AAA question

Answered Question
Dec 16th, 2008

I would like to use 2 different Tacacs Servers with 2 different keys on an AS5300. I can see that I can add as many Tacacs-servers as I want to a config but I seem to only be able to add in 1 key. Both Tacacs Servers are owned by 2 different 3rd party companies. Is it possible or can you only add 1 key to the router config?

Regards

Mary

Correct Answer
cisco24x7 Tue, 12/16/2008 - 09:40

Depends on the version of IOS you use. With IOS 12.3 and higher, you can use different tacacs keys as seen below on the 3640:

C3640#sh run | i tacacs-server
tacacs-server host 192.168.15.208 key 123456
tacacs-server host 192.168.3.10 key 12345678
tacacs-server directed-request
C3640#
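
As an added illustration (not part of the original thread, and not Cisco code), the Python script below parses `sh run | i tacacs-server` output like the answer's and reports, for each server, whether it has its own key or falls back to a global `tacacs-server key`, and whether that key sits in the config in cleartext. The third host, the global key line and its type 7 value are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample: the two host lines from the answer above, plus a
# hypothetical third host with no key of its own and a hypothetical global key.
SAMPLE_CONFIG = """\
tacacs-server host 192.168.15.208 key 123456
tacacs-server host 192.168.3.10 key 12345678
tacacs-server host 192.0.2.50 timeout 5
tacacs-server key 7 0822455D0A16
tacacs-server directed-request
"""

HOST_RE = re.compile(r"^tacacs-server host (\S+)(.*)$")
# The key is the last option on the line; a leading 0 or 7 gives its type.
KEY_RE = re.compile(r"(?:^|\s)key\s+(?:([07])\s+)?(\S.*)$")


def parse_key(text):
    """Return {'type', 'value'} for a 'key ...' option, or None if absent."""
    m = KEY_RE.search(text)
    if not m:
        return None
    return {"type": m.group(1) or "0", "value": m.group(2).strip()}


def audit(config):
    """Resolve the key each TACACS+ server uses and how it is stored."""
    hosts, global_key = [], None
    for line in map(str.strip, config.splitlines()):
        m = HOST_RE.match(line)
        if m:
            hosts.append((m.group(1), parse_key(m.group(2))))
        elif line.startswith("tacacs-server key "):
            global_key = parse_key(line[len("tacacs-server"):])
    report = []
    for server, key in hosts:
        effective = key or global_key
        source = "per-host" if key else ("global" if global_key else "none")
        report.append({
            "server": server,
            "source": source,
            # Type 0 (or no type digit) means the secret is readable in the config.
            "cleartext": bool(effective) and effective["type"] == "0",
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(row)
```

On the sample, both servers from the answer are reported as using per-host cleartext keys, while the constructed third host inherits the global type 7 key.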

maryodriscoll Wed, 12/17/2008 - 06:21

Hiya

Yes this does indeed work but I only want certain subnets to use tacacs server 1 and other subnets to use tacacs server 2 - I can't see a way of splitting this down on the IOS.

Regards

Mary

Collin Clark Wed, 12/17/2008 - 07:06

I think you could create two different AAA groups. Each will query both TACACS servers, obviously failing on one but it should be successful on the other and vice versa. Actually one group should work, but you might want to split them up for clarification.

cisco24x7 Wed, 12/17/2008 - 07:41

Is this something you've tried and it works for you?

You can create multiple AAA groups on the routers for multiple AAA groups but you can only use them for AAA accounting purposes. You can not use them for AAA authentication purposes.
