Cisco Support Community
New Member

Secondary TACACS server

I need some assistance on configuring a secondary TACACS server. I have a primary and secondary server. I would like AAA requests send to the secondary server whenever the primary is either down or the service on the primary has stopped. Any ideas?

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Secondary TACACS server

You can consider two methods:

The old school one like this -

aaa new-model
aaa authentication login default group tacacs+ local
!
tacacs-server host 10.1.122.11
tacacs-server host 10.2.32.13
tacacs-server key abcdef

or, try a group method like this:

aaa new-model
aaa group server tacacs+ ABCGROUP
 server 10.1.1.5
 server 10.1.1.13
!
aaa authentication login default group ABCGROUP line
!
tacacs-server host 10.1.1.5
tacacs-server host 10.1.1.13
tacacs-server key abcdef
!

Because the shared key (secret) cannot be configured in the group config you must define those tacacs servers again at the end of the config.

!

Make sure you have connectivity to both before testing. Stop the service on your primary ACS and keep an eye on the reports to see the passed and failed authentications.

Here's another tip:

By making the fall-back authentication "line" you can immediately distinguish between a TACACS login and a line login. TACACS will show "Username:" and line will prompt "Password:".

!

Let me know how things go.

Cheers
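
As an added example (not part of the thread, and not Cisco's code), here is a small Python checker that applies the rule in the accepted answer to a config excerpt: every server listed under an aaa group server tacacs+ block must also have a tacacs-server host line (since that, plus tacacs-server key, is where the shared key lives), and the login method list must actually reference the group, otherwise the device never tries the second server and drops straight to the local or line fallback, which is the symptom the original poster saw. The sample configs and the regexes are constructed for this example and only cover the commands shown in the thread.

```python
"""Sanity-check an IOS TACACS+ server-group config for fail-over pitfalls.

Added example, not from the original thread. It parses a running-config
excerpt with regexes that cover only the commands seen on the page.
"""
import re

# Constructed sample: the group-method config from the thread, with one
# deliberate omission (10.1.1.13 has no 'tacacs-server host' line).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ABCGROUP
 server 10.1.1.5
 server 10.1.1.13
!
aaa authentication login default group ABCGROUP line
!
tacacs-server host 10.1.1.5
tacacs-server key abcdef
!
"""

# Constructed sample: the same config with both hosts defined, as the
# accepted answer recommends.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "tacacs-server host 10.1.1.5\n",
    "tacacs-server host 10.1.1.5\ntacacs-server host 10.1.1.13\n",
)


def parse_config(text):
    """Extract server groups, host definitions, the global key and the
    'aaa authentication login' method lists from a config excerpt."""
    groups = {}        # group name -> list of server IPs
    hosts = {}         # host IP -> per-host key, or None if not set
    global_key = None  # value of 'tacacs-server key', if present
    method_lists = []  # (list name, [method tokens])
    current_group = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current_group = None  # any top-level command ends the group block
        m = re.match(r"aaa group server tacacs\+ (\S+)$", line)
        if m:
            current_group = m.group(1)
            groups[current_group] = []
            continue
        m = re.match(r"\s+server (\S+)$", line)
        if m and current_group is not None:
            groups[current_group].append(m.group(1))
            continue
        m = re.match(r"tacacs-server host (\S+)(?: key (\S+))?", line)
        if m:
            hosts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"tacacs-server key (\S+)", line)
        if m:
            global_key = m.group(1)
            continue
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            method_lists.append((m.group(1), m.group(2).split()))
    return groups, hosts, global_key, method_lists


def check_failover(text):
    """Return a list of findings; an empty list means the group config is
    consistent and fail-over to the second server can work."""
    groups, hosts, global_key, method_lists = parse_config(text)
    findings = []
    for name, servers in groups.items():
        if len(servers) < 2:
            findings.append(f"group {name} lists {len(servers)} server(s); no fail-over possible")
        for ip in servers:
            if ip not in hosts:
                findings.append(f"server {ip} in group {name} has no 'tacacs-server host' line")
            elif hosts[ip] is None and global_key is None:
                findings.append(f"server {ip} has no shared key (per-host or 'tacacs-server key')")
    for list_name, methods in method_lists:
        # tokens following the keyword 'group', e.g. ['ABCGROUP'] or ['tacacs+']
        referenced = [methods[i + 1] for i, tok in enumerate(methods[:-1]) if tok == "group"]
        if not referenced:
            findings.append(f"login list {list_name} uses no server group; only {' '.join(methods)}")
        for g in referenced:
            if g not in groups and g not in ("tacacs+", "radius"):
                findings.append(f"login list {list_name} references undefined group {g}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_failover(cfg) or "OK")
```

Run it on a saved copy of `show running-config` before stopping the primary ACS service; a clean result from the checker plus a passed authentication in the ACS reports for the secondary is the evidence that fail-over is actually working rather than silently dropping to local or line.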

5 REPLIES
New Member

Re: Secondary TACACS server

If this is for IOS, just configure a second server (the secondary server) on IOS:

tacacs-server host x.x.x.x key xyz

New Member

Re: Secondary TACACS server

Unfortunately I tried that and it doesn't work the way I want it to. I have both the primary and secondary configured and when I stop the primary services it does not fall back to the secondary it just falls to the local. Thanks for the feedback. Any other ideas?

New Member

Re: Secondary TACACS server

Did you set the server groups?

aaa group server tacacs+ {mygroup1}
 server nn.nn.nn.nn
 server nn.nn.nn.nn
!
tacacs-server host nn.nn.nn.nn key abcd
tacacs-server host nn.nn.nn.nn key defg

then modify the authen/author/acct lines to reflect the group name vs. the default of tacacs+

Steve

New Member

Re: Secondary TACACS server

It worked with the group method. Thanks for everyone's help.

1702 Views, 0 Helpful, 5 Replies