06-20-2007 11:41 PM - edited 03-10-2019 03:13 PM
SCENARIO:
2 Cisco Secure ACS are configured to authenticate user logon to Active Directory.
The TACACS servers are configured in IOS
tacacs-server host 10.30.18.24
tacacs-server host 10.30.18.25
PROBLEM:
When the primary tacacs server 10.30.18.24 failed to validate user logon, we were logged out from the router. Then I tried to switch the order of the TACACS servers in the router config, i.e.
tacacs-server host 10.30.18.25
tacacs-server host 10.30.18.24
and then we were granted access. Can anyone explain why 10.30.18.25 did not take over user validation in the first place?
Regards
Simon
06-21-2007 03:49 AM
Hi Simon,
The reason for that is that there are some conditions that must be satisfied before the device tries to contact the second server in the config.
If you turn on
debug aaa authentication
then you'll get 3 kinds of responses.
- PASS
- FAIL
- ERROR
PASS -> Needs no explanation.
FAIL -> The authentication server was available but the server rejected the request for the user for some reason.
ERROR -> There was no response from the authentication server. Probably it's not reachable.
ERROR is the only condition under which it will try to contact the next server defined in your configuration.
So this could be the probable reason why it never went to .25 when .25 was second and .24 was first: .24 was still reachable and returned FAIL for the authenticating user.
Regards,
Prem
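The behaviour Prem describes, as an added example that is not part of the original thread and not Cisco's code: a small model of how IOS walks a TACACS+ server list, where only an ERROR (no reply) moves on to the next host, and a FAIL from a reachable server is final. The same rule applies one level up to an `aaa authentication login` method list (e.g. `group tacacs+` followed by `local`): the next method is only consulted after ERROR. The two servers use the addresses from the post; the verdict each one returns for the user `simon` is a constructed assumption chosen to reproduce the symptom (.24 reachable but rejecting the user, .25 accepting), not something the thread states.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Trail = List[Tuple[str, str]]


@dataclass
class TacacsServer:
    """Constructed stand-in for one ACS host. 'users' maps a username to the
    verdict that host would return; unknown users are rejected (FAIL)."""
    host: str
    reachable: bool = True
    users: Dict[str, str] = field(default_factory=dict)

    def authenticate(self, user: str) -> str:
        if not self.reachable:
            return ERROR              # timed out / unreachable: no verdict at all
        return self.users.get(user, FAIL)


def authenticate_via_group(servers: List[TacacsServer], user: str) -> Tuple[str, Trail]:
    """Walk the servers in configured order (the order of the
    'tacacs-server host' lines). Only ERROR moves on to the next host;
    PASS or FAIL from a reachable server ends the walk."""
    trail: Trail = []
    for srv in servers:
        verdict = srv.authenticate(user)
        trail.append((srv.host, verdict))
        if verdict != ERROR:
            return verdict, trail
    return ERROR, trail


def authenticate_via_method_list(methods: List[Tuple[str, Callable[[str], str]]],
                                 user: str) -> Tuple[str, Trail]:
    """Same rule for an 'aaa authentication login' method list: the next
    method (e.g. 'local' after 'group tacacs+') is tried only after ERROR."""
    trail: Trail = []
    for name, method in methods:
        verdict = method(user)
        trail.append((name, verdict))
        if verdict != ERROR:
            return verdict, trail
    return ERROR, trail


# Constructed scenario (assumption): .24 answers but rejects 'simon',
# .25 answers and accepts him. The post does not say why .24 rejected him.
def build_servers(primary_reachable: bool = True) -> Dict[str, TacacsServer]:
    return {
        "10.30.18.24": TacacsServer("10.30.18.24", primary_reachable, {"simon": FAIL}),
        "10.30.18.25": TacacsServer("10.30.18.25", True, {"simon": PASS}),
    }


def run_scenario(order: List[str], primary_reachable: bool = True,
                 user: str = "simon") -> Tuple[str, Trail]:
    """Authenticate 'user' against the hosts listed in 'order'."""
    servers = build_servers(primary_reachable)
    return authenticate_via_group([servers[h] for h in order], user)


def login_with_local_fallback(order: List[str], primary_reachable: bool = True,
                              user: str = "simon") -> Tuple[str, Trail]:
    """'aaa authentication login default group tacacs+ local' modelled with
    a constructed local account for 'simon'."""
    servers = build_servers(primary_reachable)
    local_accounts = {"simon": PASS}

    def tacacs_group(u: str) -> str:
        return authenticate_via_group([servers[h] for h in order], u)[0]

    def local(u: str) -> str:
        return local_accounts.get(u, FAIL)

    return authenticate_via_method_list([("group tacacs+", tacacs_group),
                                         ("local", local)], user)


if __name__ == "__main__":
    print("original order :", run_scenario(["10.30.18.24", "10.30.18.25"]))
    print("swapped order  :", run_scenario(["10.30.18.25", "10.30.18.24"]))
    print(".24 unreachable:", run_scenario(["10.30.18.24", "10.30.18.25"], False))
    print("local fallback :", login_with_local_fallback(["10.30.18.24", "10.30.18.25"]))
```

Running it shows the three cases side by side: with .24 first the walk stops at `('10.30.18.24', 'FAIL')` and .25 is never asked; with the order swapped .25 answers PASS; only when .24 is unreachable (ERROR) does the walk continue to .25. The last line shows the same trap with a `local` fallback method: it is not consulted after a TACACS+ FAIL either, so a reachable server that rejects the user locks you out even with `local` configured.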
06-21-2007 04:48 AM
Thanks Prem for this useful answer.
Regards,
Simon