Using multiple AAA servers

dkrijgsman (Level 1)

Is it possible to direct aaa authentication/authorization for my "auth-proxy" function to one TACACS server and send all other authentication/authorization requests to a different TACACS+ server?

1 Accepted Solution

Accepted Solutions

Turn the problem upside down...

I bet you're using the tacacs+ default method for vty (telnet or ssh) access to the router. You can specify an aaa method for the vty, con and aux line interfaces on your router. Use the default for your auth-proxy and a named method for the administration.


10 Replies

dominic.caron (Level 5)

Yes

You must first define each server.

Then create 2 server groups:

aaa group server tacacs tac1
server x.x.x.x (server1)
aaa group server tacacs tac2
server x.x.x.x (server2)

Then use those server groups in your aaa method lists instead of the keyword Tacacs.

Hi dominic,

Thnx for responding. I was already testing with AAA server groups, however I can't seem to get it right. I've tried the following:

aaa group server tacacs+ proxy-test
server 212.84.0.19
!
aaa authentication login default group tacacs+ local
aaa authentication login auth-proxy group proxy-test
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default if-needed group tacacs+ none
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa authorization auth-proxy default group proxy-test
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
ip auth-proxy inactivity-timer 10
ip auth-proxy name proxy-test http
!
interface X
ip auth-proxy proxy-test
!
tacacs-server host x.x.x.x key x
tacacs-server host y.y.y.y key y

It seems the authentication/authorization is always directed at the "default" list of methods. Auth-proxy on the same tacacs server is no problem and works fine.

Turn the problem upside down...

I bet you're using the tacacs+ default method for vty (telnet or ssh) access to the router. You can specify an aaa method for the vty, con and aux line interfaces on your router. Use the default for your auth-proxy and a named method for the administration.

Hi dominic,

:) As you can see, I've just come to the same conclusion.

Is it possible to use a named method list for the auth-proxy? If it's not, I'll leave it with this setup.

Thnx many times

Okay, after some testing I have an initial and working setup:

!
aaa group server tacacs+ proxy
server x.x.x.x
!
aaa authentication login default group proxy
aaa authentication login maintenance group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp maintenance if-needed group tacacs+ none
aaa authorization exec maintenance group tacacs+ local
aaa authorization network maintenance group tacacs+ local
aaa authorization auth-proxy default group proxy
aaa accounting exec maintenance start-stop group tacacs+
aaa accounting commands 0 maintenance start-stop group tacacs+
aaa accounting commands 15 maintenance start-stop group tacacs+
aaa accounting network maintenance start-stop group tacacs+
aaa accounting connection maintenance start-stop group tacacs+
!
ip auth-proxy inactivity-timer 10
ip auth-proxy name proxy-test http
!
interface X
ip auth-proxy proxy-test
!
tacacs-server host x.x.x.x key x
tacacs-server host y.y.y.y key y
!
line 0 15
login authentication maintenance
!
line con 0
login authentication maintenance

What I saw in the AAA debugs during an auth-proxy request is that the "AAA authentication default" method list is always requested. I want to be able to create a named method list for this feature, but I'm not sure if I'll get it working. For now this will do.
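Because the debug finding above is that auth-proxy only ever consults the default login list, the thing worth checking in a config review is which servers the default list (and therefore auth-proxy) resolves to, and whether the vty and console lines have been moved off that list. The following is an added example in Python, not code from the thread or from Cisco: it parses the handful of AAA statements involved (server groups, login method lists, tacacs-server hosts, line bindings), resolves the order of servers each consumer will query, and reports what keeps auth-proxy from being confined to its own group. The two embedded configs are constructed from the first attempt and the working setup in this thread, with documentation-range 192.0.2.x placeholder addresses; treating the built-in tacacs+ group as "every configured tacacs-server host" and a line without a binding as using the default list are the parser's assumptions.

```python
"""Resolve which TACACS+ servers each AAA consumer on an IOS router will query.
Added example (not the thread's or Cisco's code). Encodes the poster's debug
finding: ip auth-proxy always uses the *default* login method list."""
import re

# Constructed samples modelled on the two configs in the thread; the
# addresses are documentation-range placeholders, not real servers.
FIRST_ATTEMPT = """\
aaa group server tacacs+ proxy-test
 server 192.0.2.10
!
aaa authentication login default group tacacs+ local
aaa authentication login auth-proxy group proxy-test
tacacs-server host 192.0.2.10 key x
tacacs-server host 192.0.2.20 key y
"""
WORKING_SETUP = """\
aaa group server tacacs+ proxy
 server 192.0.2.10
!
aaa authentication login default group proxy
aaa authentication login maintenance group tacacs+ local
tacacs-server host 192.0.2.10 key x
tacacs-server host 192.0.2.20 key y
line vty 0 15
 login authentication maintenance
"""
AUTH_PROXY_LIST = "default"  # named lists are ignored by auth-proxy (thread's finding)
_IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")


def _methods(tokens):
    # ['group', 'proxy', 'local'] -> ['group:proxy', 'local']
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group":
            out.append("group:" + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def parse_config(text):
    """Collect server groups, tacacs hosts, login method lists and line bindings."""
    cfg = {"groups": {}, "hosts": [], "login_lists": {}, "lines": {}}
    block = None  # ("group"|"line", name) of the stanza we are inside
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            block = None
        elif tok[:3] == ["aaa", "group", "server"] and len(tok) == 5:
            cfg["groups"][tok[4]] = []
            block = ("group", tok[4])
        elif tok[0] == "line":
            cfg["lines"][" ".join(tok)] = "default"  # IOS default until a list is bound
            block = ("line", " ".join(tok))
        elif tok[0] == "server" and block and block[0] == "group":
            cfg["groups"][block[1]].append(tok[1])
        elif tok[:2] == ["login", "authentication"] and block and block[0] == "line":
            cfg["lines"][block[1]] = tok[2]
        elif tok[:3] == ["aaa", "authentication", "login"]:
            cfg["login_lists"][tok[3]] = _methods(tok[4:])
        elif tok[:2] == ["tacacs-server", "host"]:
            cfg["hosts"].append(tok[2])
    if not cfg["lines"]:  # no line stanza at all: every vty uses the default list
        cfg["lines"]["line vty (implicit)"] = "default"
    return cfg


def resolve(methods, cfg):
    """Expand a method list into the order of servers/keywords IOS will try."""
    out = []
    for m in methods:
        if m.startswith("group:"):
            name = m[len("group:"):]
            # the built-in 'tacacs+' group is every configured tacacs-server host
            out.extend(cfg["hosts"] if name == "tacacs+" else cfg["groups"].get(name, []))
        else:
            out.append(m)
    return out


def authentication_plan(cfg):
    """What auth-proxy and each line will actually query, in order."""
    lists = cfg["login_lists"]
    plan = {"auth-proxy": resolve(lists.get(AUTH_PROXY_LIST, []), cfg)}
    for line_name, list_name in cfg["lines"].items():
        plan[line_name] = resolve(lists.get(list_name, []), cfg)
    return plan


def check_isolation(cfg, proxy_group):
    """Everything that stops auth-proxy from being confined to proxy_group."""
    plan, problems = authentication_plan(cfg), []
    wanted = cfg["groups"].get(proxy_group, [])
    reached = [s for s in plan["auth-proxy"] if _IPV4.fullmatch(s)]
    if reached != wanted:
        problems.append(f"auth-proxy (default list) reaches {reached}, expected {wanted}")
    for line_name, list_name in cfg["lines"].items():
        if list_name == AUTH_PROXY_LIST:
            problems.append(f"{line_name} shares the default login list with auth-proxy")
    for name, methods in cfg["login_lists"].items():
        if name != AUTH_PROXY_LIST and f"group:{proxy_group}" in methods:
            problems.append(f"named list {name!r} points at {proxy_group!r}; auth-proxy never uses it")
    return problems
```

Running `check_isolation(parse_config(FIRST_ATTEMPT), "proxy-test")` reports three problems (auth-proxy falls through to the second host, the vtys share the default list, and the named `auth-proxy` list is never consulted); the same check on `WORKING_SETUP` with group `proxy` comes back empty, which is the "turned upside down" arrangement dominic suggested.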

I think auth-proxy is tied to the http server implementation. This is a guess but you could try to change the http server aaa method...

ip http authentication aaa login-authentication (method)

Sorry, can't test this on my prod network :(

Dominic,

When I specify a named method, for example "ip http authentication aaa login-authentication test", the auth-proxy function still requests the default method list.

So if I'm going to implement this feature it seems I'll have to leave the default method list for auth-proxy functions...

double post

tsafwat (Level 1)

How can I configure a secondary ACS server on a PIX?

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 1.1.1.1
aaa-server TACACS+ host 2.2.2.2

This is usually simple. If you need to load-balance on the two servers, you need a CSS or something like that. Tacacs is generally easy to load-balance, radius is another story (UDP). Since UDP is not connection oriented, you must rely on connection timeout.