Community Member

Cisco IOS have more than 1 Tacacs Key?

Hello, I will be transitioning networks and currently my devices point to one tacacs server, but within a week I will be needing to point to a different server on a completely different network. The current network is running one key, and the network that I will be transitioning to runs a separate key. Can I plug in the new tacacs server config with the new key with no issues?

3 REPLIES
Community Member

Earlier this year I changed the tacacs configuration on a few thousand devices by replacing the tacacs configuration using CLI access and Cattools.  These are the commands I entered:

service password-encryption
no aaa new-model
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
no tacacs-server host X.X.X.X
!
tacacs-server host Y.Y.Y.Y
tacacs-server key NewKey123
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
line vty 5 15
 login authentication default

As far as multiple tacacs servers, you can use tacacs groups.  Here is a doc on that: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scftplus.html#wp1001230

HTH

Bronze

Hi TroyBrock,

The short answer is Yes, you can add the new tacacs server config with no serious issues.

You could also add the command "tacacs-server directed-request" to your config; this way you can control which tacacs-server you want to authenticate to.

So, your config could look something like this:

tacacs-server host 10.1.5.49 key cisco123       <---- your current server
tacacs-server host 10.4.1.17 key ACS5.5-2013    <---- your new server
tacacs-server directed-request

-> Notice they have different shared keys.

The router will use the first tacacs ip address that appears in the running config.

A quick debug confirms this:

*Mar  1 00:16:33.287: TPLUS: Queuing AAA Authentication request 5 for processing
*Mar  1 00:16:33.287: TPLUS: processing authentication start request id 5
*Mar  1 00:16:33.287: TPLUS: Authentication start packet created for 5()
*Mar  1 00:16:33.287: TPLUS: Using server 10.1.5.49
*Mar  1 00:16:33.295: TPLUS(00000005)/0: Connect Error No route to host
*Mar  1 00:16:33.299: TPLUS: Choosing next server 10.4.1.17
*Mar  1 00:16:33.299: TPLUS(00000005)/0: Connect Error No route to host

But in the case that you want to authenticate against the second tacacs server, you need to add a string to your login, like this: user@10.4.1.17. This will only work if you have "tacacs-server directed-request" in your config.

Authorization and accounting will also use the tacacs-server IP you specified by the above command.

Hope it helps.

cheers

Pierre
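A small added check for the migration discussed in this thread (example code written for this page, not from the thread or from Cisco; the running-config excerpt is constructed): it lists the tacacs-server hosts in the order they appear, resolves each one's effective key (a per-host key overrides the global tacacs-server key), and flags hosts with no key, mixed keys, and whether directed-request is on.

```python
import re

# Constructed running-config excerpt modelled on the thread (not from a real device)
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.1.5.49 key cisco123
tacacs-server host 10.4.1.17 key ACS5.5-2013
tacacs-server host 10.9.9.9
tacacs-server key OldGlobalKey
tacacs-server directed-request
"""

# Optional "0"/"7" before the key is the IOS encryption-type marker
HOST_RE = re.compile(r"^tacacs-server host (\S+)(?:.*?\bkey (?:[07] )?(\S+))?")
GLOBAL_KEY_RE = re.compile(r"^tacacs-server key (?:[07] )?(\S+)")

def audit_tacacs(config):
    """List tacacs-server hosts in config order and resolve each one's effective key."""
    servers, global_key, directed = [], None, False
    for line in config.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            servers.append({"host": m.group(1), "key": m.group(2)})
        elif GLOBAL_KEY_RE.match(line):
            global_key = GLOBAL_KEY_RE.match(line).group(1)
        elif line == "tacacs-server directed-request":
            directed = True
    for s in servers:
        # A per-host key overrides the global tacacs-server key
        s["effective_key"] = s["key"] or global_key
        s["key_source"] = "per-host" if s["key"] else ("global" if global_key else None)
    return {"order": servers, "directed_request": directed}

def findings(report):
    """Migration checks: missing keys, mixed keys, and directed-request in play."""
    notes = []
    for s in report["order"]:
        if s["effective_key"] is None:
            notes.append(f"{s['host']}: no per-host or global key, authentication will fail")
    if len({s["effective_key"] for s in report["order"]}) > 1:
        notes.append("servers use different keys; verify each matches its server before cutover")
    if report["directed_request"]:
        notes.append("directed-request on: user@host in the login selects the server, bypassing config order")
    return notes

if __name__ == "__main__":
    report = audit_tacacs(SAMPLE_CONFIG)
    print(*[f"{s['host']} -> {s['effective_key']} ({s['key_source']})" for s in report["order"]], *findings(report), sep="\n")
```

Paste the output of "show running-config | include tacacs-server" into SAMPLE_CONFIG to run it against a real device's config.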

Cisco Employee

TACACS+ Server Group Example

The following example shows how to create a server group with three different TACACS+ server members:

aaa group server tacacs tacgroup1
server 172.16.1.1 
server 172.16.1.21 