Solved: AAA question

maryodriscoll · ‎12-16-2008

I would like to use 2 different Tacacs Servers with 2 different keys on an AS5300. I can see that I can add as many Tacacs-servers as I want to a config but I seem to only be able to add in 1 key. Both Tacacs Servers are owned by 2 different 3rd party companies. Is it possible or can you only add 1 key to the router config?

Regards

Mary

cisco24x7 · ‎12-16-2008

Depend on version of IOS you use. With IOS

12.3 and higher, you can use different tacacs

keys as seen below on the 3640:

C3640#sh run | i tacacs-server

tacacs-server host 192.168.15.208 key 123456

tacacs-server host 192.168.3.10 key 12345678

tacacs-server directed-request

C3640#

View solution in original post

cisco24x7 · ‎12-16-2008

Depend on version of IOS you use. With IOS

12.3 and higher, you can use different tacacs

keys as seen below on the 3640:

C3640#sh run | i tacacs-server

tacacs-server host 192.168.15.208 key 123456

tacacs-server host 192.168.3.10 key 12345678

tacacs-server directed-request

C3640#

maryodriscoll · ‎12-17-2008

Hiya

Yes this does indeed work but I only want certain subnets to use tacacs server 1 and other subnets to use tacacs server 2 - I can't see a way of splitting this down on the IOS.

Regards

Mary

Collin Clark · ‎12-17-2008

I think you could create two different AAA groups. Each will query both TACACS servers, obviously failing on one but it should successful on the other and visa-versa. Actually one group should work, but you might want to split them up for clarification.

cisco24x7 · ‎12-17-2008

Is this something you've tried and it works

for you?

You can create multiple AAA groups on the

routers for multiple AAA groups but you can

only use them for AAA accounting purposes.

You can not use them for AAA authentication

purposes.