12-10-2012 12:57 AM - edited 03-07-2019 10:29 AM
Hi All,
I am planning to change the production TACACS server IP; internally, all our network and firewall devices are authenticated by it.
I have no clue where to start or how to complete this.
Could somebody please help me complete this?
Regards
Suresh
12-10-2012 02:58 AM
Hello Suresh,
The new TACACS+ server IP address has to be configured on all devices; there is no easy shortcut for this.
You can take advantage of server groups by adding the new server address to a server group. On devices supporting the aaa server group, the migration should be easier.
See
The idea is to define both the old and the new TACACS+ server IP addresses in the same aaa server group, so that when you later disable the old server, devices will try to authenticate to the new one by simply going to the next server in the aaa group list.
Hope to help
Giuseppe
12-31-2012 04:57 AM
Hello Suresh,
I have checked in the documentation (CCIE R&S study guide) and you should be able to use multiple instances of the tacacs-server host command.
Again, the suggestion is to test this on a single device first.
According to the book, an implicit group named tacacs is formed by IOS with all defined TACACS servers, and it can be invoked in aaa commands by using group tacacs. So the use of a user-defined group of servers is not strictly needed.
Hope to help
Giuseppe
12-28-2012 02:35 AM
HI,
I have used the aaa group command, but how shall I give the key, as the present authentication is happening with that?
Presently I am running with a single server: "tacacs-server host x.x.x.x key xxxxxx"
So if I use the group command, should I remove it, or how? And how many servers can I use with the tacacs-server host command? Please help.
Please suggest.
12-28-2012 04:12 AM
Hello Suresh,
The key should be defined with the same value under the aaa group configuration.
Then you need to rewrite all the aaa commands for the methods to use the group,
example:
aaa authentication login default tacacs local
becomes
aaa authentication login default group
and so on
see
I would suggest trying the procedure on a device that is not in the production network and that you can reach via console.
Also, as an additional safety measure, you should test the changes by trying to open a new connection to the device, keeping the original session open in a different window.
Hope to help
Giuseppe
12-28-2012 04:21 AM
Thanks Giuseppe,
Please correct my configuration below if any changes are required, and add anything that is missing.
aaa authentication login default group
aaa group server tacacs+
server x.x.x.x --> Old server IP
server x.x.x.x ---> new server IP
tacacs-server host x.x.x.x key xxxxx --> entry with new server IP
Regards
Suresh
12-28-2012 04:26 AM
Hello Suresh,
my suggestion is:
aaa group server tacacs+
server x.x.x.x --> Old server IP
server x.x.x.x ---> new server IP
key
assuming you are using the same key with new server
The command
tacacs-server host x.x.x.x key xxxxx
should not be needed, as all the information is inside the aaa group, and as I just wrote, you need to change all references to tacacs into references to the group.
You may find out that it is easier to change on the fly from old server to new server.
Hope to help
Giuseppe
12-28-2012 04:40 AM
Hi Giuseppe,
aaa group server tacacs+ TACAC
server x.x.x.x
server x.x.x.x
aaa authentication login default group TACAC local
aaa authorization config-commands
aaa authorization exec default group TACAC local
aaa authorization commands 5 default group TACAC local
aaa authorization commands 15 default group TACAC local
aaa accounting exec default start-stop group TACAC
aaa accounting commands 1 default start-stop group TACAC
aaa accounting commands 15 default start-stop group TACAC
tacacs-server host x.x.x.x key xxxxx --> entry with new server
group name ---> TACAC
In the TACACS server I have to change the tacacs-server host, that's all.
Please correct me if any changes are required; I don't need any specific entries here, only any important point I am missing.
I request you to guide me on this.
Thanks
Suresh
12-28-2012 04:48 AM
Hello Suresh,
my understanding is that the command
tacacs-server host x.x.x.x key xxxxx --> entry with new server
is not needed at all and the key command can be placed under
aaa group server tacacs+ TACAC
if you want to change the key you should use
aaa group server tacacs+ TACAC
server x.x.x.x key key1
server x.x.x.x key key2
all the other commands are already referring to the AAA group so they are fine.
At the end you can just turn off the old server with no change to the configuration of devices
Hope to help
Giuseppe
12-28-2012 04:55 AM
Hi Giuseppe,
There is no option available to give the key after server x.x.x.x, and I will use the same key for the old and new server as well.
I am checking this on my Cisco 3750 switch running "c3750-ipbasek9-mz.122-55.SE4.bin".
Please suggest...
Rgds
Suresh
12-28-2012 05:44 AM
Hi Giuseppe,
In addition to the above, if I use this entry, will I be able to have failover from the old server IP to the new one?
tacacs-server host x.x.x.x key xxxxx --> entry with new server
Please suggest, as I am unable to use the key option after the group server.
Rgds
Suresh
12-31-2012 03:07 AM
Hi All,
Can somebody please respond to my query...
Regards
Suresh
12-31-2012 06:30 AM
Hi Giuseppe,
I have tested the configuration below on one of the test switches after changing the TACACS server IP, and it works fine.
Here I have created a group and added the new server into it; the rest of the config is below.
Thank you very much for the support.
aaa group server tacacs+ TEST
server x.x.x.x
server x.x.x.x
aaa authentication login TEST group tacacs+ local
aaa authorization config-commands
aaa authorization exec TEST group tacacs+ local
aaa authorization commands 5 TEST group tacacs+ local
aaa authorization commands 15 TEST group tacacs+ local
aaa accounting exec default start-stop group TEST
aaa accounting commands 1 TEST start-stop group tacacs+
aaa accounting commands 15 TEST start-stop group tacacs+
tacacs-server host x.x.x.x key xxxxx --> entry with new server
group name ---> TEST
Rgds
Suresh
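The following is an added example, not part of the thread and not Suresh's or Giuseppe's configuration, putting the advice from the replies above into one complete IOS 12.2(55)SE configuration for a Catalyst 3750: the old and the new server are both defined as tacacs-server hosts with their keys, both are listed in one named server group, every default method list points at that group with local as the fallback, and the old server is removed only after cutover. The addresses 192.0.2.10 (old) and 192.0.2.20 (new), the key S3cr3tKey, the local account netadmin and the group name TACACS-MIG are assumed values chosen for the example.

```cisco
! Added example (not from the thread). Assumed values: 192.0.2.10 = old TACACS+
! server, 192.0.2.20 = new TACACS+ server, S3cr3tKey = shared key on both,
! TACACS-MIG = group name, netadmin = local fallback account.
!
! Step 1: local fallback so the box stays reachable if every TACACS+ server
! is unreachable or the key on the new server turns out to be wrong.
username netadmin privilege 15 secret LocalAdminPass
aaa new-model
!
! Step 2: define BOTH servers as tacacs-server hosts, each with its key.
! On 12.2(55)SE the "server" line inside the group takes no key argument,
! so the key goes here (or on a global "tacacs-server key").
tacacs-server host 192.0.2.10 key S3cr3tKey
tacacs-server host 192.0.2.20 key S3cr3tKey
tacacs-server timeout 3
!
! Step 3: one group, old server first, new server second. Servers are tried
! in the order listed, so behaviour is unchanged while the old server is up;
! once it stops answering, each request moves on to the next server after
! "tacacs-server timeout" expires.
aaa group server tacacs+ TACACS-MIG
 server 192.0.2.10
 server 192.0.2.20
!
! Step 4: point the default method lists at the group, keeping "local" as the
! last method. Default lists apply to console and vty lines automatically;
! a list with any other name only works once applied under "line vty".
aaa authentication login default group TACACS-MIG local
aaa authorization config-commands
aaa authorization exec default group TACACS-MIG local
aaa authorization commands 5 default group TACACS-MIG local
aaa authorization commands 15 default group TACACS-MIG local
aaa accounting exec default start-stop group TACACS-MIG
aaa accounting commands 1 default start-stop group TACACS-MIG
aaa accounting commands 15 default start-stop group TACACS-MIG
!
! Step 5: keep the session used to make the change open, start a second SSH
! session and confirm it authenticates, then check both servers are seen:
!   show tacacs
!   show aaa servers
!
! Step 6: after the old server is decommissioned, remove it so every login
! does not first wait out the timeout against a dead host.
aaa group server tacacs+ TACACS-MIG
 no server 192.0.2.10
no tacacs-server host 192.0.2.10
```

Two things to check on the server side before the cutover: the new TACACS+ server must have each device registered as a client with the same key (the socket counters in `show tacacs` rising with no successful authentications usually means a key mismatch), and if the device reaches the server through a specific interface, `ip tacacs source-interface` must match the address the server expects.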