ExtremeSwitching (EXOS)

Can we configure TACACS+ Server for Switch Management and 802.1X User Authentication on RADIUS server on same EXOS switch?

  • 1.  Can we configure TACACS+ Server for Switch Management and 802.1X User Authentication on RADIUS server on same EXOS switch?

    Posted 11-26-2018 08:59
    Can we configure TACACS+ Server for Switch Management and 802.1X User Authentication on RADIUS server on same EXOS switch?
    If yes then please share sample Configuration for Summit X440-24-G2 Switch.



  • 2.  RE: Can we configure TACACS+ Server for Switch Management and 802.1X User Authentication on RADIUS server on same EXOS switch?

    Posted 11-26-2018 11:44
    Hi,

    The documentation says regarding enable tacacs:
    After they have been enabled, all web and Telnet logins are sent to one of the two TACACS+ servers for login name authentication.
    RADIUS can be enabled and disabled independently for switch management and 802.1X, thus I would say that yes, EXOS should be able to use TACACS+ for switch management access authentication and RADIUS for 802.1X at the same time.

    Thanks,
    Erik


  • 3.  RE: Can we configure TACACS+ Server for Switch Management and 802.1X User Authentication on RADIUS server on same EXOS switch?

    Posted 11-26-2018 11:44
    Please see the comments below; it seems as if EXOS does not support TACACS+ and RADIUS at the same time, not even for different authentication realms.


  • 4.  RE: Can we configure TACACS+ Server for Switch Management and 802.1X User Authentication on RADIUS server on same EXOS switch?

    Posted 11-26-2018 11:50
    Per the EXOS User Guide:

    "TACACS+ provides many of the same features provided by RADIUS. You cannot use RADIUS
    and TACACS+ at the same time."

    I have in the past had both configured on the same switch, but used them independently. This is helpful in a migration from TACACS to RADIUS. Both authentication methods were not enabled at the same time.


  • 5.  RE: Can we configure TACACS+ Server for Switch Management and 802.1X User Authentication on RADIUS server on same EXOS switch?

    Posted 11-26-2018 11:50
    Thanks for the information!

    But TACACS+ does not support EAP, thus it does not support 802.1X authentication, while RADIUS does. According to the User Guide, EXOS cannot use TACACS+ to authenticate network login using TACACS+.

    Does enabling TACACS+ (for CLI access to the switch) really interfere with using RADIUS for 802.1X (netlogin) only? I think that is an unexpected limitation of EXOS.

    Anyway, with the User Guide explicitly and repeatedly stating that TACACS+ and RADIUS cannot be used at the same time on EXOS, I stand corrected; EXOS does not seem to support this.

    Thanks,
    Erik


  • 6.  RE: Can we configure TACACS+ Server for Switch Management and 802.1X User Authentication on RADIUS server on same EXOS switch?

    Posted 11-26-2018 11:50
    Understood. It was just a clarification that only one could be used at a time. See the error below when attempting to enable both:

    * X450a-24t.8 # en radius
    Error: You have TACACS+ enabled. To enable RADIUS, disable TACACS+

    * X450a-24t.9 # dis tacacs
    * X450a-24t.10 # en radius
    * X450a-24t.11 #



  • 7.  RE: Can we configure TACACS+ Server for Switch Management and 802.1X User Authentication on RADIUS server on same EXOS switch?

    Posted 11-26-2018 11:50
    Thanks for confirming this with switch output!


  • 8.  RE: Can we configure TACACS+ Server for Switch Management and 802.1X User Authentication on RADIUS server on same EXOS switch?

    Posted 11-26-2018 14:33
    Thanks for your input. So finally I conclude that TACACS & RADIUS cannot be configured simultaneously in EXOS. So to enable 802.1X user authentication through RADIUS, we must disable TACACS for switch management.
    Please correct me if I am wrong.