From: Christopher M. Heffner (cheffner@certified-labs.com)
Date: Wed Dec 13 2006 - 10:59:15 ART
For the routers you would just configure both the tacacs-server and
radius-server commands.
aaa new-model
tacacs-server host 1.1.1.1 key cisco
radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 key cisco
For the PIX just configure two sets of aaa-server commands with
different aaa group names.
aaa-server TAC-1 protocol tacacs+
aaa-server TAC-1 (inside) host 1.1.1.1 cisco timeout 10
aaa-server RAD-1 protocol radius
aaa-server RAD-1 (inside) host 1.1.1.1 cisco timeout 10
On the AAA Server just configure two AAA clients under the Network
Configuration with different names with the same ip address and then
choose the correct protocol for tacacs or radius.
HTH.
Christopher M. Heffner, CCIE 8211, CCSI 98760
Strategic Network Solutions, Inc.
________________________________
From: Alec [mailto:packtmon@yahoo.com]
Sent: Tuesday, December 12, 2006 6:56 PM
To: Christopher M. Heffner; Tony Schaffran; Group Study
Subject: RE: ACS using both Radius & Tacacs+ simultaneously
Hey Christopher,
This is great to know. Thanks for posting this info.
But, thinking about what you're saying, I'm not sure how this would be
configured on the AAA client side.
When the protocol (Tacacs or Radius) is specified, you can only enter
one protocol. So, would you config 2 AAA groups, one for Tacacs and
another for Radius and just point each group to the same ACS server
address?
Also, how is this configured on the ACS side?
Thanks again, A
"Christopher M. Heffner" <cheffner@certified-labs.com> wrote:
Actually this changed in 3.3 ACS code.
You can now have a device communicate to the same ACS via TACACS and
RADIUS at the same time.
HTH
Christopher M. Heffner, CCIE 8211, CCSI 98760
Strategic Network Solutions, Inc.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Tony Schaffran
Sent: Tuesday, December 12, 2006 3:03 PM
To: 'Alec'; 'Group Study'
Subject: RE: ACS using both Radius & Tacacs+ simultaneously
Unless it has changed in version 4.0, that is not possible.
You can only have one entry for each network device and it needs to be
configured as a TACACS or RADIUS client, not both.
Tony Schaffran
Network Analyst
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE
www.cconlinelabs.com
Your #1 choice for online Cisco rack rentals.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Alec
Sent: Tuesday, December 12, 2006 9:15 AM
To: Group Study
Subject: ACS using both Radius & Tacacs+ simultaneously
Hi all,
I noticed that some ACS features require Radius, e.g. downloadable ACLs,
while other features require Tacacs+, e.g. command accounting.
If I wanted to use both features but only had a single ACS server, would
that be possible?
If so, how would I configure a single ACS to run both Tacacs+ and Radius
simultaneously?
Thanks in advance
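
Added example (editor's code, not from any poster in this thread): a small Python check that parses the router and PIX AAA lines shown in the top reply and reports, per ACS address, whether both TACACS+ and RADIUS are defined and whether the two definitions reuse one shared key, as the thread's lab values do. The function names, the regular expressions and the PIX 6.x line layout (key as the word after the host address) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed samples: the router and PIX lines quoted in the thread.
ROUTER = """\
aaa new-model
tacacs-server host 1.1.1.1 key cisco
radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 key cisco
"""
PIX = """\
aaa-server TAC-1 protocol tacacs+
aaa-server TAC-1 (inside) host 1.1.1.1 cisco timeout 10
aaa-server RAD-1 protocol radius
aaa-server RAD-1 (inside) host 1.1.1.1 cisco timeout 10
"""

IOS = re.compile(r"^(tacacs|radius)-server host (\S+)(?:.*\skey (\S+))?")
PIX_PROTO = re.compile(r"^aaa-server (\S+) protocol (\S+)")
PIX_HOST = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)(?: (\S+))?")

def aaa_servers(config):
    """Return {host: {protocol: key}} from IOS or PIX style AAA lines."""
    groups = {}                  # PIX group tag -> protocol
    servers = defaultdict(dict)
    for line in map(str.strip, config.splitlines()):
        if m := IOS.match(line):
            proto = "tacacs+" if m[1] == "tacacs" else "radius"
            servers[m[2]][proto] = m[3]
        elif m := PIX_PROTO.match(line):
            groups[m[1]] = m[2].lower()
        elif m := PIX_HOST.match(line):
            key = None if m[4] == "timeout" else m[4]   # host line without a key
            servers[m[3]][groups.get(m[1], "unknown")] = key
    return dict(servers)

def audit(config):
    """List hosts missing one protocol, or sharing one key across both."""
    findings = []
    for host, protos in aaa_servers(config).items():
        if not {"tacacs+", "radius"} <= protos.keys():
            findings.append(f"{host}: only {sorted(protos)} defined")
        elif protos["tacacs+"] and protos["tacacs+"] == protos["radius"]:
            findings.append(f"{host}: same shared secret for TACACS+ and RADIUS")
    return findings

if __name__ == "__main__":
    for name, cfg in (("router", ROUTER), ("pix", PIX)):
        print(name, aaa_servers(cfg), audit(cfg))
```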
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART