topic Authentication problem with second TACACs server ACS on switch in Network Access Control

Authentication problem with second TACACs server ACS on switch

soporte spconnet — Fri, 21 Feb 2020 18:48:43 GMT

Actually I have an ACS appliance (version 5.3) in production in my network and I going to replace it for a virtual machine in the version 5.8.1.

The switches have a config like this:

aaa new-model
!
aaa group server tacacs+ tacacs2
server 192.168.1.240
!
aaa authentication login default group tacacs2 local
aaa authentication login con local
aaa authorization config-commands
aaa authorization exec default group tacacs2 local
aaa authorization exec con none
aaa authorization commands 1 default group tacacs2 local
aaa authorization commands 15 default group tacacs2 local
aaa accounting commands 1 default start-stop group tacacs2
aaa accounting commands 5 default start-stop group tacacs2
aaa accounting commands 15 default start-stop group tacacs2

tacacs-server host 192.168.1.240 key 7 094D4D1A0A561D405B5D56393C
tacacs-server directed-request
!

Now, actually the second server is ready for to be added to the Network, and before to remove the old ACS I thought to add the new ACS to the aaa group server:

tacacs-server host 192.168.11.100 key <key>

aaa group server tacacs+ tacacs2

server 192.168.11.100

But, how both ACS's are independent servers (stand alone) when I try to test the users this is the output:

SW#test aaa group tacacs2 user password 2017 legacy !this user was created in the old server
Attempting authentication test to server-group tacacs-sej using tacacs+
User was successfully authenticated.

SW#test aaa group tacacs2 user2 password legacy ! this user was created in the second server
Attempting authentication test to server-group tacacs-sej using tacacs+
User authentication request was rejected by server.

I think that the requests of the conection are just taken by the old server, because the second server doesn't have any request and don't show any data in the reports.

I would like to know if there is a configuration in the switch for both servers, maybe configure two aaa group server and new aaa method list for the new group.

I'll apreciate your comments, Ana.

Re: Authentication problem with second TACACs server ACS on switch

johnd2310 — Wed, 14 Mar 2018 01:35:18 GMT

Are you not able to specify the server to test against in your test aaa command?

test aaa group tacacs2 server 192.168.1.240 user password legacy

test aaa group tacacs2 server 192.168.11.100 user2 password legacy

Thanks

John

Re: Authentication problem with second TACACs server ACS on switch

EduardR — Wed, 14 Mar 2018 14:09:33 GMT

I think the best approach is to configure 2 server groups and change the authentication order... we got something like this working fine:

aaa new-model
ip tacacs source-interface VlanXXXX

tacacs server ACS1
 address ipv4 1.1.1.1
 key Key1
tacacs server ACS2
 address ipv4 2.2.2.2
 key Key2

aaa group server tacacs+ GROUP1
 server name ACS1
aaa group server tacacs+ GROUP2
 server name ACS2

aaa authentication login default group GROUP1 group GROUP2 local enable
aaa authorization exec default group GROUP1 group GROUP2 local if-authenticated
aaa authorization commands 15 default group GROUP1 group GROUP2 local if-authenticated

aaa accounting commands 15 default stop-only group GROUP1 group GROUP2
aaa accounting exec default start-stop group GROUP1 group GROUP2
aaa accounting connection default start-stop group GROUP1 group GROUP2
aaa accounting send stop-record authentication failure
aaa accounting update newinfo

You can change the Auth* order by changing the position of GROUP1 and GROUP2 in the aaa sentences.

PD: Even, we got something with 2 ACS and 2 ISE working togheter, one as fallback from the other, and it works flawlessly.