01-12-2009 06:49 AM - edited 03-10-2019 04:16 PM
IOS version c3640-a3jk9s-mz.123-18.bin
aaa group server tacacs+ cciesec
 server 192.168.3.10
!
aaa group server tacacs+ ccievoice
 server 192.168.3.11
aaa authentication login VTY group cciesec local
aaa accounting exec cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 0 cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 1 cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 15 cciesec start-stop broadcast group cciesec group ccievoice
tacacs-server host 192.168.3.10 key 123456
tacacs-server host 192.168.3.11 key 123456
C3640#sh tacacs
Tacacs+ Server : 192.168.3.10/49
Socket opens: 8
Socket closes: 8
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 21
Total Packets Recv: 21
Tacacs+ Server : 192.168.3.11/49
Socket opens: 0
Socket closes: 0
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
C3640#
As you can see, I can receive AAA accounting logs on server 192.168.3.10 but I am not getting logs on 192.168.3.11. I can confirm this with tcpdump on host 192.168.3.11: I am not seeing any AAA sent to host 192.168.3.11.
Anyone know why?
01-12-2009 11:14 AM
David
I have not tested this and do not have authoritative knowledge of it. But usually when you configure multiple parameters in a method list they are used as backups for each other. So the second group would typically be used only if attempts to use the first group failed. The behavior that you describe is consistent with this, so I assume that this may be the explanation.
HTH
Rick
01-12-2009 11:41 AM
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/dt_aaaba.html
It stated the following:
"Before the introduction of the AAA Broadcast Accounting feature, Cisco IOS AAA could send accounting information to only one server at a time. This feature allows accounting information to be sent to one or more AAA servers at the same time. Service providers are thus able to simultaneously send accounting information to their own private AAA servers and to the AAA servers of their end customers. This feature also provides redundant billing information for voice applications."
01-12-2009 12:15 PM
David
This appears to be an interesting feature and one I was not familiar with.
If you change the order of groups in the accounting command and put ccievoice before cciesec, do the accounting records start going to the .11 server?
HTH
Rick
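A router-side check for the symptom discussed in this thread, as an added example that is not part of the original posts: it parses show tacacs output and flags any configured server the router never opened a socket to, which is how a broadcast accounting target that receives nothing shows up. The function names and finding labels are assumptions made for this example, and the sample is the output from the first post trimmed to the counters the check uses.

```python
import re

# Constructed sample: `show tacacs` counters from the first post, trimmed.
SAMPLE = """\
Tacacs+ Server : 192.168.3.10/49
Socket opens: 8
Failed Connect Attempts: 0
Total Packets Sent: 21
Total Packets Recv: 21
Tacacs+ Server : 192.168.3.11/49
Socket opens: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
"""

SERVER_RE = re.compile(r"^\s*Tacacs\+ Server\s*:\s*(\S+?)/(\d+)\s*$", re.I)
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$")

def parse_show_tacacs(text):
    """Return {server_ip: {"port": n, "<counter name lowercased>": n, ...}}."""
    servers, current = {}, None
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:  # start of a new per-server section
            current = servers.setdefault(m.group(1), {"port": int(m.group(2))})
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2))
    return servers

def audit(servers):
    """Return {server_ip: [findings]} for servers that look unhealthy."""
    findings = {}
    for ip, c in servers.items():
        issues = []
        failed = c.get("failed connect attempts", 0) + c.get("socket timeouts", 0)
        if c.get("socket opens", 0) == 0 and failed == 0:
            issues.append("never contacted")      # router did not even try
        if failed:
            issues.append("connection problems")  # tried, server unreachable
        if c.get("total packets sent", 0) != c.get("total packets recv", 0):
            issues.append("unanswered packets")
        if issues:
            findings[ip] = issues
    return findings

if __name__ == "__main__":
    print(audit(parse_show_tacacs(SAMPLE)))
```

A "never contacted" finding points at the router's method list or configuration, while "connection problems" points at reachability, the key, or the server itself.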