Combining both TACACS+ and RADIUS

Hey all,

I'm trying to get dot1x to authenticate using RADIUS through SecureACS but I also want TACACS+ command authorization. Theoretically, I can create a "virtual" interface and assign all outgoing tacacs packets to there so you can have that same switch be added to ACS twice but this doesn't seem to work (though from the config samples it should).

This is what I have down:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login not_auth none
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa accounting auth-proxy default start-stop group tacacs+

interface Loopback0
 ip address 192.168.2.2 255.255.255.0

ip tacacs source-interface Loopback0

Both tacacs+ and radius servers are the same IP. Is there any other command I am missing?

Thanks.

Reply to
psychogenic

Where do you have Tacacs+ and Radius servers definitions?

What's not working exactly?

Regards Slawek

Reply to
Slawomir Furmanek

Both radius and tacacs were defined as:

tacacs-server host 192.168.x.x
tacacs-server directed-request
tacacs-server key 7 blabblahblah
radius-server host 192.168.x.x auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 blahblahblah

Both tacacs and radius are on the same server (which hosts SecureACS). On the SecureACS side I have it set where the IP of the switch is configured to accept radius authentication and the loopback0 interface I created on that same switch to accept tacacs authentication. When I try to log in with a network account it gives me authentication failed. :(

Erasing all of that and having the ip of the switch to accept either/or tacacs / radius authentication works fine.

This is stuff I pulled from this guide here:

formatting link

Reply to
psychogenic
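
An added example, not part of the thread: a small Python audit of a switch config that reports, for TACACS+ and RADIUS, whether a method list references the protocol, which servers are defined, and which local address is pinned as the packet source, so the result can be compared with the two device entries on the AAA server. The Vlan1 interface, its address and the server address 192.0.2.10 are constructed placeholders; the thread redacts the real ones.

```python
import re

# Constructed sample: commands from the thread, one per line, plus a
# placeholder Vlan1 interface and server address (assumptions, not from the posts).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization commands 15 default group tacacs+ none
interface Loopback0
 ip address 192.168.2.2 255.255.255.0
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
ip tacacs source-interface Loopback0
tacacs-server host 192.0.2.10
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646
"""

def audit_aaa_sources(config):
    """Per protocol: is it referenced, which servers exist, and which local
    address is pinned as source (None means the egress interface is used)."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)          # entering an interface block
            continue
        m = re.match(r"\s+ip address (\S+) \S+", line)
        if m and current:
            addrs[current] = m.group(1)   # remember the interface address
        elif not line.startswith(" "):
            current = None                # back at global config level
    report = {}
    for proto, group in (("tacacs", "tacacs+"), ("radius", "radius")):
        src = re.search(rf"^ip {proto} source-interface (\S+)", config, re.M)
        used = re.search(rf"^aaa .* group {re.escape(group)}(\s|$)", config, re.M)
        hosts = re.findall(rf"^{proto}-server host (\S+)", config, re.M)
        report[proto] = {
            "referenced": bool(used),
            "servers": hosts,
            "missing_servers": bool(used) and not hosts,
            "source_interface": src.group(1) if src else None,
            "source_ip": addrs.get(src.group(1)) if src else None,
        }
    return report

if __name__ == "__main__":
    for proto, info in audit_aaa_sources(SAMPLE_CONFIG).items():
        print(proto, info)
```

On the sample, TACACS+ is pinned to 192.168.2.2 while RADIUS has no pinned source, so the address the server sees for RADIUS depends on the egress interface.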
