02-16-2006 02:57 AM - edited 03-10-2019 02:28 PM
When I use two tacacs-servers, the tacacs doesn't take the secondary tacacs-server. When one of the tacacs servers is down, the router always takes the first.
Image:
c3640-ik9s-mz.124-5a.bin
Config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default none
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2
Who can help me?
02-16-2006 11:31 AM
Juergen
I am not sure that I fully understand your question. When you say: "when one of the tacacs servers is down, the router always takes the first", are you saying that if the first server is down it does not authenticate with the second server?
Can you verify that there is successful connectivity from the router to the second server?
Can you tell whether requests from the router get to the second server? One way to determine this is to look in the logs of the server - especially in the failed attempts report.
Can you verify that the second server has a correct definition of the router (including the correct key)?
HTH
Rick
02-17-2006 02:14 AM
Hi,
thank you for answering!
To the first question, that is correct.
To the second question, when I use the second tacacs server as the first in the router config, it functions.
To the third statement, when I run a tacacs debug on the router, the router tries only to connect to the first server. So the second tacacs server has no log.
Sooo, what can I do?
02-17-2006 03:01 AM
Juergen
If you have run debug it would be helpful to see that output. Can you post that output? (If you are reluctant to post the debug output for some reason you could email it to me - my address is in my profile)
It is helpful to know that if the second server is defined first that it works. This answers very well the questions about connectivity, about proper configuration, etc. If the request got to the server it should work.
It may also be helpful to clarify the failure mode. When you say the server is down, can we be more specific: is the server shut down, network connection unplugged, is the service stopped, is some process within the service stopped? I have recently encountered a situation which may be very similar. I do not know if your issue is the same. We have routers with 2 servers configured and usually the redundancy works fine. But we encountered a situation where a process within the TACACS service was stopped. The IOS sends an authentication transaction to TACACS and TACACS sends an error response (AUTH server not available) and IOS does not go to the second server. This seems to be the behavior in 12.3 but not in earlier code. We are still looking for a workaround. If we find one I will post it.
HTH
Rick
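Added example, not code from the thread or from Cisco: a small Python model of the server-selection behaviour Rick describes, using the thread's tacacs-server lines as constructed input. The probe outcomes, the fake_probe helper and the tcp_probe reachability check are my assumptions for illustrating the difference between an unreachable server (IOS moves on) and a server that answers with an error (IOS stops).

```python
import re
import socket
from typing import Callable, Dict, List, Tuple

# Constructed excerpt of the router config posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2
"""

HOST_RE = re.compile(r"^tacacs-server host (\S+)(?: port (\d+))?", re.M)

# Outcomes a probe can report for one server (assumed labels).
OK, UNREACHABLE, ERROR_REPLY = "ok", "unreachable", "error_reply"


def parse_tacacs_hosts(config: str) -> List[Tuple[str, int]]:
    """Return (host, port) pairs in the order IOS will try them (default TCP/49)."""
    return [(m.group(1), int(m.group(2) or 49)) for m in HOST_RE.finditer(config)]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Real reachability check: can we open the TACACS+ TCP port at all?
    This answers Rick's connectivity question; it cannot see an ERROR_REPLY."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OK
    except OSError:
        return UNREACHABLE


def select_server(hosts: List[Tuple[str, int]], probe: Callable[[str, int], str]) -> Dict:
    """Walk the list as the thread describes: fall over only when a server is
    unreachable; an explicit error reply ends the attempt without fallback."""
    trail = []
    for host, port in hosts:
        result = probe(host, port)
        trail.append((host, result))
        if result == OK:
            return {"server": host, "trail": trail}
        if result == ERROR_REPLY:
            break  # server answered with an error: no move to the next host
    return {"server": None, "trail": trail}


def fake_probe(states: Dict[str, str]) -> Callable[[str, int], str]:
    """Offline probe for testing: look up a constructed state per host."""
    return lambda host, port: states.get(host, UNREACHABLE)
```

With the first server unplugged, select_server falls over to 2.2.2.2; with the first server up but replying with an error, it stops after one attempt, matching the debug observation that only the first server is ever contacted.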