configuring TACACS with DNS hostname and no IP

MPFMPF49115 · ‎06-11-2020

Hi all, I´m trying to configure tacacs in an ASR920 router only with the DNS hostname using the command tacacs-server dns-alias-lookup but I have no luck to get it working.

can anyone check the config and tell me if it´s possible to do it?

aaa new-model

aaa authentication login default group TACPLUS local
aaa authentication enable default group TACPLUS enable
aaa authorization exec default group TACPLUS local
aaa authorization commands 15 default group TACPLUS
aaa accounting commands 0 default start-stop group TACPLUS
aaa accounting commands 1 default start-stop group TACPLUS
aaa accounting commands 15 default start-stop group tacacs+

tacacs-server dns-alias-lookup
tacacs server tac_plus
address ipv4 10.5.140.39
key 7 13341625182900182D102F0A
tacacs server tacacs01
key 7 13341625182900182D102F0A

aaa group server tacacs+ TACPLUS
ip tacacs source-interface Loopback1

CANNOT ADD THE SERVER TACACS01 BECAUSE IT DOESN´T HAVE AND ADDRESS CONFIGURED

thanks to all!

Francesco Molino · ‎06-11-2020

Hi

This was useful when configuring tacacs the old way using command tacacs-server host xxxx.
With the new method, you don’t have a choice to define an IP and not a fqdn.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

MPFMPF49115 · ‎06-16-2020

HI Francesco, I´m using the tacacs server command instead the tacacs-server host command, so I´m using the new method, but unfortunately I must configure a tacacs server IP address. If it´s possible to share me a link with an example will be great

Thanks

Francesco Molino · ‎06-16-2020

I don’t have any links as i said with new method, only ip will work.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

MPFMPF49115 · ‎06-17-2020

I didn't understand you before. I've opened a tac case maybe they can give me a roadmap or something. Thanks Francesco

paul driver · ‎06-17-2020

Hello

@MPFMPF49115 wrote:

I´m using the new method, but unfortunately I must configure a tacacs server IP address. If it´s possible to share me a link with an example will be great

See attached..

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MPFMPF49115 · ‎07-02-2020

HI Paul, IOS-XE version 16.12.3a has the fqnd option.

prueba_redes(config-server-tacacs)#address ?
fqdn fqdn, for address resolution from dns
ipv4 Configure ipv4 address for tacacs server
ipv6 Configure ipv6 address for tacacs server

it works!

acacs+ Server - public :
               Server name: tacacs01_tacacs01_10.5.140.39
            Server address: 10.5.140.39
               Server port: 49
              Socket opens:         53
             Socket closes:         53
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:         55
        Total Packets Recv:         55
             Server Status: Alive
Continous Authc fail count:          0
Continous Authz fail count:          0