12-16-2008 08:40 AM - edited 03-10-2019 04:14 PM
I would like to use 2 different Tacacs Servers with 2 different keys on an AS5300. I can see that I can add as many Tacacs-servers as I want to a config but I seem to only be able to add in 1 key. Both Tacacs Servers are owned by 2 different 3rd party companies. Is it possible or can you only add 1 key to the router config?
Regards
Mary
12-16-2008 09:40 AM
Depends on the version of IOS you use. With IOS 12.3 and higher, you can use different TACACS keys, as seen below on the 3640:
C3640#sh run | i tacacs-server
tacacs-server host 192.168.15.208 key 123456
tacacs-server host 192.168.3.10 key 12345678
tacacs-server directed-request
C3640#
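An added example, not part of the original reply: a small Python check that reads `tacacs-server` lines from a saved running-config and reports hosts that have no key of their own or that share a key with another server, which matters when the servers belong to different third parties. The function names are hypothetical, and the third host and the global `tacacs-server key` line in the sample are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: the two host lines from the post, plus a host without
# its own key and a global key (both added for illustration only).
SAMPLE_CONFIG = """\
tacacs-server host 192.168.15.208 key 123456
tacacs-server host 192.168.3.10 key 12345678
tacacs-server host 192.0.2.50
tacacs-server key 123456
tacacs-server directed-request
"""

def key_after(words):
    """Return the secret following 'key', skipping an encryption-type digit (0 or 7)."""
    if "key" not in words:
        return None
    rest = words[words.index("key") + 1:]
    if len(rest) > 1 and rest[0] in ("0", "7"):
        rest = rest[1:]
    return " ".join(rest) or None

def parse(config):
    """Collect per-host keys and the global key from running-config text."""
    hosts, global_key = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["tacacs-server", "host"] and len(words) > 2:
            hosts[words[2]] = key_after(words[3:])
        elif words[:2] == ["tacacs-server", "key"]:
            global_key = key_after(words[1:])
    return hosts, global_key

def audit(config):
    """Return (hosts, issue) pairs; secrets themselves are never reported."""
    hosts, global_key = parse(config)
    findings, by_key = [], defaultdict(list)
    for host, key in hosts.items():
        effective = key or global_key  # a per-host key overrides the global one
        if key is None:
            findings.append((host, "no per-host key; falls back to global key"
                             if global_key else "no key configured"))
        if effective:
            by_key[effective].append(host)
    for sharing in by_key.values():
        if len(sharing) > 1:
            findings.append((",".join(sorted(sharing)), "same key on several servers"))
    return findings

if __name__ == "__main__":
    for target, issue in audit(SAMPLE_CONFIG):
        print(f"{target}: {issue}")
```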
12-17-2008 06:21 AM
Hiya
Yes this does indeed work but I only want certain subnets to use tacacs server 1 and other subnets to use tacacs server 2 - I can't see a way of splitting this down on the IOS.
Regards
Mary
12-17-2008 07:06 AM
I think you could create two different AAA groups. Each will query both TACACS servers, obviously failing on one but it should be successful on the other and vice versa. Actually one group should work, but you might want to split them up for clarification.
12-17-2008 07:41 AM
Is this something you've tried and it works for you?
You can create multiple AAA groups on the routers for multiple AAA groups but you can only use them for AAA accounting purposes. You can not use them for AAA authentication purposes.