03-13-2018 04:54 PM - edited 02-21-2020 10:48 AM
I currently have an ACS appliance (version 5.3) in production in my network and I am going to replace it with a virtual machine running version 5.8.1.
The switches have a config like this:
aaa new-model
!
aaa group server tacacs+ tacacs2
server 192.168.1.240
!
aaa authentication login default group tacacs2 local
aaa authentication login con local
aaa authorization config-commands
aaa authorization exec default group tacacs2 local
aaa authorization exec con none
aaa authorization commands 1 default group tacacs2 local
aaa authorization commands 15 default group tacacs2 local
aaa accounting commands 1 default start-stop group tacacs2
aaa accounting commands 5 default start-stop group tacacs2
aaa accounting commands 15 default start-stop group tacacs2
tacacs-server host 192.168.1.240 key 7 094D4D1A0A561D405B5D56393C
tacacs-server directed-request
!
Now the second server is ready to be added to the network, and before removing the old ACS I thought I would add the new ACS to the aaa server group:
tacacs-server host 192.168.11.100 key <key>
aaa group server tacacs+ tacacs2
server 192.168.11.100
But, as both ACSs are independent (standalone) servers, when I try to test the users this is the output:
SW#test aaa group tacacs2 user password 2017 legacy !this user was created in the old server
Attempting authentication test to server-group tacacs-sej using tacacs+
User was successfully authenticated.
SW#test aaa group tacacs2 user2 password legacy ! this user was created in the second server
Attempting authentication test to server-group tacacs-sej using tacacs+
User authentication request was rejected by server.
I think that the connection requests are only being handled by the old server, because the second server doesn't receive any requests and doesn't show any data in the reports.
I would like to know if there is a switch configuration that works for both servers; maybe configuring two aaa server groups and a new aaa method list for the new group.
I'd appreciate your comments, Ana.
03-13-2018 06:35 PM
Hi
Are you not able to specify the server to test against in your test aaa command?
test aaa group tacacs2 server 192.168.1.240 user password legacy
test aaa group tacacs2 server 192.168.11.100 user2 password legacy
Thanks
John
03-14-2018 07:09 AM
I think the best approach is to configure 2 server groups and change the authentication order... we got something like this working fine:
aaa new-model
ip tacacs source-interface VlanXXXX
tacacs server ACS1
 address ipv4 1.1.1.1
 key Key1
tacacs server ACS2
 address ipv4 2.2.2.2
 key Key2
aaa group server tacacs+ GROUP1
 server name ACS1
aaa group server tacacs+ GROUP2
 server name ACS2
aaa authentication login default group GROUP1 group GROUP2 local enable
aaa authorization exec default group GROUP1 group GROUP2 local if-authenticated
aaa authorization commands 15 default group GROUP1 group GROUP2 local if-authenticated
aaa accounting commands 15 default stop-only group GROUP1 group GROUP2
aaa accounting exec default start-stop group GROUP1 group GROUP2
aaa accounting connection default start-stop group GROUP1 group GROUP2
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
You can change the Auth* order by changing the position of GROUP1 and GROUP2 in the aaa sentences.
PS: We even got a setup with 2 ACS and 2 ISE working together, one as fallback for the other, and it works flawlessly.
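The behaviour Ana observes (the new server never sees a request) and the two-group configuration in the answer above both come down to one rule from Cisco's AAA documentation: the next server in a group, and the next method in a method list, is consulted only when the previous one returns an error (no response, e.g. the server is unreachable), never when a reachable server rejects the user. The script below is an added simulation of that rule, not code from the thread or from Cisco; the usernames, passwords and server addresses are constructed sample data, and the `local` method is simplified to a plain accept/reject lookup.

```python
"""Simulate how Cisco IOS walks a TACACS+ server group and an AAA method list.

Modelled rule (Cisco AAA documentation): a later server in a group, or a later
method in a method list, is tried only after an ERROR (no response). A REJECT
from a reachable server is final. All names, users and addresses below are
constructed sample data for the simulation.
"""
from dataclasses import dataclass, field

ACCEPT, REJECT, ERROR = "accept", "reject", "error"


@dataclass
class TacacsServer:
    address: str
    users: dict = field(default_factory=dict)  # username -> password (constructed)
    reachable: bool = True

    def authenticate(self, user, password):
        # An unreachable server yields ERROR (timeout); a reachable one answers.
        if not self.reachable:
            return ERROR
        return ACCEPT if self.users.get(user) == password else REJECT


@dataclass
class AaaConfig:
    groups: dict       # group name -> servers in configured order
    local_users: dict  # username -> password for the 'local' method (simplified)


def try_group(servers, user, password, trace):
    """Within a server group IOS moves to the next server only after an ERROR."""
    for srv in servers:
        result = srv.authenticate(user, password)
        trace.append((srv.address, result))
        if result != ERROR:
            return result  # ACCEPT or REJECT ends the group lookup
    return ERROR


def evaluate(cfg, method_list, user, password):
    """Walk a method list such as ['group GROUP1', 'group GROUP2', 'local'].

    Returns (final_result, trace); trace lists every server actually contacted.
    """
    trace = []
    for method in method_list:
        if method.startswith("group "):
            result = try_group(cfg.groups[method.split()[1]], user, password, trace)
        elif method == "local":
            result = ACCEPT if cfg.local_users.get(user) == password else REJECT
            trace.append(("local", result))
        else:
            raise ValueError(f"unsupported method: {method}")
        if result != ERROR:
            return result, trace
    return ERROR, trace  # every method errored


def asker_scenario(old_up=True):
    """Both servers in one group, as in the question; user2 exists only on the new one."""
    old = TacacsServer("192.168.1.240", {"user": "password"}, reachable=old_up)
    new = TacacsServer("192.168.11.100", {"user2": "password"})
    cfg = AaaConfig(groups={"tacacs2": [old, new]}, local_users={})
    return evaluate(cfg, ["group tacacs2", "local"], "user2", "password")


def two_group_scenario(old_up=True):
    """One group per server, as in the answer; same user placement as above."""
    old = TacacsServer("1.1.1.1", {"user": "password"}, reachable=old_up)
    new = TacacsServer("2.2.2.2", {"user2": "password"})
    cfg = AaaConfig(groups={"GROUP1": [old], "GROUP2": [new]}, local_users={})
    return evaluate(cfg, ["group GROUP1", "group GROUP2", "local"], "user2", "password")


if __name__ == "__main__":
    for name, fn in (("one group", asker_scenario), ("two groups", two_group_scenario)):
        for old_up in (True, False):
            result, trace = fn(old_up)
            print(f"{name}, old server {'up' if old_up else 'down'}: {result} via {trace}")
```

Running it shows why the new server stays silent in both layouts while the old one is reachable: `user2` is rejected by the first server and the second is never contacted, and only when the first server stops answering does the request reach the second. For the migration that means the two groups give you fallback when a server is down, not a merged user database; a user that exists only on the new ACS authenticates only once the new group is listed first (the order change the answer mentions) or the accounts exist on both servers.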