 | TACACS+ failover
Hello all,
I have TACACS configured on two different servers and the appropriate commands on my router. The issue that I found out this morning is that the primary server went down, so I lost my TACACS authentication... however, according to the documentation that I followed when this got set up, I should have been failed over to the backup server. It didn't happen. Does anyone have a suggestion?
Here is my current configuration:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default
action-type start-stop
group tacacs+
exit
int lo640
description primary_tacacs+
ip address <ip address subnetmask>
int lo641
description secondary_tatacs+
ip address <ip address subnetmask>
ip tacacs source-interface lo640
ip tacacs source-interface lo641
tacacs-server host 172.16.0.1
tacacs-server host 172.16.0.5
tacacs-server directed-request
tacacs-server timeout 1
tacacs-server key password!!!!!!!
line vty 0 4
login authentication default
exit
Thanks |
|
 | What version of ACS are you running? Normally I do my ACS configurations in an active/standby pair. You would specify one TACACS source interface and two TACACS servers in the order you want them. If server A fails it would roll over to server B. Can you provide an output of 'show tacacs' for us? -- "There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy |
|
 | You can use AAA server groups
!
aaa group server tacacs AAA-Server-Group
server 172.16.0.1
server 172.16.0.6
!
aaa authentication login default group AAA-Server-Group local
aaa authentication enable default group AAA-Server-Group enable
|
 | reply to krock83 Hello
It turned out to be a misconfiguration on the secondary TACACS server.
Thanks |
|
 TomS_Git-r-donePremium,MVM join:2002-07-19 London, UK kudos:4 | reply to krock83 But ... two source addresses? |
|
 | Yes, this works when you have 2 groups monitoring device on different VRFs... It's a bit tricky and painful, but you are right, the command above is not the right one. |
|
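The points raised across this thread (server order, a single source interface, a local fallback) can be checked mechanically before an outage. The script below is an added example, not code from any poster; the function name `audit_tacacs` and the report layout are assumptions, and the sample input is constructed from the configuration in the first post.

```python
import re

# Constructed sample: TACACS+ lines taken from the first post's configuration.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
ip tacacs source-interface lo640
ip tacacs source-interface lo641
tacacs-server host 172.16.0.1
tacacs-server host 172.16.0.5
tacacs-server timeout 1
"""

def audit_tacacs(config):
    """Return failover-relevant TACACS+ settings and findings for an IOS-style config."""
    servers, sources, login, timeout = [], [], [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"tacacs-server host (\S+)", line):
            servers.append(m.group(1))          # tried in the order listed
        elif m := re.match(r"server (\S+)$", line):
            servers.append(m.group(1))          # member of an 'aaa group server' block
        elif m := re.match(r"ip tacacs source-interface (\S+)$", line):
            sources.append(m.group(1))
        elif m := re.match(r"tacacs-server timeout (\d+)$", line):
            timeout = int(m.group(1))
        elif m := re.match(r"aaa authentication login default (.+)$", line):
            login = m.group(1).split()
    findings = []
    if len(servers) < 2:
        findings.append("fewer than two servers: no backup to fail over to")
    if len(sources) > 1:
        findings.append("more than one source-interface line: " + ", ".join(sources))
    if "local" not in login:
        findings.append("login list has no local fallback")
    return {"servers": servers, "sources": sources,
            "timeout": timeout, "findings": findings}

if __name__ == "__main__":
    report = audit_tacacs(SAMPLE_CONFIG)
    print("server order:", " -> ".join(report["servers"]))
    for finding in report["findings"]:
        print("check:", finding)
```

A configuration audit like this cannot see a fault on the server itself, which is what the original poster reports was the cause here, so it complements rather than replaces the 'show tacacs' output requested above.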