02-20-2018 01:50 AM - edited 03-08-2019 01:56 PM
I have a WS-C3650 running IOS-XE version 03.06.06E.
I have two tacacs+ servers configured on it and I can login fine.
I know that the primary tacacs server, server1, is working, but how can I test that server2 is working as well?
When I issue the command below it tests against server1 every single time.
test aaa group tacacs+ [username] [password] legacy
What command can I use to test against server2?
I tried checking "show tacacs" and it confirms that all requests are sent to the primary tacacs server.
Is there any way to configure IOS-XE to use round-robin for the two available tacacs servers?
02-20-2018 08:16 AM
I had a requirement that was similar to this (not quite the same but close). We had two tacacs servers and wanted to be able to test with the backup.

The solution that I used was that I configured a second tacacs group which had only the backup server assigned to it. I then configured a second aaa authentication login command and used a name for it, so we had aaa authentication login default and aaa authentication login testserver. Then on the last vty line I used login authentication testserver, so that only connections to the last vty would authenticate with the backup server.

Our standard config for vty specified transport input ssh, and I modified the config of the last vty to transport input ssh telnet. So when I wanted to test I would simply telnet to the device, I would connect to the last vty, and would be able to test the backup server.

This was on an IOS device (I did say similar but not quite the same as this post), but I assume IOS-XE would support this functionality.
HTH
Rick
02-20-2018 02:00 AM
02-20-2018 02:43 AM - edited 02-20-2018 02:45 AM
@Mark Malone wrote:
Could you not temporarily remove the primary server IP from the AAA config? That will force it to use the standby, to make sure it's working in test.
Unfortunately this is not an option as the device is under strict change control. I can't make any changes to the configuration of the device without an approved change request.
@Mark Malone wrote:
Or you could test that it's open using telnet and port 49. I haven't seen a round-robin test command before in any of the docs or CLI:
telnet x.x.x.x 49
One of the things I wanted to test is if the TACACS key is correctly specified on both the device and on the TACACS server. Unfortunately a telnet test is not enough to verify the TACACS key.
02-20-2018 02:59 AM
Looks like you can do it on IOS but not IOS-XE, so you may need a window to fully test those platforms. The other option is to stop the primary service on ACS and let the secondary take over, but that's more risky than removing the line from the AAA config in the CLI.
from 3560v2
#test aaa group xtacas server ?
Hostname or A.B.C.D IP address of server to test
02-26-2018 07:10 AM - edited 02-26-2018 07:12 AM
This is not the best solution, but it works.
My solution will be to create a second group only with the backup server and then use the test command to test that group.
I hope Cisco will add the ability to test a single TACACS+ server in IOS-XE in the future.
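As an added example that is not part of any post in this thread, this is what Rick's workaround (a backup-only server group, a named login list, and a dedicated last vty that is the only line accepting telnet) and the backup-only group test described in the post above look like together in IOS/IOS-XE configuration. The server names, addresses, keys, group and list names, the vty numbering and the test credentials are placeholders and must be adapted to the device; the second test command uses the per-server syntax from the last reply in this thread and only applies on releases whose test command accepts a server.

```cisco
! Added example, not taken from any post in this thread.
! All names, addresses, keys and credentials below are placeholders.
aaa new-model
!
tacacs server TAC-PRIMARY
 address ipv4 192.0.2.11
 key PrimaryKeyPlaceholder
tacacs server TAC-BACKUP
 address ipv4 192.0.2.12
 key BackupKeyPlaceholder
!
! Production group: the first server is used until it fails, then the
! second. There is no round-robin, which is why server2 never sees a
! request while server1 is healthy.
aaa group server tacacs+ TAC-ALL
 server name TAC-PRIMARY
 server name TAC-BACKUP
!
! Test group: contains only the backup, so any request sent through it
! can only reach server2 (and only succeeds if server2's key matches).
aaa group server tacacs+ TAC-BACKUP-ONLY
 server name TAC-BACKUP
!
! Default list for normal logins; named list used only for the test vty.
! The test list has no local fallback on purpose, so a broken server2
! produces a clear failure instead of a silent local login.
aaa authentication login default group TAC-ALL local
aaa authentication login testserver group TAC-BACKUP-ONLY
!
! All but the last vty stay SSH-only with the default list.
line vty 0 14
 transport input ssh
!
! The last vty is the only line that accepts telnet, so a telnet session
! always lands here and is authenticated against server2 alone.
line vty 15
 login authentication testserver
 transport input ssh telnet
!
! Exec-mode checks (not configuration). First: test the backup-only
! group, which is enough to prove server2 and its key. Second: the
! per-server form, where the release supports it.
! test aaa group TAC-BACKUP-ONLY testuser testpass legacy
! test aaa group TAC-ALL server 192.0.2.12 testuser testpass legacy
```

After a test, check the per-server counters in show tacacs: the request count for 192.0.2.12 should have increased, confirming which server actually handled it. Two caveats a practitioner should weigh before copying this: opening telnet on vty 15 sends the test credentials in cleartext, so use a dedicated low-privilege test account and a restricted access-class on that line (or remove telnet again once the test is done), and the testserver list has no fallback, so do not put production vtys on it.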
02-26-2018 07:40 AM
02-26-2018 10:58 AM
I am glad that you find that my suggestion is a workable solution if not the preferred solution. Thank you for marking the question as solved. I agree that having the software support specific server in the test command is the optimum solution. The suggestion from Mark that you can make a request for a feature enhancement is the way to go.
HTH
Rick
03-02-2019 03:23 PM
use the command:
test aaa group [ AAA Server group name] server [IP address of server to test] [username] [password] legacy