10-26-2019 07:33 AM
I will give some context: there is already an aaa server group running RADIUS, with the local database as backup. So my company, which is going to manage their security devices, is asking us to add another server group running TACACS+.
My doubt is, after I create the server group with TACACS+ and include it in the "aaa authentication" command,
do I have to include both the TACACS+ and RADIUS server groups, or can I just add the newly created one (TACACS+)?
aaa authentication ssh console MY_RADIUS MY_TACAS+ Local ?
or
aaa authentication ssh console MY_TACAS+ Local ?
10-26-2019 11:26 AM - edited 10-26-2019 02:46 PM
Best is to include the TACACS+ and RADIUS server group (existing one) rather than adding a new entry.
EDIT :
Let me give some clarity about my statement.
I mean a new RADIUS server IP address to add to the existing group. Example:
MY_TACAS+
10-26-2019 12:43 PM - edited 10-26-2019 12:44 PM
Hi, you will need to add the second command. The first one you provided is not supported and will return an error when entered.
aaa authentication ssh console MY_RADIUS MY_TACAS+ Local ? <-- NOTSUPPORTED
or
aaa authentication ssh console MY_TACAS+ Local <-- CORRECT SYNTAX
This will end up replacing the existing aaa authentication ssh console command, so if anyone is using that RADIUS server, then once this command is entered they will no longer be able to log into the ASA unless they have a user in your TACACS+ server.
10-27-2019 03:13 AM
10-27-2019 05:55 AM
Not that I am aware of; you can add all old and new in one group (if that is acceptable)?
10-27-2019 07:32 AM
There are a couple of issues here.
1. You cannot mix RADIUS and TACACS+ servers in the authentication. You can have either one or the other.
For example, this is acceptable:
aaa-server RAD-SERVER protocol radius
aaa-server RAD-SERVER (inside) host 1.2.3.4
key *****
aaa-server RAD-SERVER (inside) host 4.3.2.1
key *****
If you try to give a TACACS+ server the same name that is used for a RADIUS server group, you will get an error.
aaa-server RAD-SERVER protocol tacacs+
ERROR: aaa-server group <RAD-SERVER> already exists with type radius
2. If you decide to introduce your own RADIUS server to keep the existing servers, you will have the issue that if the first configured server is reachable, the second server will never be queried. So if you have a user configured on the second defined RADIUS server that does not exist on the first defined server, you will get an authentication failure. The only way around this is if you can configure the first RADIUS server to forward the authentication request for users configured on the second server.
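The two behaviours described in this reply (one protocol per aaa-server group, and a second server in a group only being consulted when the first does not answer, with LOCAL used only when the whole group is unreachable) are easy to get wrong when planning a migration. The following is an added toy model written for this thread, not Cisco code and not the poster's configuration; the server names, IPs 1.2.3.4 and 4.3.2.1 (taken from the reply above), user names and passwords are constructed, and real ASA details such as reactivation mode and max-failed-attempts are deliberately not modelled.

```python
"""Toy model of the ASA AAA behaviour discussed in this thread (constructed
example, not Cisco code): one protocol per aaa-server group, servers inside a
group tried in configured order only when the previous one does not answer,
and the LOCAL database consulted only when the whole group is unreachable."""
from dataclasses import dataclass, field


@dataclass
class Server:
    host: str
    reachable: bool = True
    users: dict = field(default_factory=dict)  # username -> password (constructed)

    def authenticate(self, user: str, pw: str) -> str:
        """Return ACCEPT, REJECT or TIMEOUT, as a AAA server would."""
        if not self.reachable:
            return "TIMEOUT"
        return "ACCEPT" if self.users.get(user) == pw else "REJECT"


@dataclass
class ServerGroup:
    name: str
    protocol: str  # "radius" or "tacacs+"
    servers: list = field(default_factory=list)

    def authenticate(self, user: str, pw: str):
        # The next server is consulted only when the previous one does not
        # answer. A REJECT from a reachable server ends the attempt, so a user
        # that exists only on the second server is never found.
        for s in self.servers:
            result = s.authenticate(user, pw)
            if result != "TIMEOUT":
                return result, s.host
        return "TIMEOUT", None


class AaaConfig:
    def __init__(self):
        self.groups = {}
        self.local_users = {}

    def aaa_server_group(self, name: str, protocol: str) -> ServerGroup:
        """Model of `aaa-server NAME protocol PROTO`: a group name binds one protocol."""
        existing = self.groups.get(name)
        if existing is not None and existing.protocol != protocol:
            raise ValueError(
                f"aaa-server group <{name}> already exists with type {existing.protocol}")
        if existing is None:
            self.groups[name] = ServerGroup(name, protocol)
        return self.groups[name]

    def ssh_login(self, group_name: str, user: str, pw: str):
        """Model of `aaa authentication ssh console GROUP LOCAL`."""
        result, host = self.groups[group_name].authenticate(user, pw)
        if result == "TIMEOUT":  # whole group unreachable -> LOCAL fallback
            ok = self.local_users.get(user) == pw
            return ("ACCEPT" if ok else "REJECT"), "LOCAL"
        return result, host


def build_config(first_up: bool = True, second_up: bool = True) -> AaaConfig:
    """Constructed scenario: 'alice' only on the first RADIUS server, 'bob'
    only on the second, 'admin' only in the local database."""
    cfg = AaaConfig()
    grp = cfg.aaa_server_group("RAD-SERVER", "radius")
    grp.servers.append(Server("1.2.3.4", first_up, {"alice": "alice-pw"}))
    grp.servers.append(Server("4.3.2.1", second_up, {"bob": "bob-pw"}))
    cfg.local_users["admin"] = "local-pw"
    return cfg


if __name__ == "__main__":
    for first_up, second_up in [(True, True), (False, True), (False, False)]:
        cfg = build_config(first_up, second_up)
        for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("admin", "local-pw")]:
            print(f"1.2.3.4 up={first_up} 4.3.2.1 up={second_up} {user:5}: "
                  f"{cfg.ssh_login('RAD-SERVER', user, pw)}")
    try:
        build_config().aaa_server_group("RAD-SERVER", "tacacs+")
    except ValueError as e:
        print("ERROR:", e)
```

Running it shows the point of the reply: with both servers reachable, bob is rejected by 1.2.3.4 and 4.3.2.1 is never asked, and the local admin account is also rejected because LOCAL is only consulted once the whole group has timed out. Reusing the group name for TACACS+ raises the same kind of error quoted above.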
10-27-2019 07:53 AM
I understand that we can't mix TACACS+ and RADIUS together. What I was thinking is having two different server groups:
one for RADIUS, which already exists in my current configuration, and a new server group for TACACS+ alongside the RADIUS one.
Where my actual doubt is: can we have multiple server groups, each one with a different protocol?
#aaa authentication ssh console MY_RADIUS MYTACAS+ LOCAL
MY_RADIUS already exists.
I am just adding MYTACAS+ to the authentication order?
Which was deemed not possible by one of the other contributors. So the only way for me is to include all users in the TACACS+ server group and call it:
aaa authentication ssh console MYTACAS+ LOCAL
10-27-2019 08:16 AM
Again, as I posted earlier, what you are wanting to do is not supported. You will need to include all users in the new TACACS+ group if you want to maintain authentication for the existing users in RADIUS.
aaa authentication ssh console MY_RADIUS MY_TACAS+ Local ? <-- NOTSUPPORTED
aaa authentication ssh console MY_TACAS+ Local <-- CORRECT SYNTAX