topic How device select tacacs-server in Network Access Control

How device select tacacs-server

jlucero2424 — Mon, 11 Mar 2019 04:17:59 GMT

Hi Guys,

We have Existing tacacs configuration form our devices and pointed the 2 ACS server. the acs server are manage with other vendor which the acs server is located at their site. Now were planning to manage the acs server. We Installed a new acs server from our location, we have thousand of devices, if we migrate to the new server can we just add the 2 acs server from the device? are the new acs server will able to comunicate from the device? how does a device select which primary or secondary acs server? please advise.

Old config

aaa new-model

aaa authentication login vtymethod group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local if-authenticated

aaa authorization commands 0 default group tacacs+ local if-authenticated

aaa authorization commands 15 default group tacacs+ local if-authenticated

aaa accounting send stop-record authentication failure

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

ip tacacs source-interface Loopback0

tacacs-server host 10.x.x.x

New config

aaa new-model

aaa authentication login vtymethod group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local if-authenticated

aaa authorization commands 0 default group tacacs+ local if-authenticated

aaa authorization commands 15 default group tacacs+ local if-authenticated

aaa accounting send stop-record authentication failure

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

ip tacacs source-interface Loopback0

tacacs-server host 10.x.x.x

tacacs-server host 100.x.x.x <-- new

How device select tacacs-server

Amjad Abdullah — Mon, 20 Jan 2014 06:34:57 GMT

Hi,

in your way above the TACACS+ servers will be used in order.

You can group TACACS+ servers together and choose to use servers in that group only:

aaa group server tacacs+ Test

server 10.10.10.10

aaa authentication login vtymethod group Test local

under the vty lines config:

in the above example, only the server in the group Test; which is 10.10.10.10 will be used in authentication.

HTH,

Amjad

Rating useful replies is more useful than saying "Thank you"

How device select tacacs-server

jlucero2424 — Mon, 20 Jan 2014 06:56:57 GMT

Hi Amjad,

Thanks for the resposnse appricate it, so you mean to say it is like a round robin depending on the running conifig of the device which is the first configure tacacs-server host?

The two old acs server will be decommision as soon as the new acs are operational, so grouping it might not be best approach as we dont want to add another configuration on the device as were looking thousand of device.

Thanks,

Jaspher.

How device select tacacs-server

Amjad Abdullah — Mon, 20 Jan 2014 07:11:19 GMT

Hi Jaspher,

No. not round robin.

It will check the first IP. It will only check the next IP if the first one did not reply.

I hope it is clearer now

Rating useful replies is more useful than saying "Thank you"

How device select tacacs-server

jlucero2424 — Mon, 20 Jan 2014 07:39:35 GMT

Hi Amjad,

Thanks for the prompt response. its all clear now, we will just ad the new servers from the config and when it is operational and ready for deployment, will remove the old acs server configured from the device.

How device select tacacs-server

Amjad Abdullah — Mon, 20 Jan 2014 08:11:10 GMT

Thanks Jaspher,

appreciate marking the thread as "answered".

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"