2 tacacs

Answered Question
Apr 30th, 2008

Hello

Suppose I configured 2 aaa authentication login methods: one for dialup users and the second for telnet from network administrator:

aaa authentication login default group tacacs+ local

aaa authentication login whoisit group tacacs+ local enable


And suppose we will use 2 tacacs servers: one for each method.

Is it possible to map each authentication method to one tacacs server?

I don't think so, because when defining the tacacs server there is no keyword to specify the aaa method.

Any idea?

Overall Rating: 4 (2 ratings)

Correct Answer
mohammedmahmoud Wed, 04/30/2008 - 03:17

Hi Oussama,


Yes, you can use server-group:


aaa group server tacacs+ group1
 server 1.1.1.1
!
aaa authentication login test1 group group1 local

tacacs-server host 1.1.1.1 key cisco


BR,

Mohammed Mahmoud.

Richard Burts Wed, 04/30/2008 - 08:11

Oussama


Mohammed is quite correct. I have done exactly what you are asking about to configure a router to support dial up users and to configure aaa authentication so that dial up users authenticate with one TACACS server and the administrative (telnet) users authenticate with a different server. The ability to configure server groups makes this possible. And it works very well.


In my implementation I found it easier to let the dial users use the default authentication method (with one server group) and to specify a named method for the administrative users (with a different server group).


HTH


Rick
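
The arrangement described in the reply above, written out in full as an added example (it is not configuration posted by anyone in this thread). The server addresses, group names, local username and keys are placeholders chosen for illustration; only the list name whoisit comes from the question.

```cisco-ios
! Constructed example: addresses, group names, username and keys are placeholders.
aaa new-model
!
! One TACACS+ server per user population (192.0.2.0/24 is a documentation range).
tacacs-server host 192.0.2.10 key <DIAL-SERVER-KEY>
tacacs-server host 192.0.2.20 key <ADMIN-SERVER-KEY>
!
! Each group contains only the server that should answer for that population.
aaa group server tacacs+ dial-servers
 server 192.0.2.10
!
aaa group server tacacs+ admin-servers
 server 192.0.2.20
!
! Local account so the "local" fallback has something to check against.
username localadmin secret <LOCAL-PASSWORD>
!
! Dial users: the default list, used on every line that has no named list applied.
! "local" is tried only when the server group does not respond, not when it
! rejects the login.
aaa authentication login default group dial-servers local
!
! Administrators: the named list from the question, pointed at its own group.
aaa authentication login whoisit group admin-servers local enable
!
! A named list takes effect only where it is applied. A vty line without this
! command uses "default" and would send administrator logins to the dial server.
line vty 0 4
 login authentication whoisit
```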

ohassairi Wed, 04/30/2008 - 21:19

Hi Rick


That's exactly what I will do: dial users use the default authentication method and administrators use another one.


Thanks

ohassairi Wed, 04/30/2008 - 21:16

Thanks Mohammed. You usually have the solutions to my problems :-)

mohammedmahmoud Thu, 05/01/2008 - 03:52

Hi Oussama,


You are very welcome :), and thank you for the rating.


BR,

Mohammed Mahmoud.
