Secondary TACACS server

ttran01 (Level 1)

I need some assistance on configuring a secondary TACACS server. I have a primary and secondary server. I would like AAA requests send to the secondary server whenever the primary is either down or the service on the primary has stopped. Any ideas?

Accepted Solution

pvanvuuren (Level 3)

You can consider two methods:

The old school one like this -

aaa new-model
aaa authentication login default group tacacs+ local
!
tacacs-server host 10.1.122.11
tacacs-server host 10.2.32.13
tacacs-server key abcdef

or, try a group method like this:

aaa new-model
aaa group server tacacs+ ABCGROUP
 server 10.1.1.5
 server 10.1.1.13
!
aaa authentication login default group ABCGROUP line
!
tacacs-server host 10.1.1.5
tacacs-server host 10.1.1.13
tacacs-server key abcdef
!

Because the shared key (secret) cannot be configured in the group config you must define those tacacs servers again at the end of the config.

!

Make sure you have connectivity to both before testing. Stop the service on your primary ACS and keep an eye on the reports to see the passed and failed authentications.

Here's another tip:

By making the fall-back authentication "line" you can immediately distinguish between a Tacacs Login and line Login. Tacacs will show: "Username:" and Line will prompt "Password:"

!

Let me know how things go.

Cheers

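The group method above only fails over cleanly when every server listed in the group also has a matching tacacs-server host line (and a key, per-host or global) and the method list actually references the group. The following checker is an added example, not code from the thread or from Cisco; it parses a constructed IOS-style config fragment modelled on the accepted answer, with 10.1.1.13 deliberately missing its tacacs-server host line, and reports such gaps.

```python
import re

# Constructed sample config modelled on the group method in the accepted answer.
# 10.1.1.13 is deliberately left without a "tacacs-server host" line so the
# checker has a real gap to report.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ABCGROUP
 server 10.1.1.5
 server 10.1.1.13
!
aaa authentication login default group ABCGROUP line
!
tacacs-server host 10.1.1.5
tacacs-server key abcdef
"""


def check_tacacs_config(config):
    """Return a list of findings for an IOS-style AAA / TACACS+ config text."""
    groups, hosts, method_lists = {}, {}, []
    global_key, current = None, None
    for line in config.splitlines():
        if m := re.match(r"aaa group server tacacs\+ (\S+)", line):
            current = m.group(1)          # entering a server-group block
            groups[current] = []
        elif current and (m := re.match(r"\s+server (\S+)", line)):
            groups[current].append(m.group(1))   # indented member line
        else:
            current = None                # any other line closes the block
            if m := re.match(r"tacacs-server host (\S+)(?: key (\S+))?", line):
                hosts[m.group(1)] = m.group(2)   # per-host key or None
            elif m := re.match(r"tacacs-server key (\S+)", line):
                global_key = m.group(1)
            elif m := re.match(r"aaa (authentication|authorization|accounting) .*? group (\S+)", line):
                method_lists.append((m.group(1), m.group(2)))
    findings = []
    for name, members in groups.items():
        for ip in members:
            if ip not in hosts:
                findings.append(f"group {name}: server {ip} has no tacacs-server host line")
            elif hosts[ip] is None and global_key is None:
                findings.append(f"group {name}: server {ip} has no per-host or global key")
    for kind, group in method_lists:
        if group != "tacacs+" and group not in groups:
            findings.append(f"aaa {kind}: method list references undefined group {group}")
    return findings


if __name__ == "__main__":
    for finding in check_tacacs_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config to confirm both servers are fully defined before stopping the primary service for a failover test.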

5 Replies

jhillend (Level 1)

If this is for IOS, just configure a second server (the secondary server) on IOS:

tacacs-server host x.x.x.x key xyz

Unfortunately I tried that and it doesn't work the way I want it to. I have both the primary and secondary configured and when I stop the primary services it does not fall back to the secondary it just falls to the local. Thanks for the feedback. Any other ideas?

Did you set the server groups?

aaa group server tacacs+ {mygroup1}
 server nn.nn.nn.nn
 server nn.nn.nn.nn
!
tacacs-server host nn.nn.nn.nn key abcd
tacacs-server host nn.nn.nn.nn key defg

then modify the authen/author/acct lines to reflect the group name vs. the default of tacacs+

Steve


It worked with the group method. Thanks for everyone's help.
