
krock83

join:2010-03-02

TACACS+ failover

Hello all,

I have tacacs configured on two different servers and the appropriate commands on my router. The issue that I found out this morning is that the primary server went down, so I lost my tacacs authentication... however, according to the documentation that I followed when this got set up, I should have been failed over to the backup server. It didn't happen. Does anyone have a suggestion?

Here is my current configuration:

aaa new-model
 
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default
action-type start-stop
group tacacs+
exit
 
int lo640
description primary_tacacs+
ip address <ip address subnetmask>
 
int lo641
description secondary_tatacs+
ip address <ip address subnetmask>
 
ip tacacs source-interface lo640
ip tacacs source-interface lo641
 
tacacs-server host 172.16.0.1
tacacs-server host 172.16.0.5
tacacs-server directed-request
tacacs-server timeout 1
tacacs-server key password!!!!!!!
 
line vty 0 4
login authentication default
exit
 
 

Thanks


phantasm11b
Premium
join:2007-11-02

What version of ACS are you running? Normally I do my ACS configurations in an active/standby pair. You would specify one tacacs source interface and two tacacs servers in the order you want them. If server A fails it would roll over to server B. Can you provide an output of 'show tacacs' for us?
--
"There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy


ladino

join:2001-02-24
USA
kudos:1

You can use AAA server groups

!
aaa group server tacacs AAA-Server-Group
  server 172.16.0.1
  server 172.16.0.6
!
aaa authentication login default group AAA-Server-Group local
aaa authentication enable default group AAA-Server-Group enable
 

krock83

join:2010-03-02
reply to krock83

Hello

It turned out to be a misconfiguration on the secondary TACACS server.

Thanks



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to krock83

But ... two source addresses?



Da Geek Kid

join:2003-10-11
::1
kudos:1

Yes, this works when you have 2 groups monitoring the device on different VRFs... It's a bit tricky and painful, but you are right, the command above is not the right one.
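
Added example, not part of any post in this thread: a small Python check that reads an IOS-style configuration and reports the router-side points raised above (number of TACACS+ servers, repeated `ip tacacs source-interface` lines, local fallback on the login list). The function name `audit_tacacs` and the sample text are constructed for illustration; the check assumes the global source-interface command holds a single value, so a later line replaces an earlier one.

```python
import re

# Constructed sample: the failover-relevant lines of the configuration posted above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
ip tacacs source-interface lo640
ip tacacs source-interface lo641
tacacs-server host 172.16.0.1
tacacs-server host 172.16.0.5
tacacs-server timeout 1
"""


def audit_tacacs(config: str) -> dict:
    """Collect TACACS+ failover facts from an IOS-style config and list findings."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    servers = [m.group(1) for ln in lines
               if (m := re.match(r"tacacs-server host (\S+)", ln))]
    sources = [m.group(1) for ln in lines
               if (m := re.match(r"ip tacacs source-interface (\S+)", ln))]
    findings = []
    if len(set(servers)) < 2:
        findings.append("fewer than two distinct TACACS+ servers: no failover target")
    if len(sources) > 1:
        # Assumption: one global value only, so the last line entered wins.
        findings.append(
            f"{len(sources)} source-interface lines; only {sources[-1]} takes effect")
    for ln in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", ln)
        # Without 'local' in the method list, losing every server locks out logins.
        if m and "local" not in m.group(2).split():
            findings.append(f"login list '{m.group(1)}' has no local fallback")
    return {
        "servers": servers,
        "effective_source": sources[-1] if sources else None,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_tacacs(SAMPLE_CONFIG)
    print("servers in order:", report["servers"])
    print("effective source interface:", report["effective_source"])
    for finding in report["findings"]:
        print("finding:", finding)
```

A clean result only covers the router side. The fault the original poster eventually found was on the secondary server itself, so that server also needs to accept requests arriving from the source address that actually takes effect.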