Hello, I will be transitioning networks and currently my devices point to one tacacs server, but within a week I will be needing to point to a different server on a completely different network. The current network is running one key, and the network that I will be transitioning to runs a separate key. Can I plug in the new tacacs server config with the new key with no issues?
The short answer is Yes, you can add the new tacacs server config with no serious issues.
You could also add the command "tacacs-server directed-request" to your config, and this way you can control which tacacs-server you want to authenticate to.
So, your config could look something like this:
tacacs-server host 10.1.5.49 key cisco123 <---- your current server
tacacs-server host 10.4.1.17 key ACS5.5-2013 <---- your new server
tacacs-server directed-request
-> notice they have different shared keys.
The router will use the first tacacs ip address that appears in the running config.
A quick debug confirms this:
*Mar 1 00:16:33.287: TPLUS: Queuing AAA Authentication request 5 for processing
*Mar 1 00:16:33.287: TPLUS: processing authentication start request id 5
*Mar 1 00:16:33.287: TPLUS: Authentication start packet created for 5()
*Mar 1 00:16:33.287: TPLUS: Using server 10.1.5.49
*Mar 1 00:16:33.295: TPLUS(00000005)/0: Connect Error No route to host
*Mar 1 00:16:33.299: TPLUS: Choosing next server 10.4.1.17
*Mar 1 00:16:33.299: TPLUS(00000005)/0: Connect Error No route to host
But in the case that you want to authenticate against the second tacacs server, you need to add a string to your login. Like this: email@example.com. This will only work if you have the "tacacs-server directed-request" in your config.
Authorization and accounting will also use this tacacs-server ip you specified by the above command.
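An added example, not part of the original post: a Python sketch that reads TPLUS debug output like the lines in the answer above and reports, per AAA request, which servers the device tried and in what order, so the failover order can be checked during the migration. The function names are hypothetical, and it assumes requests are not interleaved in the capture.

```python
import re

# Debug lines taken from the post above, one message per line.
SAMPLE_DEBUG = """\
*Mar 1 00:16:33.287: TPLUS: Queuing AAA Authentication request 5 for processing
*Mar 1 00:16:33.287: TPLUS: processing authentication start request id 5
*Mar 1 00:16:33.287: TPLUS: Authentication start packet created for 5()
*Mar 1 00:16:33.287: TPLUS: Using server 10.1.5.49
*Mar 1 00:16:33.295: TPLUS(00000005)/0: Connect Error No route to host
*Mar 1 00:16:33.299: TPLUS: Choosing next server 10.4.1.17
*Mar 1 00:16:33.299: TPLUS(00000005)/0: Connect Error No route to host
"""

REQUEST = re.compile(r"TPLUS: Queuing AAA \w+ request (\d+) for processing")
SERVER = re.compile(r"TPLUS: (?:Using|Choosing next) server (\d{1,3}(?:\.\d{1,3}){3})")
ERROR = re.compile(r"TPLUS\(\w+\)/\d+: Connect Error (.+)$")


def server_attempts(debug_text):
    """Return {request_id: [(server_ip, error_or_None), ...]} in the order tried."""
    attempts = {}
    current = None  # request id the following lines belong to (assumes no interleaving)
    for line in debug_text.splitlines():
        if m := REQUEST.search(line):
            current = m.group(1)
            attempts[current] = []
        elif m := SERVER.search(line):
            if current is None:  # capture started in the middle of a request
                current = "unknown"
                attempts.setdefault(current, [])
            attempts[current].append((m.group(1), None))
        elif (m := ERROR.search(line)) and current in attempts and attempts[current]:
            # A connect error belongs to the server selected most recently.
            ip, _ = attempts[current][-1]
            attempts[current][-1] = (ip, m.group(1).strip())
    return attempts


def unreachable_servers(attempts):
    """Sorted list of servers that returned a connect error in any request."""
    return sorted({ip for tries in attempts.values() for ip, err in tries if err})


if __name__ == "__main__":
    for req, tries in server_attempts(SAMPLE_DEBUG).items():
        for position, (ip, err) in enumerate(tries, start=1):
            print(f"request {req}: attempt {position} -> {ip} ({err or 'no connect error'})")
```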