topic Re: Using two tacacs+ servers in Network Access Control

Using two tacacs+ servers

COLIN — Tue, 20 Jul 2021 17:39:57 GMT

On the same switch is it possible to configure that one user from a source authenticates to a tacacs+ server and then another user from another source authenticates to a different tacacs+ server, that is for each user an authentication/authorization request to different TACACS+ servers all together. the ACL on vty 0 4 would deny the first and then the ssh request would go to vty 5 9.

!
aaa new-model
!
aaa group server tacacs+ TACACS-AUTH-1
server-private 1.1.1.1 key 7 <removed>
server-private 1.1.1.2 key 7 <removed>
tacacs-server directed-request
tacacs-server attribute allow unknown
default tacacs-server timeout
!
aaa authentication login default group TACACS-AUTH-1 local
aaa authorization exec default group TACACS-AUTH-1 local
!
aaa authentication enable default group TACACS-AUTH-1 enable
aaa authorization console
aaa authorization config-commands
aaa authorization commands 1 default group TACACS-AUTH-1 local
aaa authorization commands 15 default group TACACS-AUTH-1 local
aaa accounting exec default start-stop group TACACS-AUTH-1
aaa accounting commands 1 default start-stop group TACACS-AUTH-1
aaa accounting commands 15 default start-stop group TACACS-AUTH-1
aaa accounting connection default start-stop group TACACS-AUTH-1
aaa accounting system default start-stop group TACACS-AUTH-1
!
access-list 111 remark VTY0-4 TACACS-AUTH-1
access-list 111 permit tcp host 1.1.1.1 any eq 22
access-list 111 permit tcp host 1.1.1.2 any eq 22
access-list 111 remark deny any other
access-list 111 deny ip any any log
!
!
aaa group server tacacs+ TACACS-AUTH-2
server-private 2.2.2.1 key 7 <removed>
server-private 2.2.2.2 key 7 <removed>
tacacs-server directed-request
tacacs-server attribute allow unknown
default tacacs-server timeout
!
aaa authentication login ANother group TACACS-AUTH-2 local
aaa authorization exec ANother group TACACS-AUTH-2 local
!
aaa authentication enable ANother group TACACS-AUTH-2 enable
aaa authorization console
aaa authorization config-commands
aaa authorization commands 1 ANother group TACACS-AUTH-2 local
aaa authorization commands 15 ANother group TACACS-AUTH-2 local
aaa accounting exec ANother start-stop group TACACS-AUTH-2
aaa accounting commands 1 ANother start-stop group TACACS-AUTH-2
aaa accounting commands 15 ANother start-stop group TACACS-AUTH-2
aaa accounting connection ANother start-stop group TACACS-AUTH-2
aaa accounting system ANother start-stop group TACACS-AUTH-2
!
access-list 222 remark VTY5-9 TACACS-AUTH-2
access-list 222 permit tcp host 2.2.2.1 any eq 22
access-list 222 permit tcp host 2.2.2.2 any eq 22
access-list 222 remark deny any other
access-list 222 deny ip any any log
!
!
line vty 0 4
login authentication default
access-class 111 in
!
line vty 5 9
login authentication ANother
access-class 222 in
!

Thank you in advance for any comments on this configuration

Re: Using two tacacs+ servers

Arne Bier — Thu, 22 Jul 2021 05:47:07 GMT

Interesting question. I don't know if that would work - did you test your config?

I expect that the VTY would process the TCP connections as they come in - i.e. VTY0 is used if there are no other sessions in use. And that means that user is going to get processed by VTY0 config.

I thought that perhaps there was something with named authentication/authorization lists - but the same logic applies - there doesn't seem to be any conditional logic in IOS to direct the VTY logins to a named list.

aaa authentication login VTY_authen group dnac-network-radius-group local
aaa authorization exec VTY_author group dnac-network-radius-group local if-authe

line vty 0 4
 authorization exec VTY_author
 login authentication VTY_authen
 transport preferred none
 transport input all

Re: Using two tacacs+ servers

COLIN — Thu, 22 Jul 2021 08:41:16 GMT

Hi Arne, thank you and all others for reply's,

What about if the ssh session used another port number, then that would go to the specified vty, thereby bypassing vty 0 4 ?

Best Regards

Re: Using two tacacs+ servers

Arne Bier — Thu, 22 Jul 2021 22:08:31 GMT

Hi @COLIN

May I ask, what is the problem you're trying to solve? I could imagine that perhaps you have two completely independent TACACS+ servers that don't contain the same user information and hence, you need to send the request to a specific server based on where the request is coming from.

I don't believe it's possible to make the IOS intelligent enough based on source IP address. You don't have any control over the the vty session number selection - it's first come, first served.

I had a look through the IOS EEM (Embedded Event Manager) and there doesn't seem to be a section for vty events - the "identity" events assume that authentication has been performed - which is a bit too late. EEM might have been the perfect solution.

Re: Using two tacacs+ servers

COLIN — Fri, 23 Jul 2021 06:42:44 GMT

Hi Arne,

Your understanding is spot on, and I think I have to accept that this action of authentication is not achievable in the way I have to do it.

Many thanks for your response been very useful.

Re: Using two tacacs+ servers

Amine ZAKARIA — Thu, 29 Jul 2021 19:11:41 GMT

Hello,

Lets say we have 10.99.0.0/24 and 10.86.0.0/24, does the users of 10.99.x.x will always access equipements through TACACS1, and the 10.86.x.x always through TACACS2 ? Are you using ISE for both servers ?

Regards!