AAA server group doesn't work

mrashby
Level 1

All,

I have an AAA server group set up on my router to use for, well, AAA, but it doesn't work. When I just specify one server and not the group list, everything works. Any ideas as to why this is? I will post the config.

*****************************************************

version 12.2
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname BIZNESS
!
aaa new-model
aaa group server tacacs+ TACSLOG
 server 192.x.x.x
 server 192.x.x.x
!
aaa authentication login default group TACSLOG local
aaa authorization exec default group TACSLOG local
aaa accounting exec default start-stop group TACSLOG
aaa accounting commands 5 default start-stop group TACSLOG
aaa accounting commands 15 default start-stop group TACSLOG
enable password xxx
!
username xxx password xxx
username xxx privilege 15
username xxx autocommand menu ADMIN1
ip subnet-zero
!
ip domain-name SBA.GOV
!
call rsvp-sync
!
interface FastEthernet0/0
 ip address 192.x.x.x 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
ip classless
no ip http server
!
menu ADMIN1 prompt ^CSELECT AN OPTION PUNK^C
menu ADMIN1 text 1 SHO IP INTERFACE BRIEF
menu ADMIN1 command 1 SHOW IP INTERFACE BRIEF
menu ADMIN1 text 2 SHOW INTERFACE FA0/0
menu ADMIN1 command 2 SHO INT FA0/0
menu ADMIN1 text 3 SHOW RUN INTERFACE FA0/0
menu ADMIN1 command 3 SHOW RUN INT FA0/0
menu ADMIN1 text 4 SHOW ARP
menu ADMIN1 command 4 SHOW ARP
menu ADMIN1 text 5 EXIT
menu ADMIN1 command 5 LOGOUT
!
dial-peer cor custom
!
privilege exec level 5 show ip interface brief
privilege exec level 5 show interface fa0/0
privilege exec level 5 show run interface fa0/0
privilege exec level 5 show arp
!
line con 0
line aux 0
line vty 0 4
 password xxx
!
end

Accepted Solution

sstudsdahl
Level 4

When you define an AAA server group, you associate a server IP with the group name. You still must define the AAA server separately, which is also where you set up the key that is used. In your case, you need to add to your configuration:

tacacs-server host 192.x.x.x key somekey
tacacs-server host 192.x.x.x key somekey

HTH

Steve

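The mistake this answer describes can be caught before a router is touched. The following is an added example written for this page (not the poster's configuration and not a Cisco tool): it reads an IOS-style configuration, collects the members of each "aaa group server tacacs+" block, and reports every member that has no matching "tacacs-server host" line, or whose host line carries no key (a global "tacacs-server key" is accepted as covering all hosts). The sample configuration and its addresses are constructed, since the page redacts the real ones.

```python
import re
# Constructed sample modelled on the poster's config; addresses are made up
# because the page redacts them. Only the first group member has a host entry.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ TACSLOG
 server 192.0.2.10
 server 192.0.2.11
!
aaa authentication login default group TACSLOG local
tacacs-server host 192.0.2.10 key somekey
"""

def parse_groups(config):
    """Map each 'aaa group server tacacs+' name to its member server addresses."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s*server\s+(\S+)", line)  # indentation may be stripped
        if m and current is not None:
            current.append(m.group(1))
        elif line.strip():
            current = None  # any other non-blank line ends the group block
    return groups

def parse_tacacs_hosts(config):
    """Map each 'tacacs-server host' address to whether a usable key applies."""
    global_key = re.search(r"^tacacs-server key\s+\S+", config, re.M) is not None
    hosts = {}
    for line in config.splitlines():
        m = re.match(r"tacacs-server host (\S+)(.*)", line)
        if m:
            hosts[m.group(1)] = global_key or re.search(r"\bkey\s+\S+", m.group(2)) is not None
    return hosts

def find_undefined_servers(config):
    """Return (group, address, problem) for members the router cannot actually use."""
    hosts = parse_tacacs_hosts(config)
    findings = []
    for group, members in parse_groups(config).items():
        for ip in members:
            if ip not in hosts:
                findings.append((group, ip, "no tacacs-server host entry"))
            elif not hosts[ip]:
                findings.append((group, ip, "tacacs-server host has no key"))
    return findings
```

Run against the poster's real configuration, the check would list both TACSLOG members, since neither has a host entry.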

2 Replies

akemp
Level 5

How about trying this? It cleans things up a bit with two groups that are queried at the same time (there's a 12.2 bug where, if the first listed device doesn't respond, it won't use the second), and the device that authenticated will keep a single session.

aaa new-model
aaa group server tacacs+ T1
aaa group server tacacs+ T2
aaa authentication login default group T1 group T2 line
aaa authentication enable default group T1 group T2 enable
aaa authorization config-commands
aaa authorization exec default group T1 group T2 none
aaa authorization commands 15 default group T1 group T2 none
aaa accounting exec default start-stop group T1 group T2
aaa accounting commands 15 default start-stop group T1 group T2
aaa accounting connection default start-stop group T1 group T2
aaa accounting system default start-stop group T1 group T2
aaa session-id common
!
! 12.2.9a bug fix suggestion; doesn't impact timing
aaa group server tacacs+ T1
 server {ip address}
!
! 12.2.9a bug fix suggestion; doesn't impact timing
aaa group server tacacs+ T2
 server {ip address}
!
tacacs-server host {ip address} single-connection key {add key}
tacacs-server host {ip address} single-connection key {add key}
tacacs-server retransmit 2
tacacs-server attempts 2
tacacs-server timeout 10
no tacacs-server directed-request
