10-19-2007 03:14 AM - edited 03-10-2019 03:27 PM
Hello, could you help me?
This is a part of my configuration; I would like to add another TACACS server, which should take care of the telnet at vty 0 4.
The Tacacs server 10.20.30.40 takes care of the virtual access, and I have another Tacacs server that takes care of login on our network equipment.
! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
!
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login no_tacacs enable
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
virtual-profile virtual-template 1
virtual-profile aaa
!
interface Serial2/0:15
description ISDN30
no ip address
encapsulation ppp
no ip route-cache
no keepalive
dialer pool-member 10
isdn switch-type primary-net5
isdn tei-negotiation first-call
isdn caller xxxxxxx
no fair-queue
compress stac
no cdp enable
ppp authentication chap
ppp multilink
!
interface Virtual-Template1
ip unnumbered FastEthernet1/0
ip nat outside
ppp authentication chap
!
tacacs-server host 10.20.30.40 key ********
!
line con 0
exec-timeout 20 0
password ************
login authentication no_tacacs
transport input none
flowcontrol hardware
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 60 0
password *************
login authentication no_tacacs
transport input telnet
transport output telnet
If I just add
aaa authentication login vtymethod group tacacs+ enable
tacacs-server host 10.50.60.70 key ********
line vty 0 4
login authentication vtymethod
My telnet request asks 10.20.30.40 and I get a deny! Could you help me make a secure solution?
Thanks
10-19-2007 06:47 AM
Jens
I believe that your solution would be to configure a different tacacs server group with the new server in the new group and to use the new group to authenticate for your vty. The config might look something like this:
aaa group server tacacs+ vty_TAC
server 10.50.60.70
aaa authentication login vtymethod group vty_TAC enable
tacacs-server host 10.50.60.70 key ********
I have configured this type of thing and it worked well. When I configured it I explicitly configured (and named) two different TACACS server groups and referenced specific server groups for each authentication method. I am not clear whether it works to keep the default group tacacs+ and use it for your normal authentication or whether you may need to configure a non-default group for it.
Give it a try and let us know what happens.
HTH
Rick
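As an added illustration (not code from the thread, and not Cisco's), the following Python model shows why the original attempt went to the wrong server and what the named server group changes. It encodes three IOS behaviours: `group tacacs+` means every host configured with `tacacs-server host`, tried in the order they were configured; `aaa group server tacacs+ NAME` restricts a method to the hosts listed under it; and a login method list only falls through to the next method when a server does not answer, never on an explicit deny. The server behaviours, usernames, passwords and enable secret are constructed stand-ins; only the addresses and the group and list names come from the thread.

```python
"""Model of how an IOS login method list picks a TACACS+ server.

Added illustration, not code from the thread or from Cisco. Server replies,
usernames and passwords are constructed stand-ins for the two servers above.
"""
from dataclasses import dataclass, field

FAIL, PASS, ERROR = "FAIL", "PASS", "ERROR"


@dataclass
class AaaConfig:
    tacacs_hosts: list = field(default_factory=list)   # tacacs-server host ...
    server_groups: dict = field(default_factory=dict)  # aaa group server tacacs+ NAME
    login_lists: dict = field(default_factory=dict)    # aaa authentication login NAME ...


def resolve_group(cfg, group):
    """Return the ordered server list that a `group X` method refers to."""
    if group == "tacacs+":
        return list(cfg.tacacs_hosts)          # implicit group: all global hosts, config order
    return list(cfg.server_groups[group])      # named group: only the listed hosts


def authenticate(cfg, list_name, user, servers, enable_secret, password):
    """Walk a login method list; return (result, who_answered).

    `servers` maps address -> callable(user, password) -> PASS/FAIL/ERROR,
    standing in for the real TACACS+ exchange.
    """
    for method in cfg.login_lists[list_name]:
        if method.startswith("group "):
            group = method.split(" ", 1)[1]
            for host in resolve_group(cfg, group):
                reply = servers[host](user, password)
                if reply == ERROR:
                    continue                   # no answer: try the next host in the group
                return reply, host             # PASS or FAIL is final; no fall-through
            continue                           # whole group unreachable: next method
        if method == "enable":
            return (PASS if password == enable_secret else FAIL), "local enable"
    return FAIL, None


# Constructed stand-ins for the two servers named in the thread.
def server_10_20_30_40(user, password):
    # Dial-in / virtual-access server: knows the PPP users, denies the admin account.
    return PASS if (user, password) == ("ppp-user", "ppp-pw") else FAIL


def server_10_50_60_70(user, password):
    # Network-equipment login server: knows the admin account.
    return PASS if (user, password) == ("admin", "admin-pw") else FAIL


SERVERS = {"10.20.30.40": server_10_20_30_40, "10.50.60.70": server_10_50_60_70}


def posters_attempt():
    """Both hosts configured globally; vtymethod uses the implicit group tacacs+."""
    cfg = AaaConfig(tacacs_hosts=["10.20.30.40", "10.50.60.70"])
    cfg.login_lists["default"] = ["group tacacs+"]
    cfg.login_lists["vtymethod"] = ["group tacacs+", "enable"]
    return authenticate(cfg, "vtymethod", "admin", SERVERS, "en-secret", "admin-pw")


def ricks_fix():
    """Named group vty_TAC holds only the new server; vtymethod uses that group."""
    cfg = AaaConfig(tacacs_hosts=["10.20.30.40", "10.50.60.70"])
    cfg.server_groups["vty_TAC"] = ["10.50.60.70"]
    cfg.login_lists["default"] = ["group tacacs+"]
    cfg.login_lists["vtymethod"] = ["group vty_TAC", "enable"]
    return authenticate(cfg, "vtymethod", "admin", SERVERS, "en-secret", "admin-pw")


def ricks_fix_server_down():
    """With 10.50.60.70 unreachable, the list falls through to the enable method."""
    cfg = AaaConfig(tacacs_hosts=["10.20.30.40", "10.50.60.70"])
    cfg.server_groups["vty_TAC"] = ["10.50.60.70"]
    cfg.login_lists["vtymethod"] = ["group vty_TAC", "enable"]
    dead = dict(SERVERS, **{"10.50.60.70": lambda u, p: ERROR})
    return authenticate(cfg, "vtymethod", "admin", dead, "en-secret", "en-secret")


if __name__ == "__main__":
    print("poster's attempt :", posters_attempt())        # ('FAIL', '10.20.30.40')
    print("named group      :", ricks_fix())              # ('PASS', '10.50.60.70')
    print("group unreachable:", ricks_fix_server_down())  # ('PASS', 'local enable')
```

The first case is the symptom from the question: the vty list still reaches 10.20.30.40 first, that server denies the admin account, and because a deny is a final answer the `enable` fallback is never consulted. The second case is Rick's named group, which keeps 10.20.30.40 out of the vty path entirely. The third case shows what the trailing `enable` method is actually for: it only matters when no server in the group answers at all. On the router, `debug aaa authentication` shows which method and server each login attempt is handed to, which is the quickest way to confirm the same thing on real hardware.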