topic Re: Using multiple AAA servers in Network Access Control

Using multiple AAA servers

dkrijgsman — Sun, 10 Mar 2019 21:57:06 GMT

Is it possible to direct aaa authentication/authorization for my "auth-proxy" function to one TACACS server and send all other authentication/authorization requests to a different TACACS+ server?

Re: Using multiple AAA servers

dominic.caron — Mon, 29 Jan 2007 20:35:30 GMT

Yes

You must first define each server.

After Create 2 server group

aaa group server tacacs tac1

server x.x.x.x (server1)

aaa group server tacacs tac2

server x.x.x.x (server2)

Then use those server group in your aaa method list insted of the keyword Tacacs.

Re: Using multiple AAA servers

dkrijgsman — Tue, 30 Jan 2007 10:06:12 GMT

Hi dominic,

Thnx for responding. I was already testing with AAA server groups, however I can't seem to get it right. I've tried the folowing:

aaa group server tacacs+ proxy-test

server 212.84.0.19

aaa authentication login default group tacacs+ local

aaa authentication login auth-proxy group proxy-test

aaa authentication enable default group tacacs+ enable

aaa authentication ppp default if-needed group tacacs+ none

aaa authorization exec default group tacacs+ local

aaa authorization network default group tacacs+ local

aaa authorization auth-proxy default group proxy-test

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

ip auth-proxy inactivity-timer 10

ip auth-proxy name proxy-test http

Interface X

ip auth-proxy proxy-test

tacacs-server host x.x.x.x key x

tacacs-server host y.y.y.y key y

It seems the authentication/authorization for is always directed at the "default" list of methods. Auth-proxy on the same tacacs server is no problem and works fine.

Re: Using multiple AAA servers

dkrijgsman — Tue, 30 Jan 2007 10:39:18 GMT

double post

Re: Using multiple AAA servers

tsafwat — Tue, 30 Jan 2007 14:16:00 GMT

How can I configure a secondry ACS server on Pix ?

Re: Using multiple AAA servers

dominic.caron — Tue, 30 Jan 2007 15:35:25 GMT

Turn the problem upside down...

I bet your using tacacs+ default method for vty(telnet or ssh) access to the router. You can specify an aaa method for the vty,con and aux line interface on your router. Use the default for your auth-proxy and a named mothod for the administration.

Re: Using multiple AAA servers

dkrijgsman — Tue, 30 Jan 2007 15:47:33 GMT

Okay, after some testing i have an initial and working setup:

aaa group server tacacs+ proxy

server x.x.x.x

aaa authentication login default group proxy

aaa authentication login maintenance group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authentication ppp maintenance if-needed group tacacs+ none

aaa authorization exec maintenance group tacacs+ local

aaa authorization network maintenance group tacacs+ local

aaa authorization auth-proxy default group proxy

aaa accounting exec maintenance start-stop group tacacs+

aaa accounting commands 0 maintenance start-stop group tacacs+

aaa accounting commands 15 maintenance start-stop group tacacs+

aaa accounting network maintenance start-stop group tacacs+

aaa accounting connection maintenance start-stop group tacacs+

ip auth-proxy inactivity-timer 10

ip auth-proxy name proxy-test http

Interface X

ip auth-proxy proxy-test

tacacs-server host x.x.x.x key x

tacacs-server host y.y.y.y key y

line 0 15

line con 0

What i saw in the AAA debugs during an auth-proxy requestis that the "AAA authentication default" method list is always requested. I want to be able to create a named method list for this feature, but i'm not sure if i'll get it working. For now this will do.

Re: Using multiple AAA servers

dominic.caron — Tue, 30 Jan 2007 15:48:11 GMT

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ host 1.1.1.1

aaa-server TACACS+ host 2.2.2.2

This is usualy simple. If you need to load-balance on the two server, you need a CSS or something like that. Tacacs is generaly easy to loadbalance, radius is another story(udp). Since UDP is not connection oriented, you must rely on connection timeout.

Re: Using multiple AAA servers

dkrijgsman — Tue, 30 Jan 2007 15:51:24 GMT

Hi dominic,

🙂 As you can see, I've just come to the same conclusion.

It is possible to use a named method list for the auth-proxy? If it's not i'll leave it with this setup.

Thnx many times

Re: Using multiple AAA servers

dominic.caron — Tue, 30 Jan 2007 16:01:58 GMT

I think auth-proxy is tied to the http server implementation. This is a guess but you could try to change the http server aaa method...

ip http authentication aaa login-authentication (method)

Sorry, cant test this on my prod network 😞

Re: Using multiple AAA servers

dkrijgsman — Wed, 31 Jan 2007 10:10:47 GMT

Dominic,

When I specify a named method for example: "ip http authentication aaa login-authentication test" the auth-proxy function still requests the default method list.

So if i'm going to implement this feature it seems i'll have to leave the default method list for auth-proxy functions.....