Multiple Tacacs Groups for different Interfaces on a Router

robertsinger
Level 1

Hello Folks,

I have a question about multiple TACACS groups.

I want to achieve the following:

A Cisco 888 is managed by me and a Provider Support Team.

Since we both want to access our own TACACS server, I want to create two TACACS groups.

Is it possible for me to bind one TACACS group to one interface, and the second TACACS group to another?

This means that our staff connects to the LAN interface FastEthernet0, which is applied to the SVI in VLAN 1.

The service technicians from the Provider connect to the external interface or through a possible Lo. (another IP).

I do not want to mix our two TACACS+ servers and theirs together in one group. So has anybody tried this before?

Best regards

Robert

1 Accepted Solution

What Robert describes is quite unusual. But I believe that there may be a way to get it to work. I accomplished something similar a while back on a router that supported dial access (ppp) users. We wanted to use one authentication group for the ppp authentication and use a different authentication group for console/vty access.  We did get that to work pretty well.

I believe that Robert might achieve his requirements if he follows steps like these:

- create one tacacs group that specifies his authentication servers. Perhaps name it OURS.

- create one tacacs group that specifies the authentication servers for the Provider Support Team. Perhaps name it PST.

- create one named authentication method to authenticate using group OURS. Perhaps call the method INTERNAL.

- create one named authentication method to authenticate using group PST. Perhaps call the method EXTERNAL.

- configure several vty ports specifying authentication method INTERNAL and specifying transport input telnet.

- configure several other vty ports specifying authentication method EXTERNAL and specifying transport input ssh.

Then if the Provider Support Team will SSH to the router they will use the vty that authenticates with their tacacs server. And if he will telnet to the router then he will use the vty that authenticates with his tacacs server.

HTH

Rick

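Rick's six steps written out as an IOS configuration. This is an added example, not configuration from the thread, from Rick, or from Cisco documentation. The group and method names (OURS, PST, INTERNAL, EXTERNAL) follow Rick's suggestion; the server addresses, shared secrets, local fallback account, vty ranges, management subnets and the named `tacacs server` syntax (IOS 15 style) are assumptions. The `access-class` lines go one step beyond the post: they tie each vty range to the source network each party actually arrives from, so the telnet/ssh split is backed by a source check rather than relying on the transport choice alone.

```ios
! Added example (not from the thread). Names OURS/PST/INTERNAL/EXTERNAL follow
! Rick's suggestion; addresses, secrets, vty ranges and subnets are assumptions.
aaa new-model
!
! --- Step 1: TACACS+ group for our own servers ---
tacacs server OURS-1
 address ipv4 192.0.2.10
 key OUR-SHARED-SECRET-PLACEHOLDER
tacacs server OURS-2
 address ipv4 192.0.2.11
 key OUR-SHARED-SECRET-PLACEHOLDER
aaa group server tacacs+ OURS
 server name OURS-1
 server name OURS-2
!
! --- Step 2: TACACS+ group for the Provider Support Team ---
tacacs server PST-1
 address ipv4 198.51.100.10
 key PST-SHARED-SECRET-PLACEHOLDER
aaa group server tacacs+ PST
 server name PST-1
!
! --- Steps 3 and 4: one named login method (and exec authorization) per group ---
! INTERNAL falls back to the local user only when no OURS server answers;
! EXTERNAL has no local fallback, so the provider's lines never reach the local account.
aaa authentication login INTERNAL group OURS local
aaa authentication login EXTERNAL group PST
aaa authorization exec INTERNAL group OURS local
aaa authorization exec EXTERNAL group PST
username admin privilege 15 secret LOCAL-FALLBACK-PASSWORD-PLACEHOLDER
!
! Assumed management source ranges for each party (replace with the real ones)
ip access-list standard OUR-MGMT
 permit 10.1.1.0 0.0.0.255
ip access-list standard PST-MGMT
 permit 172.16.5.0 0.0.0.255
!
! --- Step 5: vty 0-4 accept only telnet and authenticate against OURS ---
line vty 0 4
 access-class OUR-MGMT in
 login authentication INTERNAL
 authorization exec INTERNAL
 transport input telnet
!
! --- Step 6: vty 5-15 accept only ssh and authenticate against PST ---
line vty 5 15
 access-class PST-MGMT in
 login authentication EXTERNAL
 authorization exec EXTERNAL
 transport input ssh
```

The mechanism that makes this work is that IOS hands an incoming session to the lowest free vty whose `transport input` allows that protocol, so an SSH session can only ever land on vty 5-15 and a telnet session only on vty 0-4; each range then applies its own `login authentication` method and therefore its own TACACS+ group. SSH needs `ip domain-name` and an RSA key pair generated beforehand. After applying it, `show users` shows which vty each session landed on, `show aaa servers` shows whether each group's servers are reachable, and `show line` confirms the transport settings per line.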


8 Replies

robertsinger
Level 1

Did I post into the wrong forum?

I do not believe what you are trying to do is possible. The only way I have ever seen shared access like this work correctly is when one party creates a user group in their server for the other party and then restricts that group to only accessing the shared device.


Rick,

This is an interesting solution. I was not aware that a client could specify what vty line it uses. How do you do that?

Greg

Greg

That is one of the interesting and quite subtle things in my suggested solution. In general a client cannot choose which vty to use. But if only certain vty will process telnet and only certain other vty will process ssh, then the client can choose the vty by choosing to use telnet or to use ssh.

HTH

Rick


Hi,

Thank you for your information. I will try that out next week and will report back.

Thank you a lot for your information.

Best regards

Robert

I configured your suggestion. It works for ssh and for telnet. I agreed with the provider team that they should use telnet, since they are in a "secure" MPLS VRF. They had no problem with telnet.

Thank you a lot for your information.

Best regards

Robert

Robert

Thank you for posting to the forum to tell us that you have worked out a solution to this problem. I am glad that my suggestion pointed to a solution that worked for you.

Thank you for posting an updated status of the question and for using the rating system to mark the question as answered. It makes the forum more useful when participants can read about the issue and can know that a solution was found. That is especially important when the issue is subtle and complex as this one is. Your marking has contributed to this process.

HTH

Rick
