05-10-2015 11:48 PM - edited 03-10-2019 10:43 PM
Dear All,
I have two servers with ACS 4.2 installed on both of them. The primary one is configured well and all AAA clients authenticate successfully against it, and database replication is working fine between the two servers. The issue is that when the primary one goes down, the AAA clients do not authenticate against the secondary one.
Here is the configuration on all devices:
aaa new-model
!
!
aaa group server tacacs+ CISCO
server 192.168.2.100
server 192.168.2.101
!
aaa authentication login default group CISCO local
aaa authorization exec default group CISCO if-authenticated
!
!
tacacs-server host 192.168.2.100 timeout 5 key <KEY>
tacacs-server host 192.168.2.101 timeout 5 key <KEY>
!
line vty 0 15
login authentication default
!
05-11-2015 07:14 AM
Hi Hassan,
Since you are using the tacacs+ group, no need for the lines below.
tacacs-server host 192.168.2.100 timeout 5 key <KEY>
tacacs-server host 192.168.2.101 timeout 5 key <KEY>
Another option, to make sure that your secondary ACS is working fine: you can remove the primary ACS from your ACS group definition.
HTH
Regards,
Chris
05-11-2015 07:50 AM
The key should match between your AAA client and your ACS server. Do you have access to your ACS server? I assume you know where to configure the "key".
05-11-2015 07:44 AM
Thanks for your reply.
OK, but regarding the server key, where can I configure it?
As in the ACS server I can't leave the password BLANK.
05-11-2015 08:20 AM
I think you missed my point.
For the ACS server I configured a password for the AAA client <cisco>, and on the Cisco switch you said there is no need for "tacacs-server host 192.168.2.100 timeout 5 key <cisco>", so if I delete this line, where should I configure the key on the AAA client? Is it inside the group?
05-11-2015 03:26 PM
Yes, the key will be configured inside the group. Add the "ip tacacs source-interface <>" inside the group.
When you do the test, ensure that the secondary is not reachable from the aaa client.
05-11-2015 09:47 PM
After doing what you told me it is still not working: only the primary server is working, and if it is down, the AAA clients do not try to authenticate against the secondary server. The debug output shows that the AAA client tries to connect to the primary server "192.168.2.100" only, and does not try to connect to the secondary server "192.168.2.101". Here is the new configuration:
aaa new-model
!
!
aaa group server tacacs+ CISCO
server-private 192.168.2.100 key <>
server-private 192.168.2.101 key <>
!
aaa authentication login default group CISCO line local
aaa authorization exec default group CISCO local if-authenticated
!
line vty 0 15
login authentication default
!
Debug Output:
2y29w: TPLUS: Queuing AAA Authentication request 223 for processing
2y29w: TPLUS: processing authentication start request id 223
2y29w: TPLUS: Authentication start packet created for 223(user)
2y29w: TPLUS: Using server 192.168.2.100
2y29w: TPLUS(000000DF)/0/NB_WAIT/436B3AC: Started 5 sec timeout
2y29w: TPLUS(000000DF)/0/NB_WAIT: socket event 2
2y29w: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
2y29w: T+: session_id 1070861255 (0x3FD40BC7), dlen 32 (0x20)
2y29w: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
2y29w: T+: svc:LOGIN user_len:6 port_len:4 (0x4) raddr_len:14 (0xE) data_len:0
2y29w: T+: user: user
2y29w: T+: port: tty2
2y29w: T+: rem_addr: 192.168.xx.xx
2y29w: T+: data:
2y29w: T+: End Packet
2y29w: TPLUS(000000DF)/0/NB_WAIT: wrote entire 44 bytes request
2y29w: TPLUS(000000DF)/0/READ: socket event 1
2y29w: TPLUS(000000DF)/0/READ: Would block while reading
2y29w: TPLUS(000000DF)/0/READ/436B3AC: timed out
2y29w: TPLUS: Authentication start packet created for 223(user)
2y29w: TPLUS(000000DF)/0/READ/436B3AC: timed out, clean up
2y29w: TPLUS(000000DF)/0/436B3AC: Processing the reply packet
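As an added example (not from this thread), a small Python parser over constructed `debug tacacs` lines modelled on the output above: it groups TPLUS lines by request id and reports which servers the client tried, so you can confirm from the debug whether failover to the secondary ever happened. Request 224 is a constructed case showing what a successful fallback to 192.168.2.101 looks like.

```python
import re

# Constructed sample of IOS "debug tacacs" output, modelled on the lines posted
# in this thread: request 223 tries only the primary and times out, request 224
# (constructed) times out on the primary and then gets a reply from the secondary.
SAMPLE_DEBUG = """\
2y29w: TPLUS: Queuing AAA Authentication request 223 for processing
2y29w: TPLUS: processing authentication start request id 223
2y29w: TPLUS: Using server 192.168.2.100
2y29w: TPLUS(000000DF)/0/NB_WAIT/436B3AC: Started 5 sec timeout
2y29w: TPLUS(000000DF)/0/READ/436B3AC: timed out
2y29w: TPLUS(000000DF)/0/READ/436B3AC: timed out, clean up
2y29w: TPLUS: Queuing AAA Authentication request 224 for processing
2y29w: TPLUS: processing authentication start request id 224
2y29w: TPLUS: Using server 192.168.2.100
2y29w: TPLUS(000000E0)/0/READ/436B3AC: timed out
2y29w: TPLUS: Using server 192.168.2.101
2y29w: TPLUS(000000E0)/0/436B3AC: Processing the reply packet
"""

REQ_RE = re.compile(r"processing authentication start request id (\d+)")
SERVER_RE = re.compile(r"TPLUS: Using server (\S+)")
TIMEOUT_RE = re.compile(r"timed out$")      # the bare "timed out" line, not "clean up"
REPLY_RE = re.compile(r"Processing the reply packet")

def summarize_failover(debug_text):
    """Return {request_id: {"servers": [...], "timeouts": n, "replied": bool}}."""
    requests = {}
    current = None
    for line in debug_text.splitlines():
        m = REQ_RE.search(line)
        if m:                      # a new AAA request starts; track it by id
            current = m.group(1)
            requests[current] = {"servers": [], "timeouts": 0, "replied": False}
            continue
        if current is None:        # lines before the first request id are ignored
            continue
        m = SERVER_RE.search(line)
        if m:
            requests[current]["servers"].append(m.group(1))
        elif TIMEOUT_RE.search(line):
            requests[current]["timeouts"] += 1
        elif REPLY_RE.search(line):
            requests[current]["replied"] = True
    return requests

def failover_attempted(summary, request_id):
    """True if the client tried more than one server for this request."""
    return len(summary[request_id]["servers"]) > 1
```

If every request in your own debug shows a single "Using server" line followed by "timed out", the client is never moving past the primary, which is exactly the symptom in this thread.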
05-12-2015 07:52 AM
What is the ACS version you are running? Try to remove the primary server from your TACACS config and see the logs. It should point to the IP of the secondary.
08-02-2015 01:30 AM
Thanks for your help, it works now. The issue was with the TACACS password.
05-11-2015 10:45 AM
I just keep the secondary TACACS server in the group and it works fine; the issue is that when the primary one goes down, the AAA client does not check the second TACACS server in the group.