https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308633#M434798 <HTML><HEAD></HEAD><BODY><P>You can consider two methods: </P><P></P><P>The old school one like this -</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>!</P><P>tacacs-server host 10.1.122.11</P><P>tacacs-server host 10.2.32.13</P><P>tacacs-server key abcdef</P><P></P><P>or, try a group method like this:</P><P></P><P>aaa new-model</P><P>aaa group server tacacs+ ABCGROUP</P><P> server 10.1.1.5</P><P> server 10.1.1.13</P><P>!</P><P>aaa authentication login default group ABCGROUP line</P><P>!</P><P>tacacs-server host 10.1.1.5</P><P>tacacs-server host 10.1.1.13</P><P>tacacs-server key abcdef</P><P>!</P><P></P><P>Because the shared key (secret) cannot be configured in the group config you must define those tacacs servers again at the end of the config.</P><P>!</P><P>Make sure you have connectivity to both before testing. Stop the service on your primary ACS and keep an eye on the reports to see the passed and failed authentications.</P><P></P><P>Here;s another tip: </P><P></P><P>By making the fall-back authentication "line" you can immediatly distinguish between a Tacacs Login and line Login. Tacacs will show: "Username:" and Line will prompt "Password:"</P><P>!</P><P>Let me know how things go.</P><P></P><P>Cheers</P></BODY></HTML> Sun, 29 Feb 2004 19:54:19 GMT pvanvuuren 2004-02-29T19:54:19Z https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308629#M434794 <P>I need some assistance on configuring a secondary TACACS server. I have a primary and secondary server. I would like AAA requests send to the secondary server whenever the primary is either down or the service on the primary has stopped. Any ideas?</P> Sun, 10 Mar 2019 14:40:55 GMT https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308629#M434794 ttran01 2019-03-10T14:40:55Z https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308630#M434795 <HTML><HEAD></HEAD><BODY><P>If this is for IOS, just configure a second server (the secondary server) on IOS:</P><P></P><P>tacacs-server x.x.x.x key xyz</P><P></P></BODY></HTML> Tue, 24 Feb 2004 22:03:08 GMT https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308630#M434795 jhillend 2004-02-24T22:03:08Z https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308631#M434796 <HTML><HEAD></HEAD><BODY><P>Unfortunately I tried that and it doesn't work the way I want it to. I have both the primary and secondary configured and when I stop the primary services it does not fall back to the secondary it just falls to the local. Thanks for the feedback. Any other ideas?</P></BODY></HTML> Tue, 24 Feb 2004 22:42:28 GMT https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308631#M434796 ttran01 2004-02-24T22:42:28Z https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308632#M434797 <HTML><HEAD></HEAD><BODY><P>Did you set the server groups?</P><P></P><P>aaa group server tacacs+ {mygroup1}</P><P> nn.nn.nn.nn key abcd</P><P> nn.nn.nn.nn key defg</P><P></P><P>then modify the authen/author/acct lines to reflect the group name vs. the default of tacacs+</P><P></P><P>Steve</P></BODY></HTML> Sat, 28 Feb 2004 23:43:08 GMT https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308632#M434797 pigotts 2004-02-28T23:43:08Z https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308633#M434798 <HTML><HEAD></HEAD><BODY><P>You can consider two methods: </P><P></P><P>The old school one like this -</P><P></P><P>aaa new-model</P><P>aaa authentication login default group tacacs+ local</P><P>!</P><P>tacacs-server host 10.1.122.11</P><P>tacacs-server host 10.2.32.13</P><P>tacacs-server key abcdef</P><P></P><P>or, try a group method like this:</P><P></P><P>aaa new-model</P><P>aaa group server tacacs+ ABCGROUP</P><P> server 10.1.1.5</P><P> server 10.1.1.13</P><P>!</P><P>aaa authentication login default group ABCGROUP line</P><P>!</P><P>tacacs-server host 10.1.1.5</P><P>tacacs-server host 10.1.1.13</P><P>tacacs-server key abcdef</P><P>!</P><P></P><P>Because the shared key (secret) cannot be configured in the group config you must define those tacacs servers again at the end of the config.</P><P>!</P><P>Make sure you have connectivity to both before testing. Stop the service on your primary ACS and keep an eye on the reports to see the passed and failed authentications.</P><P></P><P>Here;s another tip: </P><P></P><P>By making the fall-back authentication "line" you can immediatly distinguish between a Tacacs Login and line Login. Tacacs will show: "Username:" and Line will prompt "Password:"</P><P>!</P><P>Let me know how things go.</P><P></P><P>Cheers</P></BODY></HTML> Sun, 29 Feb 2004 19:54:19 GMT https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308633#M434798 pvanvuuren 2004-02-29T19:54:19Z https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308634#M434799 <HTML><HEAD></HEAD><BODY><P>It worked with the group method. Thanks for everyone's help.</P></BODY></HTML> Mon, 01 Mar 2004 20:41:17 GMT https://community.cisco.com/t5/network-access-control/secondary-tacacs-server/m-p/308634#M434799 ttran01 2004-03-01T20:41:17Z