UCS RADIUS versus TACACS

Greetings,
We are running UCS Manager 2.1(3c) and are currently using RADIUS authentication to an ACS4 server.
We are in the process of upgrading to ACS5.6 and my question is around the authentication and accounting protocols.
Q:  Which is best, or suitable - RADIUS or TACACS?
I know in the past there have been limitations of both protocols for various functions.  We have simple needs...  2 levels of RBAC - Full Read-Write access (Administrator as defined in local UCS parlance) and Read-Only (Operations as defined locally on UCS).
Given those parameters, would TACACS be suitable, and will that give sufficient accounting functionality?
Thanks in advance.
Reece...


Similar Messages

  • RADIUS or TACACS Server Recommendations

    Can anyone point to a good, inexpensive RADIUS or TACACS server solution that runs on Windows?  Cisco ACS is a bit more money than is wanted to part with at the moment.
    Thanks in advance.  All replies rated.

    I guess that is a case only with W2K3STD, where the number of RADIUS/AAA clients is limited to 50 only.
    NPS provides different functionality depending on the edition of Windows Server 2008 that you install:
    Windows Server 2008 Enterprise and Windows Server 2008 Datacenter. These server editions include NPS. With NPS in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure a group of RADIUS clients by specifying an IP address range.
    Windows Server 2008 Standard. This server edition includes NPS. With NPS in Windows Server 2008 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of two remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Authenticating against RADIUS *AND* TACACS

    G'day...
    Toys:
    Cisco Secure ACS 3.2
    Cisco 1242 Access Points
    I want to authenticate spectralink phones via LEAP (Radius Aironet) and IT staff logging onto the CLI via TACACS+, all off the same ACS Server.
    The only way I have gotten this to work is to setup TWO Network Device Groups, and add the access point in TWICE (with different unique hostnames). One authenticating RADIUS, and the other profile authenticating TACACS.
    Is this the right way to go about it? Why can't I pick two authentication methods under the one AAA Client profile?
    Cheers,
    Andrew.

    Hi,
    The AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device; you can assign any name. What is important is the IP address, which allows the device and ACS to communicate via each AAA protocol.
    If your device needs to use both TACACS+ and RADIUS to authenticate 2 different users, then your method is right. This is because a device with the same name cannot use both AAA methods to authenticate users (different operation). You have to use 2 different names, but running on the same IP for both TACACS+ and RADIUS.
    I am using the same approach to authenticate remote access clients and network admin in my Access Server.
    Rgds,
    AK

  • Best Radius or Tacacs+ program?

    Morning everyone,
    I would like to set up either a TACACS or RADIUS solution here. Wondering what other people have found to be the best server for either of these, preferably free if one exists.
    Thanks

    Ok, I have freeRADIUS installed and running. I can authenticate the test user. I set up the router with a few basic AAA commands. The router sends requests to the RADIUS server; however, I get a line saying:
    Login incorrect: [testing/N!:\302\362}\204\307\214\337!\003\tc\302L] (from client private-network-2 port 194 cli 172.16.101.202)
      WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
    Login incorrect: [testing/N!:\302\362}\204\307\214\337!\003\tc\302L] (from client private-network-2 port 194 cli 172.16.101.202)
      WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
    The shared secret is just SECRET, and the password is password for testing purposes. Has anyone on here set up freeRADIUS correctly?
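The warning in the log above comes from how RADIUS PAP carries a password. The NAS does not encrypt the User-Password attribute with a real cipher; it XORs the null-padded password with an MD5 stream derived from the shared secret and the Request Authenticator (RFC 2865, section 5.2). A server configured with a different secret reverses the XOR with the wrong stream and gets random-looking bytes, which FreeRADIUS renders with octal escapes exactly like the `\302\362}\204` fragments in the post. The following Python is an added example, not code from the post or from FreeRADIUS; the authenticator, password and secrets are constructed sample values, and the octal rendering and the "unprintable bytes" heuristic are an approximation of what FreeRADIUS prints, not its code.

```python
import hashlib

# Constructed sample value (not from the post): a fixed 16-byte Request
# Authenticator so the run is reproducible. A real NAS picks it at random.
SAMPLE_AUTHENTICATOR = bytes(range(16))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side of RFC 2865 section 5.2: obfuscate a PAP User-Password.

    The password is null-padded to a multiple of 16 bytes; each block is
    XORed with MD5(secret + previous ciphertext block), the first block
    using the Request Authenticator in place of a previous block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding. With the wrong shared secret the MD5
    stream differs, so the result is random-looking bytes, not the password.
    Trailing nulls are padding and are stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def looks_like_secret_mismatch(revealed: bytes) -> bool:
    """The check behind the server's warning: a PAP password that decodes to
    bytes outside printable ASCII almost always means the NAS and the server
    are using different shared secrets."""
    return any(c < 0x20 or c > 0x7E for c in revealed)


def render_like_log(revealed: bytes) -> str:
    """Render bytes roughly the way the quoted log does: printable ASCII as-is,
    everything else as a three-digit octal escape (\\302, \\362, ...)."""
    return "".join(chr(c) if 0x20 <= c <= 0x7E else "\\%03o" % c for c in revealed)


def diagnose(password: bytes, nas_secret: bytes, server_secret: bytes) -> dict:
    """Simulate one Access-Request: the NAS hides the password with its secret,
    the server reveals it with its own, and we report what the server sees."""
    hidden = hide_password(password, nas_secret, SAMPLE_AUTHENTICATOR)
    seen = reveal_password(hidden, server_secret, SAMPLE_AUTHENTICATOR)
    return {
        "server_sees": render_like_log(seen),
        "secret_mismatch_suspected": looks_like_secret_mismatch(seen),
        "password_recovered": seen == password,
    }


if __name__ == "__main__":
    print(diagnose(b"password", b"SECRET", b"SECRET"))   # secrets match
    print(diagnose(b"password", b"SECRET", b"SECRET1"))  # NAS and server disagree
```

Running `diagnose` with two different secrets reproduces the symptom in the post: the server sees a string full of octal escapes and flags a probable secret mismatch, while the same request with matching secrets decodes cleanly to the password. Because the hiding is a keyed XOR and not authenticated encryption, the secret's only protection is its entropy and the confidentiality of the link; that is the usual argument for keeping RADIUS traffic on a management network and using long, random shared secrets.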

  • Combining radius with tacacs+ with secure acs

    Hi all,
    I'm looking forward to implementing dot1x with secure acs but I also want to keep tacacs+ for command authorization (basically I also want to restrict what commands users can access). Can this be done?

    Thanks. Someone recommended having 2 servers (one for TACACS+ and one for RADIUS), but because of the huge cost of Secure ACS that isn't feasible for us.

  • Default Privilege Level for ASA users authenticated by Radius or TACACS when using ASDM

    Hello,
    I'm trying to figure out what the default privilege level is for users that are authenticated to the ASA via a remote authentication server when using the ASDM.
    the command "aaa authentication http console TACACS+ LOCAL" is used in the ASA config.
    The remote server is NOT setting any privilege levels for users.  There are also no aaa authorization commands present in the config.
    So what privilege level do the users receive when they log in with the ASDM?  I'm being told that the users receive admin access, which includes config write, reboot, and debug.  But I cannot find any documentation stating the default level.
    Please advise.  And providing links to cisco documentation would be great too.
    Thanks,
    Brendan

    Hi Brendan,
    Hope the below excerpt from the document clarifies your query. I have also provided the link to refer to.
    About Authorization
    Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:
    • Management commands
    • Network access
    • VPN access
    Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.
    If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.
    The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html
    Regards
    Karthik

  • ASA 5585-X TACACS+/RADIUS Server

    All,
    Can the ASA 5585-X's act as an AAA TACACS+ and/or RADIUS server for network infrastructure devices?
    I've used Cisco Secure ACS for TACACS and RADIUS AAA..
    My client has ordered a bunch of them.   They don't have an AAA solution and were just told they will need to implement AAA on network infrastructure devices.
    Thanks for any information.
    Stephanie

    Adding to Jan's correct answer.
    The current Cisco RADIUS offerings are either the ACS product (RADIUS and TACACS+) or Identity Services Engine (ISE - RADIUS only). Both are offered in both appliance and VM formats.
    Besides NPS on Windows Server, there are also open source projects of both RADIUS and TACACS+ servers available.

  • Authentication providers for TACACS+ and RADIUS

    Does anyone supply WLS 8.1 authentication providers for TACACS+ and/or
    RADIUS?
    Ben

    So in the ACS network config you add 2 NASes (or should that be NASi?)
    One is of type TACACS+, enter the device ip and secret. The other is RADIUS - unless you need to use some vendor specific trickery you could stick with IETF RADIUS to keep it simple. Again enter the IP and the secret.
    Assuming you have at least 1 user in, say, the default group (ACS group 0), you then need to do some basic setup. In ACS a single group can have both RADIUS and TACACS+ config :-)
    RADIUS will pretty much default to PPP anyway, but you should still set the Service-Type to Framed and set session timeouts etc.
    With T+ you tick the boxes for the services that are allowed. For SSH login you might have to define a custom service first (under interface config)
    Suggest you first take time to scan through the ACS docs.

  • Use Tacacs+ for Admin auth & Radius for user Auth?

    Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
    If I setup a server in Server Manager under Radius, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.

    I don't know about 1200s, but you can do this on 1130AGs. Create an AAA group for authentication via RADIUS and one for TACACS+, then use the AAA groups to point console/vty to the TACACS+ group and EAP authentication to the RADIUS group.
    e.g.:
    ! RADIUS server group used for EAP (wireless user) authentication
    aaa group server radius rad-group
     server x.x.x.x auth-port xxxx acct-port xxxx
    ! TACACS+ server group used for administrator logins
    aaa group server tacacs+ admin-access
     server x.x.x.x
    ! Method lists: EAP -> RADIUS group; admin login and exec authorization -> TACACS+ group, falling back to the local database
    aaa authentication login eap-method group rad-group
    aaa authentication login auth-admin-access group admin-access local
    aaa authorization exec default group admin-access local
    Now under the SSID part of the config have:
    dot11 ssid yyyyyy
     authentication open (or whatever method you use) eap eap-method
    Under console/vty etc.:
     login authentication auth-admin-access
    You need some more stuff like RADIUS and TACACS+ server keys, but the above should get you started. On 1130AGs don't use AAA authentication for http(s); it looks like it overloads the AAA server at the moment (see field notices). This probably doesn't apply to 1200s.

  • Tacacs+ Config Issues

    On a 3750 running IOS 15.0(2)SE4, when issuing tacacs-server host X.X.X.X I receive "the cli will be deprecated soon". Please advise.

    The syntax of the AAA commands for both RADIUS and TACACS+ is being changed in the newer code. Take a look at this link for some examples:
    http://slaptijack.com/networking/new-style-tacacs-configuration/
    Hope this helps!
    Thank you for rating helpful posts! 

  • 802.1x using authentication from NT Domain Controller instead of Radius

    I would like to know if it's possible to configure 802.1x using authentication from NT Domain Controller, instead of using Radius or Tacacs.

    It is possible to use MS AD, generic LDAP, Novell NDS for authentication, it's fairly common.
    The issue is "How do you get the device to talk to the authentication source ... (AD, DC, NDS, LDAP)?"
    The answer is RADIUS.
    You can configure RADIUS to pull authentication from a variety of sources (depending on the RADIUS server; many/most can use any of the LDAP-based systems).
    So, yes, certainly you can use the Microsoft AD, but you need RADIUS to connect the two systems (the 802.1x device and the AD server).
    If cost is the issue, try freeRADIUS (www.freeradius.org) - it's fully featured (can use LDAP, AD, NDS, Certificates, etc), it's free, and configuration is much easier than it looks ....
    Good Luck
    Scott

  • WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

    Can the WLC 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

    Yes, that is correct. You can set ACS to use both RADIUS and TACACS+.
    For this you need to add the WLC twice in ACS --> Network Configuration, but you need to keep the host names different.
    eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
    2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
    You need to set up tacacs commands on WLC along with radius commands.
    Regards,
    ~JG
    Please rate helpful posts

  • Configuring AAA network client on ACS v5.1 using the same RADIUS attributes from ACS v3.3

    Hello,
    I was wondering if I should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as the one I was using on my old ACS v3.3 server.
    Example: under ACS v3.3 I was using the RADIUS (Cisco Aironet) attribute to authenticate APs & WLCs; should I do the same under ACS v5.1?
    Best regards.

    Hello,
    When defining AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA Client entry. All AAA client would be defined as RADIUS or TACACS+ only.
    If you were using specific VSA Attributes then you need to send those attributes back configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
    And here are the available attributes for the ACS for RADIUS Aironet:

  • ACS v4 & radius

    A device wants to talk to the ACS server to get authentication services. It wants to use CHAP. Where is the CHAP option as applied to the RADIUS authentication function? How do you set up RADIUS in ACS to accept CHAP password authentication for RADIUS requests?
    Specifically, Qradar wants to query Cisco ACS v4.2 to see if users logging into Qradar are authorized to do so. This fails because I can't find the place (if any) in ACS where CHAP can be used.

    ACS can act as both a RADIUS and a TACACS+ server.
    As for what kind of issues to expect: you need to check for open caveats in the release notes of ACS 4.1.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/index.htm
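The thread above does not say where CHAP lives in ACS, but it is worth seeing what a CHAP request over RADIUS actually contains, because that explains the constraint a practitioner keeps running into: the server must recompute MD5(identifier + password + challenge), so it needs the user's password in cleartext (or reversibly stored), and a backend that keeps only one-way hashes cannot verify CHAP at all (RFC 1994). The Python below is an added example, not code from the post or from ACS or QRadar; the attribute type numbers are the RFC 2865 values for CHAP-Password (3) and CHAP-Challenge (60), the challenge and user record are constructed sample values, and the dictionary standing in for the user store is a hypothetical stand-in, not any product's schema.

```python
import hashlib
import hmac

# RFC 2865 attribute type codes used by CHAP over RADIUS.
CHAP_PASSWORD = 3
CHAP_CHALLENGE = 60


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge).
    The 'secret' here is the user's password, in cleartext."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_attributes(ident: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side: encode CHAP-Password (identifier + 16-byte response) and
    CHAP-Challenge as RADIUS type/length/value attributes."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier is one byte")
    if not 1 <= len(challenge) <= 253:
        raise ValueError("challenge must fit in one attribute")
    response = chap_response(ident, password, challenge)
    chap_password = bytes([CHAP_PASSWORD, 2 + 1 + len(response), ident]) + response
    chap_challenge = bytes([CHAP_CHALLENGE, 2 + len(challenge)]) + challenge
    return chap_password + chap_challenge


def parse_attributes(blob: bytes) -> dict:
    """Minimal RADIUS TLV walk; a later duplicate overwrites an earlier one."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        typ, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs[typ] = blob[i + 2:i + length]
        i += length
    return attrs


def verify_chap(blob: bytes, user_record: dict) -> bool:
    """Server side. user_record is a constructed stand-in for the backend user
    store: {"cleartext": b"..."} when the password is recoverable, otherwise
    only a one-way hash, which CHAP cannot use."""
    attrs = parse_attributes(blob)
    if CHAP_PASSWORD not in attrs or CHAP_CHALLENGE not in attrs:
        # Real servers fall back to the Request Authenticator as the challenge;
        # this example requires the explicit attribute to stay short.
        raise ValueError("not a CHAP request with an explicit CHAP-Challenge")
    chap_password = attrs[CHAP_PASSWORD]
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be identifier + 16-byte MD5 response")
    ident, response = chap_password[0], chap_password[1:]
    cleartext = user_record.get("cleartext")
    if cleartext is None:
        # The structural reason CHAP is often unavailable: a backend that stores
        # only salted one-way hashes cannot recompute the expected response.
        raise LookupError("CHAP needs the cleartext or reversibly stored password")
    expected = chap_response(ident, cleartext, attrs[CHAP_CHALLENGE])
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample: a fixed challenge so the run is reproducible.
    request = build_chap_attributes(7, b"password", bytes(range(16)))
    print(verify_chap(request, {"cleartext": b"password"}))  # True
    print(verify_chap(request, {"cleartext": b"wrong"}))     # False
```

The `LookupError` branch is the part that matters when troubleshooting: if the user store behind the RADIUS server cannot hand back a cleartext or reversibly encrypted password, no amount of server-side configuration will make CHAP work, and the client has to use PAP (over a protected link), MS-CHAPv2 against a store holding NT hashes, or an EAP method instead.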

  • WLC s/w v4.1 and TACACS unreachable

    In,
    Cisco WLC_Config Guide_Web & CLI_Release 4.1
    it says,
    "If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to log into the controller."
    Does this mean it does not support a fail-safe password like IOS does where the Enable password can be used to get into a router if TACACS+ is unreachable?

    Hi Mark,
    No, the local database is always queried first.
    Please read Chapter 5 and the section on configuring TACACS:
    "You can specify the order of authentication when multiple databases are configured, click Security > Priority Order > Management User. The Priority Order > Management User page will appear."
    It goes on further to explain:
    For Authentication Priority, choose either Radius or TACACS+ to specify which server has priority over the other when the controller attempts to authenticate management users. By default, the local database is always queried first. If the username is not found, the controller switches to the TACACS+ server if configured for TACACS+ or to the RADIUS server if configured for Radius. The default setting is local and then Radius."
    Hope this helps.
    Paul
