Cisco Support Community
How to use 2 AAA server for different login purpose

Hello, could you help me?

This is a part of my configuration; I would like to add another TACACS server, which should take care of the telnet at vty 0 4.

The TACACS server 10.20.30.40 takes care of the virtual access, and I have another TACACS server that takes care of login on our network equipment.

! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
!
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login no_tacacs enable
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
virtual-profile virtual-template 1
virtual-profile aaa
!
interface Serial2/0:15
 description ISDN30
 no ip address
 encapsulation ppp
 no ip route-cache
 no keepalive
 dialer pool-member 10
 isdn switch-type primary-net5
 isdn tei-negotiation first-call
 isdn caller xxxxxxx
 no fair-queue
 compress stac
 no cdp enable
 ppp authentication chap
 ppp multilink
!
interface Virtual-Template1
 ip unnumbered FastEthernet1/0
 ip nat outside
 ppp authentication chap
!
tacacs-server host 10.20.30.40 key ********
!
line con 0
 exec-timeout 20 0
 password ************
 login authentication no_tacacs
 transport input none
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 1 in
 exec-timeout 60 0
 password *************
 login authentication no_tacacs
 transport input telnet
 transport output telnet

If I just add

aaa authentication login vtymethod group tacacs+ enable
tacacs-server host 10.50.60.70 key ********
line vty 0 4
 login authentication vtymethod

my telnet request asks 10.20.30.40 and I get a deny! Could you help me to make a secure solution?

Thanks

Accepted Solutions
Re: How to use 2 AAA server for different login purpose

Jens

I believe that your solution would be to configure a different tacacs server group with the new server in the new group and to use the new group to authenticate for your vty. The config might look something like this:

aaa group server tacacs+ vty_TAC
 server 10.50.60.70
aaa authentication login vtymethod group vty_TAC enable
tacacs-server host 10.50.60.70 key ********

I have configured this type of thing and it worked well. When I configured it I explicitly configured (and named) two different TACACS server groups and referenced specific server groups for each authentication method. I am not clear whether it works to keep the default group tacacs+ and use it for your normal authentication or whether you may need to configure a non-default group for it.

Give it a try and let us know what happens.

HTH

Rick
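As an added example that is not part of the thread, a small Python resolver that works out which TACACS+ servers a login on a given line is sent to. The config fragments are constructed here, modelled on the question and on Rick's fix; the built-in tacacs+ group is treated as every tacacs-server host in configuration order, which is why the original vtymethod list reached 10.20.30.40 first.

```python
import re

# Constructed sample (not from the post): the asker's attempt, where the new
# vtymethod list still points at the built-in "tacacs+" group, i.e. every host.
BEFORE = """
aaa authentication login default group tacacs+
aaa authentication login vtymethod group tacacs+ enable
tacacs-server host 10.20.30.40 key secret1
tacacs-server host 10.50.60.70 key secret2
line vty 0 4
 login authentication vtymethod
"""
# Rick's fix: a named group holding only the new server, referenced by vtymethod.
AFTER = BEFORE.replace("group tacacs+ enable", "group vty_TAC enable") + \
    "aaa group server tacacs+ vty_TAC\n server 10.50.60.70\n"

def parse(cfg):
    """Collect named server groups, login method lists, per-line lists and global hosts."""
    groups, lists, lines, hosts, section = {}, {}, {}, [], None
    for raw in filter(str.strip, cfg.splitlines()):
        line = raw.strip()
        if not raw.startswith(" "):
            section = None            # back at global configuration level
        if m := re.match(r"aaa group server tacacs\+ (\S+)$", line):
            section, groups[m[1]] = ("group", m[1]), []
        elif m := re.match(r"tacacs-server host (\S+)", line):
            hosts.append(m[1])
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            lists[m[1]] = m[2].split()
        elif m := re.match(r"line (.+)", line):
            section, lines[m[1]] = ("line", m[1]), "default"
        elif section and section[0] == "group" and (m := re.match(r"server (\S+)", line)):
            groups[section[1]].append(m[1])
        elif section and section[0] == "line" and (m := re.match(r"login authentication (\S+)", line)):
            lines[section[1]] = m[1]
    return groups, lists, lines, hosts

def tacacs_servers_for_line(cfg, line_name):
    """Ordered TACACS+ servers a login on `line_name` is sent to."""
    groups, lists, lines, hosts = parse(cfg)
    methods = lists.get(lines.get(line_name, "default"), [])
    servers, i = [], 0
    while i < len(methods):
        if methods[i] == "group":
            i += 1
            # the built-in "tacacs+" group is every tacacs-server host, in config order
            servers += hosts if methods[i] == "tacacs+" else groups.get(methods[i], [])
        i += 1
    return servers
```

Running it against BEFORE shows vty logins hitting 10.20.30.40 before 10.50.60.70; against AFTER only 10.50.60.70 is consulted, while lines left on the default list still use the original server.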
