Can Cisco IOS have more than 1 Tacacs Key?

michael brock
Level 1

Hello, I will be transitioning networks and currently my devices point to one tacacs server, but within a week I will be needing to point to a different server on a completely different network. The current network is running one key, and the network that I will be transitioning to runs a separate key. Can I plug in the new tacacs server config with the new key with no issues?

3 Replies

tjmaurin
Level 1

Earlier this year I changed the tacacs configuration on a few thousand devices by replacing the tacacs configuration using CLI access and Cattools.  These are the commands I entered:

service password-encryption
no aaa new-model
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
no tacacs-server host X.X.X.X
!
tacacs-server host Y.Y.Y.Y
tacacs-server key NewKey123
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
line vty 5 15
 login authentication default

As far as multiple tacacs servers, you can use tacacs groups.  Here is a doc on that: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scftplus.html#wp1001230

HTH
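
As an added illustration (not tjmaurin's code, not Cattools, not anything from Cisco), here is a small Python pre-push check that lints a CLI batch like the one above for the mistakes that lock administrators out of a device during a TACACS+ migration: AAA left disabled by a mis-ordered `no aaa new-model`, a default login list without `local` fallback, the new host configured without any key, or the old host left in place. The function names, both sample batches and the placeholder hosts X.X.X.X / Y.Y.Y.Y are constructed for the example; the "good" batch is a shortened copy of the one in the post.

```python
# Pre-push lint for a TACACS+ migration batch (constructed example).

# Constructed sample: a shortened copy of the batch in the post above, placeholders kept as-is.
GOOD_BATCH = """
service password-encryption
no aaa new-model
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
!
no tacacs-server host X.X.X.X
tacacs-server host Y.Y.Y.Y
tacacs-server key NewKey123
!
line vty 0 4
 login authentication default
"""

# Constructed counter-example: a batch that would strand the device on a server it cannot talk to.
BAD_BATCH = """
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host Y.Y.Y.Y
line vty 0 4
 login authentication default
"""


def _commands(batch):
    """Strip indentation, blank lines and '!' separators; keep command order."""
    out = []
    for raw in batch.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            out.append(line)
    return out


def check_tacacs_batch(batch, old_host, new_host):
    """Return a list of findings; an empty list means the batch passes every check."""
    cmds = _commands(batch)
    findings = []

    # 1. AAA must end up enabled: 'no aaa new-model' must precede, not follow, 'aaa new-model'.
    if "aaa new-model" not in cmds:
        findings.append("'aaa new-model' missing: the method lists below would be rejected")
    elif "no aaa new-model" in cmds and cmds.index("no aaa new-model") > cmds.index("aaa new-model"):
        findings.append("'no aaa new-model' comes after 'aaa new-model': AAA would be left disabled")

    # 2. The default login list must keep a local fallback for when TACACS+ is unreachable.
    logins = [c for c in cmds if c.startswith("aaa authentication login default ")]
    if not logins:
        findings.append("no 'aaa authentication login default' list")
    else:
        methods = logins[-1].split()[4:]  # everything after 'aaa authentication login default'
        if "local" not in methods:
            findings.append("default login list has no 'local' fallback: a TACACS+ outage locks out vty/console")

    # 3. The new host needs a key, either on its own 'tacacs-server host ... key' line or globally.
    hosts = {}
    for c in cmds:
        if c.startswith("tacacs-server host "):
            parts = c.split()
            hosts[parts[2]] = "key" in parts[3:]
    global_key = any(c.startswith("tacacs-server key ") for c in cmds)
    if new_host not in hosts:
        findings.append(f"new server {new_host} is not configured")
    elif not hosts[new_host] and not global_key:
        findings.append(f"no key for {new_host}: neither per-host 'key' nor global 'tacacs-server key'")

    # 4. The old host should be removed; otherwise it stays ahead of the new one and is tried first.
    if f"no tacacs-server host {old_host}" not in cmds:
        findings.append(f"old server {old_host} is not removed: it would still be tried first")

    return findings


if __name__ == "__main__":
    for name, batch in (("good", GOOD_BATCH), ("bad", BAD_BATCH)):
        print(name, check_tacacs_batch(batch, "X.X.X.X", "Y.Y.Y.Y") or ["OK"])
```

Run stand-alone it reports nothing for the post's batch and three findings for the counter-example. The checks are deliberately textual (no IOS parser): a batch that is pushed to thousands of devices should fail fast on the obvious lockout conditions before the first device sees it.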

pvanvuuren
Level 3

Hi TroyBrock

The short answer is Yes, you can add the new tacacs server config with no serious issues.

You could also add the command "tacacs-server directed-request" to your config, and this way you can control which tacacs-server you want to authenticate to.

So, your config could look something like this:

tacacs-server host 10.1.5.49 key cisco123        <---- your current server
tacacs-server host 10.4.1.17 key ACS5.5-2013     <---- your new server
tacacs-server directed-request

-> notice they have different shared keys.

The router will use the first tacacs ip address that appears in the running config.

A quick debug confirms this:

*Mar  1 00:16:33.287: TPLUS: Queuing AAA Authentication request 5 for processing
*Mar  1 00:16:33.287: TPLUS: processing authentication start request id 5
*Mar  1 00:16:33.287: TPLUS: Authentication start packet created for 5()
*Mar  1 00:16:33.287: TPLUS: Using server 10.1.5.49
*Mar  1 00:16:33.295: TPLUS(00000005)/0: Connect Error No route to host
*Mar  1 00:16:33.299: TPLUS: Choosing next server 10.4.1.17
*Mar  1 00:16:33.299: TPLUS(00000005)/0: Connect Error No route to host

But in the case that you want to authenticate against the second tacacs server, you need to add a string to your login, like this: user@10.4.1.17. This will only work if you have "tacacs-server directed-request" in your config.

Authorization and accounting will also use the tacacs-server IP you specified by the above command.

Hope it helps.

cheers

Pierre
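
Added illustration, not Pierre's code and not Cisco's: why the per-host keys in the config above have to match on each end. TACACS+ (RFC 8907) does not encrypt the packet body with the shared key; it XORs the body with an MD5 pseudo-pad derived from the session id, the key, the version byte and the sequence number, and the 12-byte header travels in the clear. A receiver holding a different key therefore recovers a body whose field lengths do not add up. The function names, the session id and the user/port/remote-address values are constructed for the example; the two keys are the ones from the config above.

```python
import hashlib
import struct

# Constants from RFC 8907 (TACACS+). Header: version, type, seq_no, flags, session_id, length.
TAC_PLUS_VERSION = 0xC0           # major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")  # 12 bytes, always cleartext

# Constructed example: the per-host keys from the config in the post above.
SERVER_KEYS = {"10.1.5.49": b"cisco123", "10.4.1.17": b"ACS5.5-2013"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. Symmetric: the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1, data=b""):
    """Authentication START body (RFC 8907 section 5.1): 8 fixed bytes, then the fields."""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def encode_packet(body, session_id, key, seq_no=1):
    """Cleartext header followed by the obfuscated body, as the device puts it on the wire."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def decode_packet(packet, key):
    """De-obfuscate with the key the receiver holds; version, seq_no and session_id come from the header."""
    version, _ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(body):
    """Parse a START body; raise ValueError when the field lengths are inconsistent,
    which is what a server keyed differently from the sender sees."""
    if len(body) < 8:
        raise ValueError("short body")
    action, priv_lvl, atype, _svc, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if action != TAC_PLUS_AUTHEN_LOGIN or atype != TAC_PLUS_AUTHEN_TYPE_ASCII:
        raise ValueError("not a LOGIN/ASCII START (key mismatch?)")
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("field lengths inconsistent with body length (key mismatch?)")
    off = 8
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr = body[off:off + rlen]
    return {"user": user.decode("ascii"), "port": port.decode("ascii"),
            "rem_addr": rem_addr.decode("ascii"), "priv_lvl": priv_lvl}


def server_accepts(packet, server_key):
    """True only when the receiver's key recovers a well-formed START body."""
    try:
        parse_authen_start(decode_packet(packet, server_key))
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    body = build_authen_start(b"alice", b"tty1", b"192.0.2.10")
    for target, key in SERVER_KEYS.items():
        pkt = encode_packet(body, session_id=0x1234ABCD, key=key)
        for ip, server_key in SERVER_KEYS.items():
            print(f"built for {target}, received by {ip}: accepted={server_accepts(pkt, server_key)}")
```

Run stand-alone it prints a 2x2 matrix in which only the pairs that share a key come out accepted. Two things follow for the migration: a key mismatch is invisible at the transport level (the TCP connection succeeds and the header is intact, only the body fails to decode), so the connect-error debug above cannot reveal a wrong key; and because RFC 8907 calls this obfuscation rather than encryption, the path from device to server is expected to be a trusted one regardless of how many keys are in play.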
mohanak
Cisco Employee

TACACS+ Server Group Example

The following example shows how to create a server group with three different TACACS+ server members:

aaa group server tacacs tacgroup1
server 172.16.1.1
server 172.16.1.21