secure acs: tacacs+ and radius together

Has anyone successfully implemented secure acs using both radius and tacacs+ without the need to have two different servers? I'm planning to rollout dot1x (which requires authentication to be done via radius) but I also want command authorization from tacacs+ which I can't seem to emulate with radius.

Thanks.

Reply to
psychogenic

It may not be exactly what you are looking for, but you can do privilege level authorization with RADIUS.

aaa new-model
aaa authentication login myradius group radius local
aaa authorization exec my-authradius group radius if-authenticated
radius-server host w.x.y.z auth-port 1645 acct-port 1646 non-standard

line vty 0 4
 password 7 23459287234
 authorization exec my-authradius
 login authentication myradius

In your radius config, define return list attributes that sets a user's privilege level:

Service-Type: NAS-Prompt
Cisco-AVPAIR: shell:priv-lvl=15

If a user logs in via telnet, they will automatically be put into privilege level 15 (enable mode). You can set the priv level for individual users or groups of users. Then you can tune the privilege level required for certain commands using the privilege command.

Reply to
Mark Williams

Hi Mark,

Thanks. Yes, I saw that with radius. However, I didn't know you can f
> It may not be exactly what you are looking for, but you can do

Reply to
psychogenic

Yes. You can fine-tune what privilege level is required for which commands on a per-switch basis using the privilege command in global config mode. For example, if you wanted to require privilege level 7 for the command who, use the following:

privilege exec level 7 who

Reply to
Mark Williams
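An added example (not from the thread or from Cisco) modelling how the two pieces described above fit together: the switch takes shell:priv-lvl from the RADIUS return list and compares it against the per-command levels set with privilege exec level. The sample reply, the config lines and the short default-level table are constructed here and deliberately simplify IOS behaviour; the point to notice is that a missing or malformed attribute must fall back to level 1, not to enable mode.

```python
import re

# Constructed sample of the thread's return-list attributes (illustrative).
SAMPLE_REPLY = {"Service-Type": "NAS-Prompt", "Cisco-AVPair": ["shell:priv-lvl=15"]}

# Constructed sample of the per-switch statements discussed in the thread.
SAMPLE_PRIV_CONFIG = """
privilege exec level 7 who
privilege exec level 7 show running-config
privilege exec level 15 configure terminal
"""

# Abbreviated stand-in for the IOS defaults: these commands need level 15
# unless moved; everything else is assumed to sit at level 1 (user EXEC).
DEFAULT_LEVEL_15 = {"configure", "show running-config", "reload", "debug"}
AVPAIR_RE = re.compile(r"^shell:priv-lvl=(\d{1,2})$")

def priv_level_from_reply(attrs):
    """Level the switch would grant from the return list. A missing, malformed
    or out-of-range attribute yields level 1 (fail closed), never 15."""
    for pair in attrs.get("Cisco-AVPair", []):
        m = AVPAIR_RE.match(pair.strip())
        if m and 0 <= int(m.group(1)) <= 15:
            return int(m.group(1))
    return 1

def parse_privilege_config(text):
    """Map each command in 'privilege exec level N <cmd>' lines to N."""
    levels = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[:3] == ["privilege", "exec", "level"]:
            levels[" ".join(parts[4:])] = int(parts[3])
    return levels

def command_level(command, levels):
    """Level required for a command: the longest configured prefix wins,
    otherwise the default table above decides."""
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in levels:
            return levels[prefix]
        if prefix in DEFAULT_LEVEL_15:
            return 15
    return 1

def authorized(command, reply, config_text):
    # True when the RADIUS-assigned level covers the command's required level.
    return priv_level_from_reply(reply) >= command_level(command, parse_privilege_config(config_text))
```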

Rats. That would suck though if I had to do this for 50 switches? :)

Reply to
psychogenic
