02-24-2004 12:44 PM - edited 03-10-2019 07:40 AM
I need some assistance on configuring a secondary TACACS server. I have a primary and secondary server. I would like AAA requests sent to the secondary server whenever the primary is either down or the service on the primary has stopped. Any ideas?
02-29-2004 11:54 AM
You can consider two methods:
The old school one like this -
aaa new-model
aaa authentication login default group tacacs+ local
!
tacacs-server host 10.1.122.11
tacacs-server host 10.2.32.13
tacacs-server key abcdef
or, try a group method like this:
aaa new-model
aaa group server tacacs+ ABCGROUP
 server 10.1.1.5
 server 10.1.1.13
!
aaa authentication login default group ABCGROUP line
!
tacacs-server host 10.1.1.5
tacacs-server host 10.1.1.13
tacacs-server key abcdef
!
Because the shared key (secret) cannot be configured in the group config you must define those tacacs servers again at the end of the config.
!
Make sure you have connectivity to both before testing. Stop the service on your primary ACS and keep an eye on the reports to see the passed and failed authentications.
Here's another tip:
By making the fall-back authentication "line" you can immediately distinguish between a TACACS login and a line login. TACACS will show "Username:" and line will prompt "Password:".
!
Let me know how things go.
Cheers
02-24-2004 02:03 PM
If this is for IOS, just configure a second server (the secondary server) on IOS:
tacacs-server host x.x.x.x key xyz
02-24-2004 02:42 PM
Unfortunately I tried that and it doesn't work the way I want it to. I have both the primary and secondary configured and when I stop the primary services it does not fall back to the secondary it just falls to the local. Thanks for the feedback. Any other ideas?
02-28-2004 03:43 PM
Did you set the server groups?
aaa group server tacacs+ mygroup1
 server nn.nn.nn.nn
 server nn.nn.nn.nn
!
tacacs-server host nn.nn.nn.nn key abcd
tacacs-server host nn.nn.nn.nn key defg
then modify the authen/author/acct lines to reflect the group name vs. the default of tacacs+
Steve
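The server-group approach described in the accepted answer above and in Steve's post, written out as an added example in the named-server syntax of current IOS and IOS-XE. This is not configuration from the original thread; the server names TAC-PRIMARY and TAC-SECONDARY, the group name TAC-GROUP, the addresses 10.1.1.5 and 10.1.1.13, the key and the local username are placeholders chosen for the example.

```cisco
! Added example, not from the original thread. Names, addresses and
! keys are placeholders; replace them with your own.
aaa new-model
!
! Define each server once. With named servers each one carries its own
! key and timeout, so the keys no longer have to be repeated in a
! separate tacacs-server host line.
tacacs server TAC-PRIMARY
 address ipv4 10.1.1.5
 key abcdef
 timeout 3
tacacs server TAC-SECONDARY
 address ipv4 10.1.1.13
 key abcdef
 timeout 3
!
! The order inside the group is the failover order. The secondary is
! consulted only when the primary does not answer (timeout); a REJECT
! from the primary ends the attempt and is not retried on the secondary.
aaa group server tacacs+ TAC-GROUP
 server name TAC-PRIMARY
 server name TAC-SECONDARY
!
! "local" is reached only after every server in the group has failed to
! respond, never because a server rejected the credentials.
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local
aaa accounting exec default start-stop group TAC-GROUP
!
! Keep one local account so the device stays reachable if both servers
! are down; give it a strong secret, it is the last line of defence.
username admin privilege 15 secret ChangeMe-Locally
!
! Verification from exec mode after stopping the service on the primary:
!   test aaa group TAC-GROUP testuser testpass new-code
!   show tacacs
! "show tacacs" should show the secondary's request counter rising and
! the primary's failure counter rising; if the test reports a local
! result instead, the secondary was never reached.
```

Before pulling the plug on the primary, confirm that TCP/49 from the device's source address reaches both servers and that both servers have the device defined with the same key; an unknown client or a mismatched key looks like a timeout from the device's side and drives the request straight through to the local fallback.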
03-01-2004 12:41 PM
It worked with the group method. Thanks for everyone's help.