cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3171
Views
4
Helpful
2
Replies

Changing TACACS servers

Nick C.
Level 1
Level 1

We have added a new tacacs server running 5.2 and coming from 3.3.

Will I lose router access when removing the old server IP info and AAA commands? The router is out of state and don't want to lose access while making these changes.

 

Config Example:

Old tacacs router config:

 

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login console_line local

aaa authorization console

aaa authorization config-commands

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

!

aaa session-id common

ip tacacs source-interface Loopback0

 

tacacs-server host 10.1.1.31

tacacs-server host 10.2.1.9

tacacs-server directed-request

tacacs-server key 7 0835185A5C1053051D080717

 

New tacacs router config (currently working)

aaa new-model

!

!

aaa group server tacacs+ TTI_ACS_GROUP

server 10.1.1.253

server 10.1.1.252

ip tacacs source-interface GigabitEthernet0/0

!

aaa authentication login default group TTI_ACS_GROUP

aaa authentication enable default group TTI_ACS_GROUP

aaa authorization exec default group TTI_ACS_GROUP if-authenticated

!

 

ip tacacs source-interface Loopback0

 

tacacs-server host 10.1.1.253

tacacs-server host 10.1.1.252

tacacs-server directed-request

tacacs-server key t4t5i6rocks

 

Thank you!

-Nick C.

1 Accepted Solution

Accepted Solutions

we upgraded sometime ago from ACS 4.2 to 5.3, I kept the router config pretty much the same, and had the same tacacs server key for all, so just added the new tacacs server hosts to the existing config, and then turned off the old server, all was good.

remember if you are worried about loosing connection then the " reload in 005" is always good to do before you do any changes then if you do some config that is not liked and you loose connection the router will reload, and as config not saved come up with working config.

View solution in original post

2 Replies 2

we upgraded sometime ago from ACS 4.2 to 5.3, I kept the router config pretty much the same, and had the same tacacs server key for all, so just added the new tacacs server hosts to the existing config, and then turned off the old server, all was good.

remember if you are worried about loosing connection then the " reload in 005" is always good to do before you do any changes then if you do some config that is not liked and you loose connection the router will reload, and as config not saved come up with working config.

Great thanks for the info Richard.

Review Cisco Networking for a $25 gift card