Cisco Support Community

New Member

two tacacs servers

When I use two tacacs-servers, the router doesn't take the secondary tacacs-server. When one of the tacacs servers is down, the router always takes the first.

Image:

c3640-ik9s-mz.124-5a.bin

Config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default none
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2

Who can help me?

3 REPLIES
Hall of Fame Super Silver

Re: two tacacs servers

Juergen

I am not sure that I fully understand your question. When you say "when one of the tacacs servers is down, the router always takes the first", are you saying that if the first server is down, it does not authenticate with the second server?

Can you verify that there is successful connectivity from the router to the second server?

Can you tell whether requests from the router get to the second server? One way to determine this is to look in the logs of the server - especially in the failed attempts report.

Can you verify that the second server has a correct definition of the router (including the correct key)?

HTH

Rick

New Member

Re: two tacacs servers

Hi,

thank you for answering!

To the first question, that is correct.

To the second question, when I use the second tacacs server as the first in the router config, it works.

To the third statement, when I run a tacacs debug on the router, the router tries only to connect to the first server. So the second tacacs server has no log.

Sooo, what can I do?

Hall of Fame Super Silver

Re: two tacacs servers

Juergen

If you have run debug it would be helpful to see that output. Can you post that output? (If you are reluctant to post the debug output for some reason you could email it to me - my address is in my profile)

It is helpful to know that if the second server is defined first that it works. This answers very well the questions about connectivity, about proper configuration, etc. If the request got to the server it should work.

It may also be helpful to clarify the failure mode. When you say the server is down, can we be more specific: is the server shut down, network connection unplugged, is the service stopped, is some process within the service stopped? I have recently encountered a situation which may be very similar. I do not know if your issue is the same. We have routers with 2 servers configured and usually the redundancy works fine. But we encountered a situation where a process within the TACACS service was stopped. The IOS sends an authentication transaction to TACACS and TACACS sends an error response (AUTH server not available) and IOS does not go to the second server. This seems to be the behavior in 12.3 but not in earlier code. We are still looking for a workaround. If we find one I will post it.

HTH

Rick
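The distinction Rick draws above (a server that does not answer versus one that answers with an error) is the whole failover question in this thread. The following is an added illustration written for this page, not Cisco IOS code or anything from the original posts: a small model of walking the configured tacacs-server list where a timeout moves on to the next host but an error reply ends the transaction, so the secondary is never tried. The server states, outcome labels and the 1.1.1.1/2.2.2.2 sample list are constructed.

```python
# Model of the failover behaviour described in this thread (constructed
# illustration, not IOS code): an unreachable tacacs-server host is
# skipped and the next configured host is tried, while a host that answers
# with an error reply ("AUTH server not available") ends the transaction
# without the second host ever being contacted.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Possible states of a configured tacacs-server host (constructed labels).
UNREACHABLE = "unreachable"   # no reply before the timeout: host down, link unplugged
SERVICE_ERROR = "error"       # host answers but replies "AUTH server not available"
PASS = "pass"                 # host answers and accepts the credentials
FAIL = "fail"                 # host answers and rejects the credentials


@dataclass
class Attempt:
    server: str
    outcome: str


def tacacs_login(servers: List[str], state: Dict[str, str]) -> Tuple[str, List[Attempt]]:
    """Walk the tacacs-server list in configured order.

    Returns the final result ("pass", "fail", "error" or "no-server") and
    the list of hosts actually contacted, so a reader can see which hosts
    would show anything in their logs.
    """
    attempts: List[Attempt] = []
    for host in servers:
        outcome = state.get(host, UNREACHABLE)
        attempts.append(Attempt(host, outcome))
        if outcome == UNREACHABLE:
            continue                  # timeout: fail over to the next host
        return outcome, attempts      # any answer, error included, ends the transaction
    return "no-server", attempts      # nobody answered; next AAA method would apply


def secondary_was_tried(servers: List[str], state: Dict[str, str]) -> bool:
    """True if the transaction reached the second configured host."""
    _, attempts = tacacs_login(servers, state)
    return len(attempts) >= 2


if __name__ == "__main__":
    hosts = ["1.1.1.1", "2.2.2.2"]  # same order as the poster's config
    # Primary host down: failover works and 2.2.2.2 sees the request.
    print(tacacs_login(hosts, {"1.1.1.1": UNREACHABLE, "2.2.2.2": PASS}))
    # Primary host up but its TACACS service broken: 2.2.2.2 never contacted.
    print(tacacs_login(hosts, {"1.1.1.1": SERVICE_ERROR, "2.2.2.2": PASS}))
```

Run it and compare the two printed attempt lists: only in the second case does the secondary host stay silent, which matches "the second tacacs server has no log" in the thread.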
