02-25-2013 07:08 AM - edited 03-07-2019 11:55 AM
Hello Folks,
I have a question about multiple TACACS groups.
I want to achieve the following:
A Cisco 888 is managed by me and a Provider Support Team.
Since we both want to access our own TACACS server, I want to create two TACACS groups.
Is it possible for me to bind a TACACS group to one interface, and the second TACACS group to another?
Meaning that our staff connect to the LAN interface FastEthernet0 that is applied to the SVI in VLAN 1.
The service technicians from the provider connect to the external interface or through a possible Lo. (another IP)
I do not want to mix our 2 TACACS+ servers and theirs together in one group. So has anybody tried this before?
Best regards
Robert
02-28-2013 12:20 PM
Did I post in the wrong forum?
02-28-2013 12:55 PM
I do not believe what you are trying to do is possible. The only way I have ever seen shared access like this work correctly is when one party creates a user group in their server for the other party, then restricts that group to only accessing the shared device.
02-28-2013 06:56 PM
What Robert describes is quite unusual. But I believe that there may be a way to get it to work. I accomplished something similar a while back on a router that supported dial access (ppp) users. We wanted to use one authentication group for the ppp authentication and use a different authentication group for console/vty access. We did get that to work pretty well.
I believe that Robert might achieve his requirements if he follows steps like these:
- create one tacacs group that specifies his authentication servers. Perhaps name it OURS.
- create one tacacs group that specifies the authentication servers for the Provider Support Team. Perhaps name it PST.
- create one named authentication method to authenticate using group OURS. Perhaps call the method INTERNAL.
- create one named authentication method to authenticate using group PST. Perhaps call the method EXTERNAL.
- configure several vty ports specifying authentication method INTERNAL and specifying transport input telnet.
- configure several other vty ports specifying authentication method EXTERNAL and specifying transport input ssh.
Then if the Provider Support Team will SSH to the router they will use the vty that authenticates with their tacacs server. And if he will telnet to the router then he will use the vty that authenticates with his tacacs server.
HTH
Rick
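The steps above written out as an IOS configuration, added here as a worked example; it is not config from the thread or from either poster. The server addresses (documentation ranges), the shared-secret placeholders, the local fallback user and the two vty ranges are all assumptions chosen for illustration. The `tacacs server` / `server name` form is the newer IOS 15.x syntax; older images take `tacacs-server host` with the servers listed directly under the group.

```cisco
! Enable the AAA subsystem (required for named method lists)
aaa new-model
!
! --- Server definitions (addresses and keys are placeholders) ---
tacacs server OURS-1
 address ipv4 192.0.2.11
 key 7 REPLACE-WITH-OUR-SECRET
tacacs server PST-1
 address ipv4 198.51.100.21
 key 7 REPLACE-WITH-PROVIDER-SECRET
!
! --- Step 1 and 2: one server group per party ---
aaa group server tacacs+ OURS
 server name OURS-1
aaa group server tacacs+ PST
 server name PST-1
!
! --- Step 3 and 4: named method lists, one per group ---
! "local" at the end is an assumed fallback so the box stays reachable
! if its TACACS server is unreachable; drop it if you do not want that.
aaa authentication login INTERNAL group OURS local
aaa authentication login EXTERNAL group PST local
aaa authorization exec INTERNAL group OURS local
aaa authorization exec EXTERNAL group PST local
!
! Assumed local emergency account used only when a server group is down
username recovery privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
! --- Step 5: vty pool reached only by telnet, bound to OURS ---
line vty 0 4
 login authentication INTERNAL
 authorization exec INTERNAL
 transport input telnet
!
! --- Step 6: vty pool reached only by ssh, bound to PST ---
line vty 5 9
 login authentication EXTERNAL
 authorization exec EXTERNAL
 transport input ssh
```

The transport protocol is the only thing selecting the vty pool, so any SSH connection from anywhere lands on the EXTERNAL lines and any telnet connection on the INTERNAL ones; an `access-class` ACL on each `line vty` range can additionally pin a pool to the source network it is meant for, which is the closest you get to the per-interface binding asked about in the question. Whichever party ends up on the telnet pool sends its credentials in cleartext over that path. To check the result without a live login, `show aaa servers` lists each server with its group, and `test aaa group OURS <user> <password> new-code` sends a test authentication to one group without touching the other.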
03-01-2013 05:31 AM
Rick,
This is an interesting solution. I was not aware that a client could specify what vty line it uses. How do you do that?
Greg
03-01-2013 09:20 AM
Greg
That is one of the interesting and quite subtle things in my suggested solution. In general a client cannot choose which vty to use. But if only certain vty will process telnet and only certain other vty will process ssh, then the client can choose a vty by choosing to use telnet or to use ssh.
HTH
Rick
03-03-2013 02:55 AM
Hi,
Thank you for your information. I will try that out next week and will report back.
Thank you a lot for your information.
Best regards
Robert
03-14-2013 12:43 PM
I configured your suggestion. It works for ssh and for telnet. I agreed with the provider team that they should use telnet, since they are in a "secure" MPLS VRF. They had no problem with telnet.
Thank you a lot for your information.
Best regards
Robert
03-14-2013 08:29 PM
Robert
Thank you for posting to the forum to tell us that you have worked out a solution to this problem. I am glad that my suggestion pointed to a solution that worked for you.
Thank you for posting an updated status of the question and for using the rating system to mark the question as answered. It makes the forum more useful when participants can read about the issue and can know that a solution was found. That is especially important when the issue is subtle and complex as this one is. Your marking has contributed to this process.
HTH
Rick