Cisco Support Community

No dead-timer feature for TACACS servers in IOS?


I've recently set up multiple ACS 5.1 boxes with primary/secondary replication for redundancy.

I was thinking of using this for redundant RADIUS services (point wireless controllers etc. towards multiple ACS instances, and let the RADIUS monitoring dead-timers figure out which servers to use in case of a failure). For RADIUS this works perfectly.

For TACACS, I have tried with a server-group:

! TACACS+ hosts (hostnames must resolve via DNS or ip host entries)
tacacs-server host ACS1 single-connection key MYKEY
tacacs-server host ACS2 single-connection key MYKEY
!
! Server group; the IOS keyword is tacacs+ (the abbreviation tacacs is accepted)
aaa group server tacacs+ TACACS
 server ACS1
 server ACS2
!
! Local fallback account (a plain username command, not aaa username)
username localadmin password MYPW
!
aaa authentication login default group TACACS local
!
[aaa authorization lines for each priv level also set up with fallback to local]

I have 2 issues with this:

My thought was that if one TACACS server fails, the IOS units would use the next server in the server group, but what happens is that after ACS1 times out, my login prompt only accepts the localadmin account.

Also - if I shut down ACS1 WHILE logged in, the authorization correctly falls back to ACS2, BUT only after trying ACS1 on every command entered. I can't seem to find any dead-time feature for TACACS, which would solve this issue.

Anyone got a best-practice take on redundant ACS servers for TACACS? Can't seem to find any on CCO.
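As an added example (not from the original post and not Cisco's own reference config), the same setup with the global TACACS+ request timeout shortened so a dead ACS1 costs each command only a bounded wait before the group moves on to ACS2, plus the show/debug commands used to confirm which server actually answered; the 3-second value and the host names ACS1/ACS2 are assumptions.

```cisco
! Added example; ACS1/ACS2 and the 3-second timeout are assumed values.
tacacs-server host ACS1 single-connection key MYKEY
tacacs-server host ACS2 single-connection key MYKEY
!
! Global per-request timeout (IOS default is 5 s). With no dead-time for
! TACACS+ groups, every request still tries ACS1 first when it is down, so
! this value is what bounds the extra delay per command before ACS2 is asked.
tacacs-server timeout 3
!
aaa group server tacacs+ TACACS
 server ACS1
 server ACS2
!
! 'local' is only reached when the whole group errors out (no server
! reachable); a server that is reachable but rejects the user is a FAIL,
! and the method list does not continue to 'local' in that case.
username localadmin privilege 15 secret MYPW
aaa authentication login default group TACACS local
aaa authorization exec default group TACACS local
aaa authorization commands 15 default group TACACS local
!
! Verification after taking ACS1 down (run from a separate session):
!   show tacacs           - per-server counters, including timeouts
!   debug tacacs events   - shows which server each request is sent to
```

The `secret` keyword stores the local fallback password as a hash rather than the reversible `password` form; the rest of the fallback behaviour is unchanged.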


