
TACACS+ for Network User Authentication

scamarda
Cisco Employee

If I am not mistaken, with ACS you could use TACACS+ as the NAD protocol to authenticate network users.  Looking through the documentation and menus, I do not see that capability in ISE.  Is this configuration possible? Or is TACACS+ in ISE solely for Dev Admin?

1 Accepted Solution

Accepted Solutions

Just to clarify,

Endpoint authentication such as dot1x, MAB and CWA uses RADIUS as a backend protocol. These services generally refer to Network access, and RADIUS is used in that context; ACS supports RADIUS. ACS supports dot1x and MAB in that context.

Device administration can use TACACS+ or RADIUS. However, TACACS+ is the prevalently used method since it supports authentication, session authorization, command authorization and accounting. It offers greater flexibility for Device management and audit. The RADIUS protocol can be used by Third party devices that do not support TACACS+. RADIUS authorization needs to send the attributes during authorization for that.

ISE has all the protocol support that ACS has. ISE 2.0 started supporting TACACS+. If you are using an ISE version prior to ISE 2.0 you may not see that. TACACS+ is a service that needs to be enabled in the UI under Administration --> Deployment for that ISE node. We have a workcenter for Device administration where you see relevant information.

-Krishnan


3 Replies

ldanny
Cisco Employee

Hi,

ACS can use T+ for Network Access as long as you're in no need of EAP, which is not supported, hence the use of Radius for NA.

To answer your question ISE uses Radius for Network Access and T+ for Device Management only.

-Danny

Jason Kunst
Cisco Employee

Can you please explain the use case?