Jonathon,
Do you actually have this working in production? I have never configured it this way
and I do not think that I would recommend using different AAA protocols to back each
other up. The first reason is related to the administrative burden that this would
entail - since the authorization and accounting formats are different on tac+ and
radius I think that verifying that each change made to the primary policy database (in
tac+) is reflected completely and properly in the secondary policy db (radius) would
be a considerable task. Add to this the fact that tac+ allows user attributes to
override group attributes when some radius implementations do not and the fact that
some parameters have different syntax in the protocols (i.e. raccess vs. rtelnet) and I
think that this could be a rough ride.
There is another difference in the two protocols that may cause headaches WRT
authorization - tac+ completes authentication and authorization in discrete steps;
radius typically caches the authorization attributes obtained during the
authentication phase. What happens when the user is authenticated via the radius
failover option and then authorization is needed - are the cached attributes from the
authentication used, or is there another communication with the radius server during
which the user is prompted for the authentication information (i.e. account and
password)?
Regards,
tcw
>Date: Sat, 12 Feb 2000 09:44:00 +1100
>From: Jonathon William Ross <[EMAIL PROTECTED]>
>Subject: Re: configuring tacacs+ & radius on the same router
>
>Quite straightforward, as a quick read of the documentation available on
>CCO would have told you. This is assuming your IOS image supports RADIUS
>(some don't):
>
>radius-server host <hostname>
>radius-server key <password>
><insert-tacacs-server-config>
>aaa new-model
>aaa authentication ppp default tacacs+ radius
>
>i.e.: radius is only consulted if the tacacs+ server FAILS. If the
>tacacs+ server denies the user, radius is never consulted.
>
> JWR
>
>
>On Fri, Feb 11, 2000 at 12:58:10PM +0000, Gerardo Soto said:
>> Hello everyone:
>>
>> I am using a single 2511 cisco router that is already
>> running tacacs+ for authorization and accounting purposes. I am planning
>> to use a backup server running radius daemon. My question is:
>> Can the same router be configured to run tacacs+ and radius simultaneously?
>> I mean, like I said the router is already running tacacs+ with a
>> specific host, I am going to use a different host to run radius daemon
>> on a (NT server). Will the additional radius daemon affect the router?
>>
>> Any help will be deeply appreciated.
>> Regards,
>>
>> *******************************************************************************
>> Ing. Gerardo Soto Casados
>> Compu-Redes
>> Labastida # 37 Esq. Tijuana
>> San Martin Texmelucan Puebla
>> Tel. y Fax (012)4845888
>> e-mail: [EMAIL PROTECTED]
>> http://www.compu-redes.net.mx
>> *******************************************************************************
>
>-- 
>+---------------------------------------------------+----------------------+
>| Jonathon W. Ross | Web: www.isa.net.au |
>| Systems Administrator | Tel: +61 2 6230 4444 |
>| Internet Solutions Australia Pty Ltd | Fax: +61 2 6230 4455 |
>| Wholly Owned Subsidiary of Ramsgate Resources Ltd | ACN: 086 692 211 |
>+---------------------------------------------------+----------------------+
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
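tcw's concern about keeping the tac+ policy and its radius backup in step is the kind of thing worth checking mechanically rather than by eye. The following is an added example, not code from anyone on this thread: it models both policy tables as constructed dicts, applies the tac+ rule that user attributes override group attributes, maps an assumed raccess/rtelnet equivalence, and reports every user whose radius copy has drifted from the effective tac+ policy.

```python
# Constructed TACACS+ policy: users inherit group attributes and may override them.
TACACS_GROUPS = {
    "netops": {"priv-lvl": "15", "service": "raccess", "idletime": "10"},
    "helpdesk": {"priv-lvl": "1", "service": "raccess"},
}
TACACS_USERS = {
    "alice": {"group": "netops"},
    "bob": {"group": "helpdesk", "priv-lvl": "7"},   # per-user override
    "carol": {"group": "netops", "idletime": "30"},
}
# Constructed RADIUS policy: flat per-user table, no group inheritance.
RADIUS_USERS = {
    "alice": {"priv-lvl": "15", "service": "rtelnet", "idletime": "10"},
    "bob": {"priv-lvl": "1", "service": "rtelnet"},  # override never copied
    # carol was never added to the backup server
}
# Assumed equivalences for values spelled differently per protocol.
VALUE_ALIASES = {("service", "raccess"): "rtelnet"}

def effective_tacacs(user):
    """Merge the user's group attributes with their own; the user's win."""
    entry = TACACS_USERS[user]
    attrs = dict(TACACS_GROUPS.get(entry.get("group"), {}))
    attrs.update({k: v for k, v in entry.items() if k != "group"})
    return attrs

def normalize(attrs):
    """Rewrite TACACS+ value spellings into the RADIUS ones before comparing."""
    return {k: VALUE_ALIASES.get((k, v), v) for k, v in attrs.items()}

def find_drift(tac_users=TACACS_USERS, rad_users=RADIUS_USERS):
    """Return {user: [differences]} for every user whose RADIUS copy is off."""
    drift = {}
    for user in sorted(tac_users):
        expected = normalize(effective_tacacs(user))
        actual = rad_users.get(user)
        if actual is None:
            drift[user] = ["missing from RADIUS"]
            continue
        diffs = [f"{k}: tacacs+={expected.get(k)!r} radius={actual.get(k)!r}"
                 for k in sorted(set(expected) | set(actual))
                 if expected.get(k) != actual.get(k)]
        if diffs:
            drift[user] = diffs
    return drift

if __name__ == "__main__":
    for user, problems in find_drift().items():
        print(user, *problems, sep="\n  ")
```

Run against real exports, the same loop flags both the missed per-user override (bob) and the account that was never mirrored to the backup server (carol), which are exactly the two failure modes that make a failover to a second protocol unreliable.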