How to use 2 AAA server for different login purpose

Answered Question
Oct 19th, 2007

Hello, could you help me?


This is a part of my configuration; I would like to add another TACACS server, which should take care of the telnet at vty 0 4.


The TACACS server 10.20.30.40 takes care of the virtual access, and I have another TACACS server that takes care of login on our network equipment.



! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
!
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login no_tacacs enable
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
virtual-profile virtual-template 1
virtual-profile aaa
!
interface Serial2/0:15
 description ISDN30
 no ip address
 encapsulation ppp
 no ip route-cache
 no keepalive
 dialer pool-member 10
 isdn switch-type primary-net5
 isdn tei-negotiation first-call
 isdn caller xxxxxxx
 no fair-queue
 compress stac
 no cdp enable
 ppp authentication chap
 ppp multilink
!
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 ip nat outside
 ppp authentication chap
!
tacacs-server host 10.20.30.40 key ********
!
line con 0
 exec-timeout 20 0
 password ************
 login authentication no_tacacs
 transport input none
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 1 in
 exec-timeout 60 0
 password *************
 login authentication no_tacacs
 transport input telnet
 transport output telnet


If I just add


aaa authentication login vtymethod group tacacs+ enable
tacacs-server host 10.50.60.70 key ********
line vty 0 4
 login authentication vtymethod


my telnet request asks 10.20.30.40 and I get a deny! Could you help me make a secure solution?


Thanks


Correct Answer by Richard Burts, Fri, 10/19/2007 - 06:47

Jens


I believe that your solution would be to configure a different tacacs server group with the new server in the new group and to use the new group to authenticate for your vty. The config might look something like this:

aaa group server tacacs+ vty_TAC
 server 10.50.60.70
aaa authentication login vtymethod group vty_TAC enable
tacacs-server host 10.50.60.70 key ********


I have configured this type of thing and it worked well. When I configured it I explicitly configured (and named) two different TACACS server groups and referenced specific server groups for each authentication method. I am not clear whether it works to keep the default group tacacs+ and use it for your normal authentication or whether you may need to configure a non-default group for it.


Give it a try and let us know what happens.


HTH


Rick

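Two points explain what Jens saw and round out Rick's answer. First, the keyword group tacacs+ in a method list means "every tacacs-server host configured globally, in the order configured", so adding a second tacacs-server host only made 10.50.60.70 the second member of that built-in group; vtymethod still asked 10.20.30.40 first. Second, IOS only moves on to the next server, or to the next method such as enable, when a server does not answer at all; an explicit reject from the first server is final, which is why the result was a deny rather than a fallthrough. The same applies to authorization: as long as the vty lines keep using the default exec authorization list, a user accepted by 10.50.60.70 would still have the exec authorization request sent to 10.20.30.40. The following is an added example, not configuration from Jens's router or from Rick's reply; the group names DIALIN_TAC and VTY_TAC and the list names vtymethod, vtyauthz and vtyacct are assumptions chosen for illustration, and the keys are placeholders.

```ios
! Added example: one named TACACS+ server group per purpose, and a named
! method list for every AAA operation the vty lines perform. Names are assumed.
aaa new-model
!
! Existing server, used for the dial-in / virtual-access users
aaa group server tacacs+ DIALIN_TAC
 server 10.20.30.40
!
! New server, used for administrative logins on the network equipment
aaa group server tacacs+ VTY_TAC
 server 10.50.60.70
!
! Dial-in side: PPP authentication, network authorization and accounting
! stay on the dial-in group. "login default" still covers line aux 0,
! which has no explicit login authentication statement.
aaa authentication login default group DIALIN_TAC
aaa authentication ppp default group DIALIN_TAC
aaa authorization exec default group DIALIN_TAC
aaa authorization network default group DIALIN_TAC
aaa accounting exec default start-stop group DIALIN_TAC
aaa accounting network default start-stop group DIALIN_TAC
aaa accounting connection default start-stop group DIALIN_TAC
!
! Admin side: login, exec authorization and exec accounting all go to VTY_TAC.
! "enable" and "if-authenticated" are reached only when no server in the
! group responds; a reject from 10.50.60.70 is final.
aaa authentication login vtymethod group VTY_TAC enable
aaa authorization exec vtyauthz group VTY_TAC if-authenticated
aaa accounting exec vtyacct start-stop group VTY_TAC
!
! Console keeps the local enable fallback from the original configuration
aaa authentication login no_tacacs enable
!
tacacs-server host 10.20.30.40 key ********
tacacs-server host 10.50.60.70 key ********
!
line con 0
 login authentication no_tacacs
line vty 0 4
 access-class 1 in
 exec-timeout 60 0
 login authentication vtymethod
 authorization exec vtyauthz
 accounting exec vtyacct
 transport input telnet
 transport output telnet
```

The enable fallback means the enable secret is the only thing standing between an attacker and the router whenever 10.50.60.70 is unreachable, so keep it strong and make sure it is an enable secret rather than an enable password. The line password statements on con 0 and vty 0 4 in the original configuration are not consulted by any of these method lists and can be removed. To watch the router pick the group, run debug aaa authentication, debug aaa authorization and debug tacacs while logging in over telnet; show tacacs shows the per-host request and failure counters. Because the vty lines carry telnet, the TACACS username and password cross the network in cleartext, so restrict access-class 1 to the management hosts and move to SSH where the image supports it.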