IOS-XE: Testing specific TACACS server

I have a WS-C3650 running IOS-XE version 03.06.06E.

I have two tacacs+ servers configured on it and I can login fine.

I know that the primary tacacs server, server1, is working, but how can I test that server2 is working as well?

When I issue the command below it tests against server1 every single time.

test aaa group tacacs+ [username] [password] legacy

 

What command can I use to test against server2?

I tried checking "show tacacs" and it confirms that all requests are sent to the primary tacacs server.

Is there any way to configure IOS-XE to use round-robin for the two available tacacs servers?


Mark Malone (VIP Alumni)
Could you not temporarily remove the primary server IP from the AAA config? That will force it to use the standby to make sure it's working in test.
Or you could test it's open using telnet and port 49. I haven't seen a round-robin test command before in any of the docs or CLI.

telnet x.x.x.x 49


@Mark Malone wrote:
Could you not temporarily remove the primary server ip from the AAA , that will force it to use the standby to make sure its working in test

Unfortunately this is not an option as the device is under strict change control. I can't make any changes to the configuration of the device without an approved change request.

 


@Mark Malone wrote:
or you could test its open using telnet and port 49 , i haven't seen a round robin test command before in any of the docs or cli

telnet x.x.x.x 49

One of the things I wanted to test is if the TACACS key is correctly specified on both the device and on the TACACS server. Unfortunately a telnet test is not enough to verify the TACACS key.

Looks like you can do it on IOS but not IOS-XE, so you may need a window to fully test those platforms. The other option is to stop the primary service on ACS and let the secondary take over, but that's more risky than removing the line from the AAA config in the CLI.

 

From a 3560v2:

#test aaa group xtacas server ?
  Hostname or A.B.C.D  IP address of server to test

I had a requirement that was similar to this (not quite the same but close). We had two tacacs servers and wanted to be able to test with the backup. The solution that I used was that I configured a second tacacs group which had only the backup server assigned to it. I then configured a second aaa authentication login command and used a name for it so we had aaa authentication login default and had aaa authentication login testserver. Then on the last vty line I used login authentication testserver so that only connections to the last vty would authenticate with the backup server. Our standard config for vty specified transport input ssh and I modified the config of the last vty to transport input ssh telnet. So when I wanted to test I would simply telnet to the device, I would connect to the last vty, and would be able to test the backup server. This was on an IOS device (I did say similar but not quite the same as this post) but I assume IOS-XE would support this functionality.

 

HTH

 

Rick


This is not the best solution, but it works.

My solution will be to create a second group with only the backup server and then use the test command to test that group.
I hope Cisco will add the ability to test a single TACACS+ server in IOS-XE in the future.

You can request a feature enhancement through your Cisco account manager if you have one. I did it for MPP and eventually got it fully integrated into IOS-XE; it just took about a year and a lot of pushing.

I am glad that you find that my suggestion is a workable solution if not the preferred solution. Thank you for marking the question as solved. I agree that having the software support specific server in the test command is the optimum solution. The suggestion from Mark that you can make a request for a feature enhancement is the way to go.

 

HTH

 

Rick


Fraydoon Razazi (Level 1)

Use the command:

test aaa group [ AAA Server group name] server [IP address of server to test] [username] [password] legacy
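The approaches in this thread worked through end to end, as an added example that is not from any of the posters: Rick's second TACACS+ group applied to the last vty via a named login list, the OP's plan of testing that backup-only group, and the per-server test form shown in the reply above. Server names, addresses, the shared key, the MGMT-ONLY ACL and the "local" fallback are placeholders chosen for illustration.

```cisco
! Added example, not from the thread. Addresses, names, the key, the ACL
! and the "local" fallback are placeholders chosen for illustration.
aaa new-model
!
tacacs server SERVER1
 address ipv4 192.0.2.11
 key SharedSecretPlaceholder
tacacs server SERVER2
 address ipv4 192.0.2.12
 key SharedSecretPlaceholder
!
! Production group: requests go to SERVER1 and only fall back to SERVER2
! when SERVER1 is unreachable, which is why "test aaa group" against
! this group never exercises SERVER2 while SERVER1 is healthy.
aaa group server tacacs+ TAC-ALL
 server name SERVER1
 server name SERVER2
!
! Test group containing only the backup server.
aaa group server tacacs+ TAC-BACKUP
 server name SERVER2
!
aaa authentication login default group TAC-ALL local
aaa authentication login testserver group TAC-BACKUP local
!
! Only the last vty authenticates against the backup. Restricting that
! line to the management subnet keeps the extra telnet transport from
! being reachable from anywhere else.
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
line vty 0 3
 transport input ssh
 login authentication default
line vty 4
 transport input ssh telnet
 login authentication testserver
 access-class MGMT-ONLY in
!
! From exec mode: the group form tests only the backup (the OP's plan);
! the "server" form targets one member on platforms that support it.
! test aaa group TAC-BACKUP testuser testpass legacy
! test aaa group TAC-ALL server 192.0.2.12 testuser testpass legacy
```

A successful result from the backup-only group confirms both reachability and that the shared key matches on SERVER2, which the port-49 telnet check alone cannot show.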
