06-14-2023 09:28 PM
Hello, I am seeing weird behaviour, not sure if others are facing the same.
I have configured TACACS servers in a template on vManage as below:
192.168.30.10 port 49 key xxxx
192.168.20.10 port 49 key xxx
192.168.10.10 port 49 key xxx
This template is applied on an SD-WAN router, but when I check the config on the router it shows as below:
============================================
Router#
aaa group server tacacs+ tacacs-1
server-private 192.168.10.10 timeout 10 key xxx
server-private 192.168.20.10 timeout 10 key xxx
server-private 192.168.30.10 timeout 10 key xxx
==================================================
Could anyone confirm why the TACACS server order has changed? Is it expected on SD-WAN to show this in ascending order, or could it be a bug?
This behaviour is seen on different router platforms running different images.
06-15-2023 03:14 AM
Hi,
Catalyst 8K also shows them in ascending order, even though it is configured differently.
In general, the device tries the TACACS servers one by one; if a server does not respond, the device checks the next server. When none are available, it tries the next method from the AAA configuration (if configured), such as local.
06-15-2023 07:52 AM
Hi Kanan,
But the idea here is to put 192.168.30.10 on top so this region's devices send TACACS traffic to this server while it is live, while other regions' devices send TACACS requests to their respective regional TACACS servers.
The idea is to keep the TACACS request load shared. How could we achieve this in this case?
06-15-2023 12:27 PM
I checked with a CLI template; it still changes the order and defines the servers in ascending order in the final configuration.
But the approach below should work:
Define each server (or multiple servers from the same region) in a different TACACS group. Then in AAA authentication/authorization select the groups in the order you want. As you can see, 2.2.2.2 (which is the higher IP) is selected as the first server due to the configuration based on this method.
1) Define the servers one by one (the order here does not matter):
2) Define server groups for each region and add the respective region's servers to each group (the group name is automatically generated; note them down)
3) Define the order/priority of the server groups for authentication and authorization
When I test on a debug-enabled router, I see the below:
Jun 15 19:19:35.259: %SYS-6-LOGOUT: User admin has exited tty session 435(172.20.1.2)
Jun 15 19:19:36.543: AAA/BIND(00000FC9): Bind i/f
Jun 15 19:19:36.543: AAA/AUTHEN/LOGIN (00000FC9): Pick method list 'default'
Jun 15 19:19:36.543: TPLUS: Queuing AAA Authentication request 4041 for processing
Jun 15 19:19:36.543: TPLUS(00000FC9) login timer started 1020 sec timeout
Jun 15 19:19:36.543: TPLUS: processing authentication start request id 4041
Jun 15 19:19:36.543: TPLUS: Authentication start packet created for 4041(admin)
Jun 15 19:19:36.543: TPLUS: Using server 2.2.2.2
Jun 15 19:19:36.544: TPLUS(00000FC9)/0: Connect Error No route to host -> this is a lab, I just quickly added random server IPs
Jun 15 19:19:36.544: TPLUS: Queuing AAA Authentication request 4041 for processing
Jun 15 19:19:36.544: TPLUS(00000FC9) login timer started 1020 sec timeout
Jun 15 19:19:36.544: TPLUS: processing authentication start request id 4041
Jun 15 19:19:36.544: TPLUS: Authentication start packet created for 4041(admin)
Jun 15 19:19:36.544: TPLUS: Using server 1.1.1.1
Jun 15 19:19:36.544: TPLUS(00000FC9)/0: Connect Error No route to host -> this is a lab, I just quickly added random server IPs
Jun 15 19:19:40.608: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 172.20.1.2] [localport: 22] at 23:19:40 AZT Thu Jun 15 2023 -> this is the local user, and it authenticated
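Added example (not part of the thread, and not Cisco's or the poster's own config): a Python helper that renders the per-region IOS-XE configuration the three steps above describe and checks a "debug tacacs" capture against the intended order. The server addresses are the ones from the original post; the region labels, the TAC-*/GRP-* server and group names, the key and timeout value, and the one-server-per-region layout are assumptions for illustration (on an SD-WAN-managed router the group names would be whatever the template generates, as noted above). Rendering for a region puts that region's group first in the method lists, so each region's routers prefer their own server and fall through to the other regions and finally to local, which is the load-sharing arrangement asked for earlier in the thread.

```python
"""Per-region TACACS+ server groups with a region-specific method-list order.

Added example, not taken from the thread. Addresses come from the original
post; region labels, server/group names, key, timeout and the single server
per region are assumed for illustration.
"""
import re

# Region -> TACACS+ server addresses. Addresses are from the original post;
# the region labels and one-server-per-region layout are assumptions.
REGION_SERVERS = {
    "R30": ["192.168.30.10"],
    "R20": ["192.168.20.10"],
    "R10": ["192.168.10.10"],
}


def group_order(local_region, regions):
    """Local region first, then the remaining regions in configured order."""
    if local_region not in regions:
        raise ValueError(f"unknown region {local_region!r}")
    return [local_region] + [r for r in regions if r != local_region]


def render_config(local_region, region_servers=REGION_SERVERS, key="xxxx", timeout=10):
    """Render IOS-XE AAA CLI for routers located in local_region.

    Every region gets its own 'aaa group server tacacs+' block, and the
    method lists name the groups in group_order(). IOS-XE walks the servers
    inside a group one by one and only moves to the next group, and finally
    to 'local', when no server in the current group answered.
    """
    lines = []
    for region, addrs in region_servers.items():
        for i, addr in enumerate(addrs, 1):
            name = f"TAC-{region}-{i}"           # assumed naming scheme
            lines += [f"tacacs server {name}",
                      f" address ipv4 {addr}",
                      f" key {key}",
                      f" timeout {timeout}"]
    for region, addrs in region_servers.items():
        lines.append(f"aaa group server tacacs+ GRP-{region}")   # assumed name
        lines += [f" server name TAC-{region}-{i}" for i in range(1, len(addrs) + 1)]
    groups = " ".join(f"group GRP-{r}" for r in group_order(local_region, region_servers))
    lines.append(f"aaa authentication login default {groups} local")
    lines.append(f"aaa authorization exec default {groups} local")
    return "\n".join(lines) + "\n"


# Constructed 'debug tacacs' sample in the shape of the output posted above;
# a router in region R30 whose first two servers are unreachable.
SAMPLE_DEBUG = """\
Jun 15 19:19:36.543: TPLUS: Using server 192.168.30.10
Jun 15 19:19:36.544: TPLUS(00000FC9)/0: Connect Error No route to host
Jun 15 19:19:36.544: TPLUS: Using server 192.168.20.10
Jun 15 19:19:36.544: TPLUS(00000FC9)/0: Connect Error No route to host
Jun 15 19:19:40.608: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin]
"""

SERVER_RE = re.compile(r"TPLUS: Using server (\S+)")


def servers_tried(debug_text):
    """Order in which the router actually contacted TACACS+ servers."""
    return SERVER_RE.findall(debug_text)


def order_matches(debug_text, local_region, region_servers=REGION_SERVERS):
    """True if the observed attempt order is a prefix of the intended order."""
    expected = [a for r in group_order(local_region, region_servers) for a in region_servers[r]]
    tried = servers_tried(debug_text)
    return tried == expected[:len(tried)]


if __name__ == "__main__":
    print(render_config("R30"))
    print("tried:", servers_tried(SAMPLE_DEBUG), "ok:", order_matches(SAMPLE_DEBUG, "R30"))
```

Render once per region (render_config("R20") for the 192.168.20.x site, and so on) and push that region's rendering to that region's devices; the debug check does the same thing the posted log shows, just extracted from the "TPLUS: Using server" lines instead of read by eye.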
06-18-2023 09:44 PM
Thanks, will test this.
07-04-2023 03:14 PM - edited 07-04-2023 03:14 PM
Friend, it checks the IPs from lowest to biggest.
You can change that by priority: make the server with high priority be checked before the other servers.
07-04-2023 10:15 PM
Hi,
How? If there is no priority config in the SD-WAN TACACS configuration...