Can you be more specific about where the problem you’re facing is? Can you tell us which commands originally were not available and what alternative commands you tried using? That way we can take a closer look and help you out more effectively.
@ReneMolenaar is continuously in the process of updating the content on NetworkLessons, for both the new exams, as well as keeping up with the changes in the IOS commands. Thanks for pointing this out, I will let Rene know to make a note of updating this content accordingly.
Difference between TACACS+ server, RADIUS server and RADIUS/TACACS+ client.
I am trying to understand the basic difference between a TACACS+ client and TACACS+ server, a RADIUS client and RADIUS server, and ISE.
Since TACACS+ is Cisco proprietary, can we only configure a centralized server on Cisco ACS or Cisco ISE acting as the TACACS+ server, while a Windows 2012 server acts as the centralized RADIUS server? And do network access devices such as Cisco switches act as either TACACS+ clients or RADIUS clients, with a source interface VLAN on the switch that carries the RADIUS or TACACS+ traffic towards the centralized servers?
In the shared authentication model, is your Windows PC or Macintosh laptop the supplicant while your Cisco switch is the authenticator, which authenticates using the credentials of the local directory on ISE or LDAP on a Microsoft AD server?
Is authentication done locally at the Cisco switch with the response of the RADIUS server from Microsoft AD or the TACACS+ Cisco ISE, or is it all done at the end devices through a secured tunnel? I am not getting deeper into authentication protocols like EAP-FAST or PEAP. I just want to understand the device roles, as in where the authentication process happens between the three nodes, starting with the host supplicants, the authenticator (network switch) and the back-end authentication device like ISE or Microsoft AD LDAP.
TACACS+ and RADIUS are two different families of protocols that perform similar functions. Some details about each:
TACACS+ is Cisco proprietary but started out as an authentication protocol for UNIX systems in the 1980s
TACACS+ can be run on a VM, and there are versions that can be run on Windows as well
TACACS+ uses TCP
RADIUS is a protocol standardized by the IETF
RADIUS can run on most Linux and Windows platforms
RADIUS uses UDP by default but can also be configured to use TCP
Both fundamentally do the same thing but each has some specialisations that the other may not cover. As far as ISE goes, it uses TACACS+ for network device management and auditing, but it also supports RADIUS for standard AAA services and integrates with external RADIUS servers as well. You can find more info about ISE at this Cisco Datasheet.
As far as RADIUS and TACACS+ clients go, these can be any devices, either network devices or hosts, that support these protocols. The vast majority of consumer grade devices will support RADIUS, but a smaller but substantial subset will also support TACACS+.
In a configuration similar to that in the lesson, the Windows PC is the supplicant, the authenticator is the switch, and the authentication server is the external TACACS+/RADIUS server. So the authenticator will do the authentication, but will use the credential information found in the database of the authentication server to authenticate or deny the supplicant. However, if you configure the switch to have the local database as a backup, the role of the authentication server will be taken over by the switch in the event of a failure in communication with the authentication server.
So authentication is done locally at the switch with the response from the server.
Thanks for the detailed explanation.
1) I have seen cipher configured on ISE in some examples. Does ISE play the role of the authenticator here, bypassing the authenticator, which is a Cisco switch?
2) In a regular environment, where is the centralized RADIUS server configured? I know a Windows 2012 server can act as Active Directory with LDAP for storing account credentials, but where do RADIUS servers and TACACS+ servers reside? Do they reside on Linux boxes or on some special products?
If you employ the use of an ISE device, it plays the role of the authentication server. The authentication takes place at the switch. It is the only place that it can take place, because that’s where the physical port for which authentication takes place resides. The switch will query the ISE (authentication server) and respond by either enabling or disabling access itself (the switch itself is the authenticator).
A RADIUS server (or any type of authentication server) can reside anywhere you like as long as the authenticator has network access to the authentication server to query it. Usually, the authentication server will exist on some Windows or Linux server in the enterprise’s datacentre, if it exists, either as a physical device or as a VM. But there is no limitation on where it will be. The only thing that is necessary is network connectivity from the authenticator to the authentication server.
This command allows you to specify the radius server. You must specify an IP address, but if you don’t specify the auth-port and the acct-port, the default values are 1645 and 1646 respectively as seen in this Cisco command reference. Now according to the IETF and in RFCs 2865 and 2866, RADIUS uses 1812 and 1813 but many systems use the 1645 and 1646 as defaults. In any case, you must use the ports configured on your RADIUS server, and in the lesson, these are the ports used by the Elecktron Radius server.
For configurations that use AAA for various command authorizations, take a look at the following lesson:
One of the things that 802.1X is capable of doing is instructing the switch not only to provide access to a host on a particular port, but also to define the VLAN on which that port will operate. This is useful as you can configure the RADIUS server to enable particular VLANs on specific access ports based on the authentication credentials of the host. That way you can predefine which VLAN each user will have access to.
One of the prerequisites for this to function correctly is that the VLAN to which a particular host is to be assigned must exist on the switch.
Based on this particular error message, it seems that the RADIUS server was attempting to assign a VLAN to the access port of that particular host to a VLAN that does not exist.
Can you share with us the context of this particular error message? Does this explanation fit well with the specific scenario in which you see this error message appear? Let us know…
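The "VLAN must exist on the switch" prerequisite described above, as an added example that is not part of this thread or the lesson: it parses the RFC 2868 tunnel attributes in a RADIUS Access-Accept (the assumed way a server hands out a VLAN), extracts the assigned VLAN, and checks it against the VLANs listed in `show vlan brief` output. The packets and the switch output are constructed samples.

```python
import struct

# RFC 2868 tunnel attributes that carry a dynamic VLAN assignment (assumed usage)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802, ACCESS_ACCEPT = 13, 6, 2

def parse_attributes(packet):
    """Return (code, {attr_type: raw_value}) from a RADIUS packet (RFC 2865 layout)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # skip the 4-byte header and 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs

def tagged_int(value):  # tag byte followed by a 3-byte big-endian integer (RFC 2868 3.1)
    return int.from_bytes(value[1:4], "big")
def tagged_string(value):  # a first byte <= 0x1F is a tag, otherwise it belongs to the string
    return (value[1:] if value and value[0] <= 0x1F else value).decode()

def assigned_vlan(packet):
    """VLAN id (int) or VLAN name (str) from an Access-Accept; None if none is assigned."""
    code, a = parse_attributes(packet)
    if (code != ACCESS_ACCEPT or TUNNEL_PRIVATE_GROUP_ID not in a
            or tagged_int(a.get(TUNNEL_TYPE, bytes(4))) != TUNNEL_TYPE_VLAN
            or tagged_int(a.get(TUNNEL_MEDIUM_TYPE, bytes(4))) != TUNNEL_MEDIUM_802):
        return None
    group = tagged_string(a[TUNNEL_PRIVATE_GROUP_ID])
    return int(group) if group.isdigit() else group

def switch_vlans(show_vlan_brief):  # VLAN id -> name from 'show vlan brief' rows
    rows = (line.split() for line in show_vlan_brief.splitlines())
    return {int(r[0]): r[1] for r in rows if len(r) >= 2 and r[0].isdigit()}

def check_assignment(packet, show_vlan_brief):
    """The lesson's prerequisite: the VLAN the server hands out must exist on the switch."""
    vlan, vlans = assigned_vlan(packet), switch_vlans(show_vlan_brief)
    if vlan is None:
        return "no VLAN assigned"
    return "ok" if vlan in vlans or vlan in vlans.values() else "VLAN %s does not exist on switch" % vlan

# Constructed samples (not real captures): Access-Accepts with a zeroed authenticator, 'show vlan brief' rows
ACCEPT_VLAN_10 = bytes.fromhex("02010025" + "00" * 16 + "40060100000d" + "410601000006" + "5105013130")
ACCEPT_VLAN_30 = ACCEPT_VLAN_10[:-2] + b"30"
SHOW_VLAN_BRIEF = "1    default   active    Gi0/3\n10   USERS     active    Gi0/1\n20   PRINTERS  active    Gi0/2"
```

Running `check_assignment(ACCEPT_VLAN_30, SHOW_VLAN_BRIEF)` reproduces the mismatch the error message above points at: the server assigns VLAN 30 but the switch only has VLANs 1, 10 and 20.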
Hi. Quick question. I am changing the IP scheme, with the OLD VLAN not the same as the NEW VLAN, on a small branch site, and I would like to know how I would migrate the user IP addresses to use the NEW IP SUBNETS with an 802.1X-enabled switch.
Keep in mind that 802.1X is a purely Layer 2 mechanism. The EAPoL protocol that is used from the supplicant to the authenticator occurs independently of any IP addressing scheme. Changing the IP addressing scheme of the clients that use the 802.1X feature will not affect the AAA operation.
The only IP connectivity that is necessary is between the authenticator (the switch in the case of the lesson topology) and the authentication server running RADIUS or TACACS+. If the IP addresses on networks between these devices have changed, make sure that IP communication is restored before attempting to authenticate any supplicants.
Network users might bring their own wireless router from home and connect it to the switch so they can share wireless internet with all their colleagues. An access point like this is called a rogue access point and this is something you DON’T want to see on your network. It’s hard to detect because on the switch you’ll only see one MAC address. The router is doing NAT, so you will only see one IP address; this is something you can’t prevent with port security. One way of dealing with issues like this is to use AAA.
I am wondering. If the network users have been provided with the necessary credentials to access the network and pass the AAA check, what prevents them from using the same credentials for the Wireless Router? Couldn’t they just use the same username/password to authenticate the router itself?
Yes, assuming the wireless router/AP supports 802.1X authentication, you can use the credentials you are given for your PC to connect to the network. But AAA gives you many more options for authenticating devices on a network using 802.1X. For example, you can configure the AAA server so that only one instance of the user can be used at any time. So if you’re already logged in using your PC, you can’t use the same credentials for the router/AP. Sure, you can unplug your PC and plug in the router/AP, but not both.
To resolve this, with AAA you can also specify the MAC address that is allowed on a particular port. So even if you put in your correct credentials, the MAC address of your router/AP will be disallowed.
So you can resolve the security issues due to the fact that you have much more control over many more factors of authentication.