At the end of the lab, you want everything working as requested. So leave nothing broken at the end if at all possible.

If the requirements don't force you into one solution or another, what I prefer to do for the service selection rules would be to have one for client RADIUS, one for management RADIUS, and one for TACACS. That helps make the policy rule writing a bit simpler if the client and management RADIUS rules are in separate sections. There's less chance of a client hitting a management rule and vice versa. Also, you may not want to have the same default rule for each. In the end, try to go with the simplest solution that meets the requirements. You don't get bonus points for showing off. =)

Jeff Rensink - CCIE #24834 (Wireless, R&S)
Senior Technical Instructor - IPexpert

On Fri, Mar 1, 2013 at 8:47 AM, Keith Clarke <[email protected]> wrote:

> Hi all, first post, please go easy.
>
> I've been scouring the past threads and can't find an answer to the below.
> Couple of questions on ACS 5:
>
> (1) Do you need to create separate Service Selection Rules for types of
> authentication through ACS (Radius client auth via PEAP/EAP-TLS / Radius
> Admin, TACACS auth to multiple devices from multiple groups in ACS)?
>
> (2) If the answer to the above is no, then I take it you are not allowed
> to have anything broken at the end of the ACS configuration. In other words
> you can't push a rule above another just to test (as it breaks a previous
> auth).
>
> I have all the permutations I can think of working fine (RADIUS / TACACS)
> using the two default Service Selection Rules, just wondering if this would
> go against me in the real lab environment.
>
> Congrats to all who have passed, great achievement.
>
> Regards,
>
> Keith
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
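
Added example, not part of the original thread and not ACS code: a small Python model of first-match service selection that compares two protocol-only rules with the three-rule layout suggested in the reply, and shows how a broad rule moved to the top shadows the rules below it. The rule names, service names, the `service_type` condition and the sample requests are all constructed assumptions.

```python
# Toy model of first-match rule selection. Not ACS code: every rule name,
# service name and request field below is an assumption for illustration.

def select_service(rules, request, default=("Default", "DenyAccess")):
    """Return (rule, service) for the first rule whose conditions all match."""
    for name, conditions, service in rules:
        if all(request.get(k) == v for k, v in conditions.items()):
            return name, service
    return default

# Layout 1: two protocol-only rules, as the original poster describes using.
TWO_RULES = [
    ("Rule-1", {"protocol": "RADIUS"}, "Network-Access"),
    ("Rule-2", {"protocol": "TACACS+"}, "Device-Admin"),
]

# Layout 2: separate client RADIUS, management RADIUS and TACACS rules.
# "service_type" stands in for whatever condition separates the two RADIUS uses.
THREE_RULES = [
    ("Mgmt-RADIUS", {"protocol": "RADIUS", "service_type": "NAS-Prompt"}, "Mgmt-RADIUS-Svc"),
    ("Client-RADIUS", {"protocol": "RADIUS", "service_type": "Framed"}, "Client-RADIUS-Svc"),
    ("TACACS", {"protocol": "TACACS+"}, "Device-Admin"),
]

# Layout 3: a catch-all RADIUS rule pushed above the others "just to test".
BROAD_FIRST = [("Any-RADIUS", {"protocol": "RADIUS"}, "Client-RADIUS-Svc")] + THREE_RULES

# Constructed sample requests.
REQUESTS = {
    "wireless client": {"protocol": "RADIUS", "service_type": "Framed"},
    "controller admin login": {"protocol": "RADIUS", "service_type": "NAS-Prompt"},
    "switch admin login": {"protocol": "TACACS+"},
}

def evaluate(rules):
    """Map each sample request to the (rule, service) it lands on."""
    return {label: select_service(rules, req) for label, req in REQUESTS.items()}

def shadowed(rules):
    """Rules that none of the sample requests ever reaches."""
    hit = {rule for rule, _ in evaluate(rules).values()}
    return [name for name, _, _ in rules if name not in hit]

if __name__ == "__main__":
    for title, rules in [("two rules", TWO_RULES), ("three rules", THREE_RULES),
                         ("broad rule first", BROAD_FIRST)]:
        print(title, "| shadowed:", shadowed(rules))
        for label, (rule, svc) in evaluate(rules).items():
            print(f"  {label:24} -> {rule:14} {svc}")
```
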
