09-01-2015 01:03 PM
We have added a new tacacs server running 5.2 and coming from 3.3.
Will I lose router access when removing the old server IP info and AAA commands? The router is out of state and I don't want to lose access while making these changes.
Config Example:
Old tacacs router config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console_line local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
ip tacacs source-interface Loopback0
tacacs-server host 10.1.1.31
tacacs-server host 10.2.1.9
tacacs-server directed-request
tacacs-server key 7 0835185A5C1053051D080717
New tacacs router config (currently working)
aaa new-model
!
!
aaa group server tacacs+ TTI_ACS_GROUP
 server 10.1.1.253
 server 10.1.1.252
 ip tacacs source-interface GigabitEthernet0/0
!
aaa authentication login default group TTI_ACS_GROUP
aaa authentication enable default group TTI_ACS_GROUP
aaa authorization exec default group TTI_ACS_GROUP if-authenticated
!
ip tacacs source-interface Loopback0
tacacs-server host 10.1.1.253
tacacs-server host 10.1.1.252
tacacs-server directed-request
tacacs-server key t4t5i6rocks
Thank you!
-Nick C.
09-01-2015 11:28 PM
We upgraded some time ago from ACS 4.2 to 5.3. I kept the router config pretty much the same and had the same tacacs server key for all, so I just added the new tacacs server hosts to the existing config and then turned off the old server; all was good.
Remember, if you are worried about losing connection, then the "reload in 005" is always good to do before you make any changes; then if you do some config that is not liked and you lose connection, the router will reload and, as the config is not saved, come up with the working config.
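A pre-change check for the lockout risk the question asks about, as an added example that is not part of the original posts: it lists AAA method lists with no non-server fallback and group servers that lack a `tacacs-server host` line. The `OLD` and `NEW` samples are constructed from the question's config lines with keys omitted, and the function names are illustrative.

```python
import re

# Method keywords that do not depend on a reachable AAA server. IOS only moves
# to the next method when the previous one errors (no response), not on a reject.
LOCAL_METHODS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}
METHOD_LIST = re.compile(
    r"^aaa (authentication|authorization) (commands \d+|\S+) (\S+) (.+)$")
# Constructed samples: AAA lines taken from the question, keys omitted.
OLD = """\
aaa authentication login default group tacacs+ local
aaa authentication login console_line local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 10.1.1.31
tacacs-server host 10.2.1.9
"""
NEW = """\
aaa group server tacacs+ TTI_ACS_GROUP
 server 10.1.1.253
 server 10.1.1.252
aaa authentication login default group TTI_ACS_GROUP
aaa authentication enable default group TTI_ACS_GROUP
aaa authorization exec default group TTI_ACS_GROUP if-authenticated
tacacs-server host 10.1.1.253
tacacs-server host 10.1.1.252
"""

def method_lists(config):
    """Yield (list label, non-group method keywords) for each AAA method list."""
    for line in config.splitlines():
        m = METHOD_LIST.match(line.strip())
        if m:
            tokens = m.group(4).split()
            # Drop server-group references ("group NAME"); keep the other methods.
            methods = [t for i, t in enumerate(tokens)
                       if t != "group" and (i == 0 or tokens[i - 1] != "group")]
            yield " ".join(m.group(1, 2, 3)), methods

def lists_without_fallback(config):
    """Method lists that fail closed when every AAA server is unreachable."""
    return [label for label, methods in method_lists(config)
            if not LOCAL_METHODS.intersection(methods)]

def group_servers_not_defined(config):
    """Group members (legacy 'server <ip>' syntax) with no 'tacacs-server host'."""
    hosts = set(re.findall(r"^\s*tacacs-server host (\S+)", config, re.M))
    grouped = set(re.findall(r"^\s*server (\S+)", config, re.M))
    return sorted(grouped - hosts)
```

Run both functions against the candidate config before removing the old `tacacs-server host` lines; any list they return is a login path that depends entirely on the new servers answering.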
09-25-2015 02:02 PM
Great, thanks for the info, Richard.