ACS 4.2 " Primary and Secondary"

Dear All,

I have two servers and installed ACS 4.2 on both of them. The primary one is configured well and all AAA clients authenticate successfully from it, and database replication is also working fine between the two servers. The issue is that when the primary one goes down, the AAA clients are not authenticated from the secondary one.

Here is the configuration on all devices:

aaa new-model
!
!
aaa group server tacacs+ CISCO
 server 192.168.2.100
 server 192.168.2.101
!
aaa authentication login default group CISCO local
aaa authorization exec default group CISCO if-authenticated
!
!
tacacs-server host 192.168.2.100 timeout 5 key <KEY>
tacacs-server host 192.168.2.101 timeout 5 key <KEY>
!
line vty 0 15
 login authentication default
!

Hi Hassan,

Since you are using the tacacs+ group, no need for the lines below.

tacacs-server host 192.168.2.100 timeout 5 key <KEY>
tacacs-server host 192.168.2.101 timeout 5 key <KEY> 

Another option to make sure that your secondary ACS is working fine is to remove the primary ACS from your ACS group definition.

HTH

Regards,

Chris


Thanks for your reply.

OK, but regarding the server key, where can I configure it? In the ACS server I can't leave the password BLANK.

The key should match between your AAA client and your ACS server. Do you have access to your ACS server? I assume you know where to configure the "key".

I think you missed my point.

For the ACS server I configured a password for the AAA client <cisco>, and on the Cisco switch you said there is no need for "tacacs-server host 192.168.2.100 timeout 5 key <cisco>". So if I delete this line, where should I configure the key on the AAA client? Is it inside the group?

Yes, the key will be configured inside the group. Add the "ip tacacs source-interface <>" inside the group.

When you do the test, ensure that the secondary is not reachable from the aaa client.


After doing what you told me it is still not working. Only the primary server is working, and if it's down the AAA clients do not try to authenticate from the secondary server. The debug output shows that the AAA client tries to connect to the primary server "192.168.2.100" only and does not try to connect to the secondary server "192.168.2.101". Here is the new configuration:

aaa new-model
!
!
aaa group server tacacs+ CISCO
 server-private 192.168.2.100 key <>
 server-private 192.168.2.101 key <>
!
aaa authentication login default group CISCO line local
aaa authorization exec default group CISCO local if-authenticated
!
line vty 0 15
 login authentication default
!

Debug Output:

2y29w: TPLUS: Queuing AAA Authentication request 223 for processing
2y29w: TPLUS: processing authentication start request id 223
2y29w: TPLUS: Authentication start packet created for 223(user)
2y29w: TPLUS: Using server 192.168.2.100
2y29w: TPLUS(000000DF)/0/NB_WAIT/436B3AC: Started 5 sec timeout
2y29w: TPLUS(000000DF)/0/NB_WAIT: socket event 2
2y29w: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
2y29w: T+: session_id 1070861255 (0x3FD40BC7), dlen 32 (0x20)
2y29w: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
2y29w: T+: svc:LOGIN user_len:6 port_len:4 (0x4) raddr_len:14 (0xE) data_len:0
2y29w: T+: user:  user
2y29w: T+: port:  tty2
2y29w: T+: rem_addr:  192.168.xx.xx
2y29w: T+: data:  
2y29w: T+: End Packet
2y29w: TPLUS(000000DF)/0/NB_WAIT: wrote entire 44 bytes request
2y29w: TPLUS(000000DF)/0/READ: socket event 1
2y29w: TPLUS(000000DF)/0/READ: Would block while reading
2y29w: TPLUS(000000DF)/0/READ/436B3AC: timed out
2y29w: TPLUS: Authentication start packet created for 223(user)
2y29w: TPLUS(000000DF)/0/READ/436B3AC: timed out, clean up
2y29w: TPLUS(000000DF)/0/436B3AC: Processing the reply packet
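As an added example, not part of the thread: a small Python check that walks TPLUS debug output like the one above, groups the lines by authentication request id, and reports whether a timeout on one server was followed by an attempt on the next member of the group. The server list and the sample debug lines are constructed for the example and assumed to mirror the configuration posted above.

```python
import re

# Servers in the "aaa group server tacacs+ CISCO" group, in configured order
# (assumed to mirror the configuration posted above).
GROUP_SERVERS = ["192.168.2.100", "192.168.2.101"]

# Constructed sample modelled on the TPLUS debug posted above: request 223
# times out on the primary and tries nothing else; 224 moves on to the secondary.
SAMPLE_DEBUG = """\
2y29w: TPLUS: Queuing AAA Authentication request 223 for processing
2y29w: TPLUS: Using server 192.168.2.100
2y29w: TPLUS(000000DF)/0/NB_WAIT/436B3AC: Started 5 sec timeout
2y29w: TPLUS(000000DF)/0/READ/436B3AC: timed out
2y29w: TPLUS(000000DF)/0/READ/436B3AC: timed out, clean up
2y29w: TPLUS: Queuing AAA Authentication request 224 for processing
2y29w: TPLUS: Using server 192.168.2.100
2y29w: TPLUS(000000E0)/0/READ/436B3AC: timed out
2y29w: TPLUS: Using server 192.168.2.101
2y29w: TPLUS(000000E0)/0/READ: socket event 1
"""

REQ_RE = re.compile(r"Queuing AAA Authentication request (\d+)")
SERVER_RE = re.compile(r"Using server (\d+\.\d+\.\d+\.\d+)")
TIMEOUT_RE = re.compile(r"timed out\s*$")  # skips the "timed out, clean up" line


def parse_tplus(debug_text):
    """Group TPLUS debug lines by request id: servers tried and servers that timed out."""
    requests, current = {}, None
    for line in debug_text.splitlines():
        if m := REQ_RE.search(line):
            current = m.group(1)
            requests[current] = {"servers": [], "timed_out": []}
        elif current is None:
            continue
        elif m := SERVER_RE.search(line):
            requests[current]["servers"].append(m.group(1))
        elif TIMEOUT_RE.search(line) and requests[current]["servers"]:
            # A timeout belongs to the server selected most recently.
            requests[current]["timed_out"].append(requests[current]["servers"][-1])
    return requests


def failover_report(requests, group=GROUP_SERVERS):
    """Flag requests whose last server timed out while other group members were never tried."""
    report = {}
    for rid, info in requests.items():
        untried = [s for s in group if s not in info["servers"]]
        stuck = bool(info["timed_out"]) and info["timed_out"][-1] == info["servers"][-1]
        report[rid] = {"tried": info["servers"], "untried": untried,
                       "no_failover": stuck and bool(untried)}
    return report
```

Run it against a full `debug tacacs` capture taken while the primary is unreachable; a request flagged `no_failover` with the secondary listed under `untried` reproduces the behaviour described in this thread.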


What is the ACS version you are running? Try to remove the primary server from your TACACS config and see the logs. It should point to the IP of the secondary.


Thanks for your help, it works now. The issue was with the TACACS password.


I just kept the secondary TACACS server in the group and it works fine. The issue is that when the primary one goes down, the AAA client does not check the second TACACS server in the group.