SDWAN AAA tacacs Config

Anukalp S
Level 1

Hello, I am seeing weird behaviour; not sure if others are facing the same.

I have configured TACACS servers in a template on vManage as below:

192.168.30.10  port 49  key xxxx
192.168.20.10  port 49  key xxx
192.168.10.10  port 49  key xxx

This template is applied on an SD-WAN router, but when I check the config on the router it shows as below:

============================================
Router#
aaa group server tacacs+ tacacs-1
 server-private 192.168.10.10 timeout 10 key xxx
 server-private 192.168.20.10 timeout 10 key xxx
 server-private 192.168.30.10 timeout 10 key xxx
==================================================

Could anyone confirm why the TACACS server order has changed? Is it expected on SD-WAN to show this in ascending order, or could it be a bug?

This behaviour is seen on different router platforms running different images.

6 Replies

Hi,

Catalyst 8K also shows them in ascending order, even though it is configured differently.

In general, the device tries TACACS servers one by one; if a server does not respond, the device checks the next server. When none are available, it tries another method from the AAA configuration (if configured), like local.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/user-access-authentication.html#id_114658

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hi Kanan,

But the idea here is to put 192.168.30.10 on top so this region's devices send TACACS traffic to this server while it is live, while other regions' devices send TACACS requests to their respective regional TACACS server.

The idea is to keep the TACACS request load shared. How could we achieve that in this case?

I checked with a CLI template; it still changes the order and defines the servers in ascending order in the final configuration.

But the approach below should work:

Define each server (or multiple servers from the same region) in a different TACACS group. Then in AAA authentication/authorization select the groups in the order you want. As you can see, 2.2.2.2 (which is higher by IP) is selected as the first server due to the configuration based on this method.

1) Define the servers one by one (order here does not matter):


2) Define server groups for each region and add the respective region's servers to each group (the group name is automatically generated; note them down)


3) Define the order/priority of the server groups for authentication and authorization


When I test on a debug-enabled router, I see the below:

Jun 15 19:19:35.259: %SYS-6-LOGOUT: User admin has exited tty session 435(172.20.1.2)
Jun 15 19:19:36.543: AAA/BIND(00000FC9): Bind i/f
Jun 15 19:19:36.543: AAA/AUTHEN/LOGIN (00000FC9): Pick method list 'default'
Jun 15 19:19:36.543: TPLUS: Queuing AAA Authentication request 4041 for processing
Jun 15 19:19:36.543: TPLUS(00000FC9) login timer started 1020 sec timeout
Jun 15 19:19:36.543: TPLUS: processing authentication start request id 4041
Jun 15 19:19:36.543: TPLUS: Authentication start packet created for 4041(admin)
Jun 15 19:19:36.543: TPLUS: Using server 2.2.2.2
Jun 15 19:19:36.544: TPLUS(00000FC9)/0: Connect Error No route to host -> it is lab, I just quickly added random server IP
Jun 15 19:19:36.544: TPLUS: Queuing AAA Authentication request 4041 for processing
Jun 15 19:19:36.544: TPLUS(00000FC9) login timer started 1020 sec timeout
Jun 15 19:19:36.544: TPLUS: processing authentication start request id 4041
Jun 15 19:19:36.544: TPLUS: Authentication start packet created for 4041(admin)
Jun 15 19:19:36.544: TPLUS: Using server 1.1.1.1
Jun 15 19:19:36.544: TPLUS(00000FC9)/0: Connect Error No route to host -> it is lab, I just quickly added random server IP
Jun 15 19:19:40.608: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 172.20.1.2] [localport: 22] at 23:19:40 AZT Thu Jun 15 2023 -> this is local user and authenticated

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
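The fallback that the debug output above shows (every TACACS+ server returns a connect error, then the login still succeeds via the next AAA method) is easy to miss in a wall of debug text and is exactly the condition a defender wants flagged. The following Python example is added here and is not the poster's or Cisco's code: it parses lines modelled on that output, lists the server order the router actually tried, checks it against the intended priority, and marks a login that must have come from a later method. The sample log is constructed, and the "fell back" flag is an inference from the absence of any TACACS+ server that did not error.

```python
import re

# Constructed sample, modelled on the debug output in the answer above
SAMPLE_LOG = """\
Jun 15 19:19:36.543: AAA/AUTHEN/LOGIN (00000FC9): Pick method list 'default'
Jun 15 19:19:36.543: TPLUS: Using server 2.2.2.2
Jun 15 19:19:36.544: TPLUS(00000FC9)/0: Connect Error No route to host
Jun 15 19:19:36.544: TPLUS: Using server 1.1.1.1
Jun 15 19:19:36.544: TPLUS(00000FC9)/0: Connect Error No route to host
Jun 15 19:19:40.608: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 172.20.1.2] [localport: 22] at 23:19:40 AZT Thu Jun 15 2023
"""

USING_RE = re.compile(r"TPLUS: Using server (\S+)")
ERROR_RE = re.compile(r"TPLUS\([0-9A-Fa-f]+\)/\d+: Connect Error (.+)")
SUCCESS_RE = re.compile(r"LOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: (\S+)\]")


def analyse_login(log_text):
    """Servers tried (in order), which failed, and whether login came from a later method."""
    attempts = []          # [server, outcome] in the order the router tried them
    user = source = None
    for line in log_text.splitlines():
        m = USING_RE.search(line)
        if m:
            attempts.append([m.group(1), "ok"])   # "ok" until an error follows
            continue
        m = ERROR_RE.search(line)
        if m and attempts:
            attempts[-1][1] = "error: " + m.group(1).strip()
            continue
        m = SUCCESS_RE.search(line)
        if m:
            user, source = m.group(1), m.group(2)
    all_failed = bool(attempts) and all(o != "ok" for _, o in attempts)
    return {
        "server_order": [s for s, _ in attempts],
        "failed_servers": [s for s, o in attempts if o != "ok"],
        "user": user,
        "source": source,
        # No TACACS+ server answered, yet the login succeeded: the router fell
        # through to the next method in the list (e.g. local). Worth alerting on.
        "fell_back_to_next_method": all_failed and user is not None,
    }


def order_matches(result, expected_order):
    """True when the router tried the servers in the priority the template intended."""
    return result["server_order"] == list(expected_order)
```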

Thanks, will test this.

Friend, it checks the IPs from lowest to biggest.
You can change that by priority: make the server with high priority be checked before the other servers.

Hi,

How? If there is no priority config in the SD-WAN TACACS configuration...

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.