any machine that doesn't fit a provisioning rule (i.e. ISE thinks it is not supported) will get a compliance status of compliant even though the NAC Agent is installed and the rules are not satisfied.
2. NAC Agent version problem?
I've seen in logs that you're using NAC Agent 4.9.1.6 but the latest recommended version of NAC Agent to be used with (the latest) ISE is version 4.9.0.51.
Version 4.9.1.6 is a NAC Appliance release and Cisco offers no guarantee that it is 100% compatible with ISE.
Check
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp78131
Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine (ISE)
Cisco supports different versions of the NAC Agent for integration with NAC Appliance and ISE. Current releases are developed to work in either environment; however, interoperability between deployments is not guaranteed. Therefore, there is no explicit interoperability support for a given NAC Agent version intended for one environment that will necessarily work in the other. If you require support for both NAC Appliance and ISE using a single NAC Agent, be sure to test the NAC Agent in your specific environment to verify compatibility. Unless there is a specific defect or feature required for your NAC Appliance deployment, Cisco recommends deploying the most current agent certified for your ISE deployment. If an issue arises, Cisco recommends restricting the NAC Agent's use to its intended environment and contacting Cisco TAC for assistance. Cisco will be addressing this issue through the standard Cisco TAC support escalation process, but NAC Agent interoperability is not guaranteed. Cisco is working on an approach to address NAC Agent interoperability testing and support in an upcoming release.
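
As an added example (not from the original post or from Cisco), here is a small Python model of the decision the reply describes: the two mandatory requirements from the question, the global default applied to a client that matches no provisioning rule, and a cross-check over posture report rows that flags endpoints reported Compliant while a requirement actually fails. The report rows, their names and the assessment date are constructed; only the 25 March 2013 definition date comes from the post.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Requirement 2 from the post: definitions must be LESS THAN 28 days out of date.
MAX_DEF_AGE_DAYS = 28


@dataclass
class PostureRow:
    """One row of a detailed posture report (constructed shape, not the real ISE export)."""
    endpoint: str
    matched_provisioning_rule: bool   # False = ISE treats the client as an unsupported agent
    av_installed: bool
    av_def_date: Optional[date]       # None when no definition date was reported
    reported_status: str              # what the report claims: "Compliant" / "NonCompliant"


def evaluate_requirements(row: PostureRow, today: date) -> Dict[str, bool]:
    """Apply the two mandatory requirements from the post to one endpoint."""
    defs_fresh = (
        row.av_def_date is not None
        and (today - row.av_def_date).days < MAX_DEF_AGE_DAYS
    )
    return {"av_installed": row.av_installed, "defs_fresh": defs_fresh}


def posture_status(row: PostureRow, today: date,
                   unsupported_default: str = "Compliant") -> str:
    """Model the decision path described in the reply.

    When the client matched no client-provisioning rule, the requirements are
    never evaluated and the global default for unsupported clients is returned.
    A default of "Compliant" is fail-open: stale definitions still pass.
    """
    if not row.matched_provisioning_rule:
        return unsupported_default
    checks = evaluate_requirements(row, today)
    return "Compliant" if all(checks.values()) else "NonCompliant"


def audit_report(rows: List[PostureRow], today: date) -> List[str]:
    """Return endpoints the report marks Compliant although a requirement fails.

    This is the reconciliation a defender can run over an exported report to
    catch fail-open results like the one in the post.
    """
    suspicious = []
    for row in rows:
        failed = [name for name, ok in evaluate_requirements(row, today).items() if not ok]
        if row.reported_status == "Compliant" and failed:
            suspicious.append(f"{row.endpoint}: reported Compliant but failed {', '.join(failed)}")
    return suspicious


# Constructed sample data. The definition date is the one quoted in the post;
# the assessment date is assumed (the post says "just over a month" later).
ASSESSMENT_DATE = date(2013, 5, 1)
SAMPLE_ROWS = [
    PostureRow("mario-laptop", False, True, date(2013, 3, 25), "Compliant"),  # the case in the post
    PostureRow("patched-desktop", True, True, date(2013, 4, 28), "Compliant"),
    PostureRow("no-av-kiosk", True, False, None, "NonCompliant"),
    PostureRow("edge-case-28d", True, True, date(2013, 4, 3), "Compliant"),   # exactly 28 days: not "less than"
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row.endpoint,
              "fail-open:", posture_status(row, ASSESSMENT_DATE),
              "fail-closed:", posture_status(row, ASSESSMENT_DATE, unsupported_default="NonCompliant"))
    for line in audit_report(SAMPLE_ROWS, ASSESSMENT_DATE):
        print("AUDIT:", line)
```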

Similar Messages

  • Another kind of error, upgrading Cisco ISE 1.1.4 patch 3 to 1.2

    I'm failing to upgrade our distributed ISE environment of 3 nodes.
    Using ise-upgradebundle-1.1.x-to-1.2.0.899.i386.gz, MD5 sum is verified.
    All nodes are running 1.1.4 patch 3 and the cluster is in sync.
    Trying to upgrade the secondary admin node first, I get this error:
    Save the current ADE-OS running configuration? (yes/no) [yes] ?
    Generating configuration...
    Saved the ADE-OS running configuration to startup successfully
    Initiating Application Upgrade...
    % Warning: Do not use Ctrl-C or close this terminal window until upgrade completes.
    STEP 1: Stopping ISE application...
    STEP 2: De-registering node from current deployment.
    % Error: De-registering node from current deployment failed.
    Starting application after rollback...
    % Warning: Do the following steps to revert node to its pre-upgrade state.
    -Ensure that node is still present in current deployment from Primary UI, if not present register this node back again.
    error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1

    Upgrading a Distributed Deployment to Cisco ISE, Release 1.2
    http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_011.html
    It states that:
    Before You Begin
    If you do not have a secondary Administration node in the deployment, configure one Policy Service node to be the secondary Administration node before beginning the upgrade process.
    Upgrade the secondary Administration node from the CLI.
    The upgrade process automatically deregisters Node Secondary Admin Node from the deployment and upgrades it to Release 1.2. Node Secondary Admin Node becomes the primary node of the new deployment when it restarts. Because each deployment requires at least one Monitoring node, the upgrade process enables the Monitoring persona on Node B even if it was not enabled on this node in the old deployment. If the Policy Service persona was enabled on Node B in the old deployment, this configuration is retained after upgrading to t

  • CWA using Cisco ISE issue

    Good morning everyone,
    I have some trouble using my Cisco ISE to do Central Web Authentication. I followed this configuration example: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    But for the moment, clients can't see the web portal. My WLC and my Cisco ISE are configured as presented in the document; when clients connect to the AP, they are listed in the Cisco ISE with the correct authorization profile, but the URL redirection doesn't work as I want: clients have to enter the IP address manually in the web browser to log in through the Cisco ISE.
    If anyone has already had this problem, maybe you could tell me more about it.
    Thanks in advance!

    Good news!
    I resolved my problem 15 minutes ago. For people who have the same problem: I just changed the static route in my WLC. The issue was that I broadcast the same VLAN as the one used for the management interface, and by adding the network allowing admins to reach the service-port, all traffic of my broadcast VLAN was sent to the service-port. A simple netmask modification resolved the problem.
    I still have a problem with CoA, which doesn't work properly: I have to disconnect/reconnect to the SSID to get complete access, but I'm going to continue my research on that.
    Thanks all for your help !!!!

  • Reauthentication Problem in Endpoints Using Cisco ISE 1.1

    Hi,
    Can anyone suggest why, if a laptop/desktop goes into sleep mode or stays connected to an interface configured for 802.1X for more than 12 hours, it does not work or does not connect to the Exchange server, Cisco ISE console, Office Communicator...
    For re-authentication I need to restart the PC/laptop or unplug and replug the LAN cable!
    But before restarting I am able to ping all DNS, DHCP, OCS, everything....
    Below is the interface configuration:
    sh running-config interface gigabitEthernet 3/0/19
    Building configuration...
    Current configuration : 909 bytes
    interface GigabitEthernet3/0/19
    description Access Ports
    switchport access vlan 309
    switchport mode access
    ip access-group ACL-ALLOW in
    no logging event link-status
    power inline never
    srr-queue bandwidth share 1 60 30 10
    srr-queue bandwidth shape 10 0 0 0
    priority-queue out
    authentication control-direction in
    authentication event fail action next-method
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    mls qos trust dscp
    dot1x pae authenticator
    dot1x timeout tx-period 10
    no cdp enable
    spanning-tree bpduguard enable
    spanning-tree guard loop
    service-policy input access_in
    ip dhcp snooping limit rate 20
    end

    Hi Sachin,
    Thanks for your prompt response. Here is the port configuration. My users are connected behind Cisco IP Phones and we are using CWA for wired guests as well.
    interface GigabitEthernet0/1
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Thanks

  • Delete language template in use Cisco ISE

    Hi, I have a problem updating my ISE. There is a faulty language template in use, as I can see in the log files. It's not a system template, so I want to proceed to delete it, but I can't because it's still in use by a sponsor or a user; the problem is that the sponsor groups had the option "Maximum Duration of Account" set to 999999.
    Is there a way to log out all sponsors (they are not local users)?
    This is the output log when updating the ISE. I had to open a TAC case because my first-line support couldn't update from the latest 1.1.4 to 1.2:
    PortalConfigUpgradeUtil: getInstance
    adding default attributes to SponsorUser.
    UpgradeUtil: Add attribute: DefaultGuestRole to object type: SponsorUser
    UpgradeUtil: Added attribute: DefaultGuestRole
    UpgradeUtil: Add attribute: DefaultTimeProfile to object type: SponsorUser
    UpgradeUtil: Added attribute: DefaultTimeProfile
    UpgradeUtil: Add attribute: DefaultLanguageNotification to object type: SponsorUser
    UpgradeUtil: Added attribute: DefaultLanguageNotification
    UpgradeUtil: Add attribute: LoginUsername to object type: SponsorUser
    UpgradeUtil: Added attribute: LoginUsername
    Setting default attributes on SponsorUser ...
    upgrade default attributes for sponsoruser: 175fa0e0-8969-11e1-8db8-005056b00068
    upgrade default attributes for sponsoruser: domainuser1
    upgrade default attributes for sponsoruser: domainuser2
    failed to update sponsor user: Invalid Language Template: Spanish
    com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Invalid Language Template: Spanish
        at com.cisco.cpm.guest.impl.SponsorUserImpl.save(SponsorUserImpl.java:916)
        at com.cisco.cpm.guest.upgrade.PortalConfigUpgradeUtil.updateDefaultSponsorUserAttributes(PortalConfigUpgradeUtil.java:149)
        at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgradeGuestDefaults(GuestUpgradeService.java:3154)
        at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgrade(GuestUpgradeService.java:349)
        at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:131)
        at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:184)
    GuestUpgradeService: Failed to upgrade guest defaults Invalid Language Template: Spanish
    Error while applying changes in version: 1.2.0.882 class: com.cisco.cpm.guest.upgrade.GuestUpgradeService
    com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Invalid Language Template: Spanish
        at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgradeGuestDefaults(GuestUpgradeService.java:3162)
        at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgrade(GuestUpgradeService.java:349)
        at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:131)
        at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:184)
    Caused by: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Invalid Language Template: Spanish
        at com.cisco.cpm.guest.impl.SponsorUserImpl.save(SponsorUserImpl.java:916)
        at com.cisco.cpm.guest.upgrade.PortalConfigUpgradeUtil.updateDefaultSponsorUserAttributes(PortalConfigUpgradeUtil.java:149)
        at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgradeGuestDefaults(GuestUpgradeService.java:3154)
        ... 3 more
    ERROR! isedataupgrade.sh FAILED. ISE GLOBAL DATA UPGRADE FAILED
    After a clean install of 1.2 and restoring the backup of 1.1.4 I get the same error:
    failed to update sponsor user: Invalid Language Template: Spanish
    com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Invalid Language Template: Spanish
         at com.cisco.cpm.guest.impl.SponsorUserImpl.save(SponsorUserImpl.java:916)
         at com.cisco.cpm.guest.upgrade.PortalConfigUpgradeUtil.updateDefaultSponsorUserAttributes(PortalConfigUpgradeUtil.java:149)
         at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgradeGuestDefaults(GuestUpgradeService.java:3154)
         at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgrade(GuestUpgradeService.java:349)
         at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:131)
         at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:184)
    GuestUpgradeService: Failed to upgrade guest defaults Invalid Language Template: Spanish
    Error while applying changes in version: 1.2.0.882 class: com.cisco.cpm.guest.upgrade.GuestUpgradeService
    com.cisco.cpm.infrastructure.upgrade.api.UpgradeFailureException: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Invalid Language Template: Spanish
         at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgradeGuestDefaults(GuestUpgradeService.java:3162)
         at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgrade(GuestUpgradeService.java:349)
         at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.UpgradeServices(UpgradeServiceRegistrar.java:131)
         at com.cisco.cpm.infrastructure.upgrade.impl.UpgradeServiceRegistrar.main(UpgradeServiceRegistrar.java:184)
    Caused by: com.cisco.cpm.nsf.api.exceptions.NSFEntitySaveFailed: Invalid Language Template: Spanish
         at com.cisco.cpm.guest.impl.SponsorUserImpl.save(SponsorUserImpl.java:916)
         at com.cisco.cpm.guest.upgrade.PortalConfigUpgradeUtil.updateDefaultSponsorUserAttributes(PortalConfigUpgradeUtil.java:149)
         at com.cisco.cpm.guest.upgrade.GuestUpgradeService.upgradeGuestDefaults(GuestUpgradeService.java:3154)
         ... 3 more
    ERROR! isedataupgrade.sh FAILED. ISE GLOBAL DATA UPGRADE FAILED

    Hi, Alexander De Menezes from the TAC team helped me to solve this issue; it is related to the internal Oracle database.
    Kind regards

  • Script errors using Cisco Agent Desktop - BE

    When pulling up a website with Java in the integrated browser on the CAD, we get Script Error pop-ups. Normally in IE you can disable debugging and notifications via the Advanced tab, but this doesn't carry over to the integrated browser. Is there a fix?

    To address this, correct the JavaScript errors in the web page or use an external browser. Newer versions of IE by default suppress pop-ups displaying JavaScript errors to the user.
    Refer to the bug: CSCsk02359

  • Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

    We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
    They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
    What I knew prior to researching this request was that the NAC agent is only compatible with endpoints running Windows or Mac OS X.
    Digging around, Linux endpoints are postured with a 'default-posture' status, and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these types of checks possible with Cisco ISE posture assessment on a Linux endpoint?
    One item I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
    I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
    Any thoughts? Thanks in advance.

    Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
    Thank you for rating helpful posts!

  • Cisco ISE - Not use FQDN in url-redirect parameter

    Hi,
    I am using Cisco ISE Central Web Authentication for Guest Wireless. Clients are redirected for web authentication to: https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa as it is specified by the url-redirect parameter in the Authorization Profile.
    The “ip” field in the url is now replaced by the FQDN of the Cisco ISE, but I want to use the IP address instead of the FQDN. Is there any way to do that?
    As far as I know in version 1.2 you can use the “ip host/no ip host” command to indicate what you want to use in the URL. However my Cisco ISE is running version 1.1.1.268.
    Thank you very much.
    Joana.

    Available in 1.2, and available as a "bit of a bodge" in 1.1.x (read "a lot of a bodge").
    If you only have one PSN then you may be able to get it to work, but after that you lose the ability to get the session to be pointed automatically at whichever PSN they hit initially so it would break.
    Copy the settings that are applied when you use CWA, then create your own based on the same settings but using the ip address pasted in there instead.

  • Cisco ISE posture check for VPN

    Hello community,
    First of all, thank you for taking the time to read my post. I have a deployment which requires posture checks on VPN machines from Cisco ISE. I know that once a machine is in the LAN, Cisco ISE can detect it and enforce posture checks on clients with the AnyConnect agent, but how about VPN machines? The VPN will be terminated on a VPN concentrator which then connects to an ASA 5555-X deployed as IPS only. Are there any clues to this?
    Thank you!

    The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.
    The results of the posture validation are then sent to the ISE. If the machine is deemed compliant, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.
    http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html

  • Cisco ISE 1.2 and Symantec Endpoint Protection

    Hi Experts,
    Good Day!
    I'm just wondering if ISE 1.2 is able to detect an application/software on a laptop, like Symantec Endpoint Protection, before giving the user access to the network? Is it possible?
    I tried searching over the internet; however, I can't find any documentation about it.
    Thank you for your support.
    Cheers,
    Niks

    Hello, have you checked the posturing service of ISE? With the ISE posture service enabled you can check antivirus installation, antivirus version, antivirus definition date, etc. Check the following link for the different posture assessment options available:
    http://www.cisco.com/en/US/partner/docs/security/ise/1.2/user_guide/ise_pos_pol.html#wp2276381

  • Guest Activity on Cisco ISE

    Is it possible to monitor the web pages visited by a guest using Cisco ISE?

    Hi Gino,
    Yes, you can use the Guest Activity option. The Guest Activity report provides details about the websites that guest users are visiting. You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.
    This report is available at: Operations > Reports > Endpoints and Users > Guest Activity.
    To use this report you must first:
    • Enable the passed authentications logging category. Choose Administration > Logging > Logging Categories and select Passed authentications.
    • Enable these options on the firewall used for guest traffic:
    – Inspect HTTP traffic and send data to the Cisco ISE Monitoring node. Cisco ISE only requires the IP address and accessed URL for the Guest Activity report, so, if possible, limit the data to include just this information.
    – Send syslogs to the Cisco ISE Monitoring node.
    Please check the below link for further information,
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_guest_pol.html#wp1056645

  • Guest Posture Assessment for MAC OSX

    Hi
    I need to perform posture assessment for guest users who own Mac OS X machines, but I couldn't find a Web Agent available for Mac OS X, just the regular NAC Agent for Mac, so I need to know if it's supported?
    Thanks

    The Mac OS X Agent needs to be used for posture assessment and remediation:
    http://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_webagt.html#wp1556106

  • Cisco ISE - multiple AD - trust relationships

    Hello,
    I have a customer who has multiple AD forests and an ISE deployment running 1.1.3.
    The customer scenario is as follows: there is an Internal AD forest (internal users) and an External AD forest (external users such as consultants). The objective is to use Cisco ISE to authenticate and authorize the users in both AD forests. Cisco ISE is connected to the Internal AD forest.
    We know that multiple AD support is coming in 2014 with version 1.3; other options such as LDAP/EAP-TLS are not viable for the customer.
    1. Currently, the Internal AD forest has an External, Non-transitive, one-way trust with the External Forest.
         a. The objective here is to use a feature called Selective Authentication in order to filter the outgoing requests from the External Forest to the Internal Forest; this is a selective trust feature that can be used to control access to specific resources in the Internal Forest and for authentication between Internal/External Forest via Cisco ISE.
         b. Preliminary testing has shown that a one-way trust seems to work for Cisco ISE authentication/authorization.
         c. Further testing is underway to test the Selective Authentication feature (i.e. restrict access to specific resources etc.).
    Question: has anyone used this, and is this a supported method by Cisco (I know they mention a mutual trust relationship is required)?
    2. We are exploring a second scenario: the Internal AD forest will have an External, Non-transitive, two-way trust with the External Forest.
         a. Same objectives as in 1; we would attempt to use Selective Authentication in the following fashion (this is an example):
              i. External Forest has an outgoing filter to allow access to specific resources in the Internal Forest, and for authentication.
              ii. Internal Forest has an incoming filter to deny access to all resources in the External Forest.
    In this case we would filter so it resembles a one-way trust relationship. Has anyone tried this, and does anyone know if this would be a supported method by Cisco?
    Thanks in advance for your replies.
    Robert C.

    Cisco has published a nice new guide on Active Directory integration with ISE 1.3. As noted there:
    "Cisco ISE can connect with multiple Active Directory domains that do not have a two-way trust or have zero trust between them. Active Directory multi-domain join comprises a set of distinct Active Directory domains with their own groups, attributes, and authorization policies for each join."
    I've set up one such deployment just recently and found it quite simple to just add the second domain and use it as an external identity source accordingly.

  • Guest Wireless Cisco ISE 1.3

    I am setting up guest wireless in my enterprise using Cisco ISE 1.3.
    I have set up Authorization profiles and Authentication conditions for Guest Wireless. I am however not sure of the Authentication results (the allowed protocol section). Since I want to give Guests INTERNET-ONLY access, I have configured the WLC with an ACL and tied that ACL name to ISE. However, when it comes to Authentication results > Allowed protocols, I am unsure of what to include. For instance, I have created an allowed protocol named 'Wireless_Access', screenshot attached below.
    Please let me know what options have to be checked to suit a guest environment. Any help would be much appreciated. Thanks!

    Hi,
    Below you can find a configuration example for guest access using ISE 1.3.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
    Hope this helps.
    Regards

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe NO, they won't work together, as TACACS and RADIUS are different technologies.
    It's just because TACACS encrypts the whole message and RADIUS just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and RADIUS.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, please review the information below as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).
