Cisco TACACS & ACS

[thewizard1972]

Hi

Is it possible to setup Cisco ACS on the same server for TACACS & RADIUS authentication?

Currently i have this running on the same server but RADIUS users are able to telnet on to switches in user mode only.

All TACACS features have been disabled, level 0 etc same with the group but it's made no difference, has anyone got this working?

 

[ADB100]

Slightly vague question but I'll try and offer some help...

With RADIUS authentication by default no Privilege Level is assigned by the RADIUS Server so they will be at Privilege Level 0. You can add the Cisco AV Pair 'shellriv-lvl=15' so when a user authenticates they will automatically be at Privilege Level 15 (or other depending on the value you set). If the user wishes to change privilege level they enter 'enable' or 'enable x' where 'x' is the level required. What IOS does is send a new authentication request with the username '$enab15$' (or '$enab10$' if they wanted privilege level 10). The RADIUS server needs to reference a user account of the same name.

HTH
Andy

 

[thewizard1972]

Andy

Thanks for the post, this has answered another question of mine.

The problem i have at the moment is that Radius account can telent to a switchand logon using their credential but only in user mode not exec.
Somehow i need to figure out how or what is going wrong. Why can a RADIUS account log onto Cisco Devices? Even though the account has no TACACS settings enabled? Makes no sense?

Would value any pointers..