Production TACACS server IP change

Suresh Babu
Level 1

Hi All,

I am planning to change the production TACACS server IP; internally, all our network and firewall devices are authenticated by that server.

I have no clue where to start and how to complete this.

Somebody please help on this to complete.

Regards

Suresh     


12 Replies

Giuseppe Larosa
Hall of Fame

Hello Suresh,

The new TACACS+ server IP address has to be configured on all devices; there is no easy shortcut for this.

You can take advantage of server groups by adding the new server address to a server group. On devices that support AAA server groups the migration should be easier.

See

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a1.html#GUID-367E159F-3BD9-4BAD-9513-E4023C68E8B5

The idea is to define both the old and the new TACACS+ IP addresses in the same AAA server group, so that when you later disable the old server the devices will try to authenticate to the new one simply by going to the next server in the AAA group list.

Hope to help

Giuseppe

HI,

I have used the aaa group command, but how shall I give the key, as the present authentication is happening with that?

Presently I am running with a single server: tacacs-server host x.x.x.x key xxxxxx

So if I use the group command, should I remove it, or how? And how many servers can I use with the tacacs-server host command? Please help.

Please suggest.

Hello Suresh,

The key should be defined with the same value under the aaa group configuration.

Then you need to rewrite all the aaa commands for method lists with group instead of tacacs.

example:

aaa authentication login default tacacs local

becomes

aaa authentication login default group local

and so on

see

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/12-4t/sec-cfg-authentifcn.html#GUID-87329794-1E37-4FE5-A882-7221D1E35817

I would suggest trying the procedure on a device that is not in the production network and that you can reach via console.

Also, as an additional safety measure, you should test the changes by trying to open a new connection to the device while keeping the original session open in a different window.

Hope to help

Giuseppe

Thanks Giuseppe,

Please correct my configuration below if any changes are required, and add anything that is missing.

aaa authentication login default group local
aaa group server tacacs+
 server x.x.x.x  --> old server IP
 server x.x.x.x  --> new server IP
tacacs-server host x.x.x.x key xxxxx  --> entry with new server IP

Regards

Suresh

Hello Suresh,

my suggestion is:

aaa group server tacacs+
 server x.x.x.x  --> old server IP
 server x.x.x.x  --> new server IP
 key xxxxx

assuming you are using the same key with the new server.

The command

tacacs-server host x.x.x.x key xxxxx 

should not be needed, as all the information is inside the AAA group, and as I just wrote you need to change all references from tacacs to group in the aaa commands that describe the method lists for authentication, authorization and accounting, as in my previous example.

You may find that it is easier to change on the fly from the old server to the new server.

Hope to help

Giuseppe

Hi Giuseppe,

aaa group server tacacs+ TACAC
 server x.x.x.x
 server x.x.x.x
aaa authentication login default group TACAC local
aaa authorization config-commands
aaa authorization exec default group TACAC local
aaa authorization commands 5 default group TACAC local
aaa authorization commands 15 default group TACAC local
aaa accounting exec default start-stop group TACAC
aaa accounting commands 1 default start-stop group TACAC
aaa accounting commands 15 default start-stop group TACAC
tacacs-server host x.x.x.x key xxxxx  --> entry with new server

group name ---> TACAC

In the TACACS server configuration I have to change the tacacs-server host; that's all.

Correct me if any changes are required. I don't need any specific entries here, but please point out any important point I am missing.

Request you to guide on this.

Thanks

Suresh

Hello Suresh,

my understanding is that the command

tacacs-server host x.x.x.x key xxxxx  --> entry with new server

is not needed at all and the key command can be placed under

aaa group server tacacs+ TACAC

if you want to change the key you should use

aaa group server tacacs+ TACAC
 server x.x.x.x key key1
 server x.x.x.x key key2

All the other commands are already referring to the AAA group, so they are fine.

At the end you can just turn off the old server with no change to the configuration of the devices.

Hope to help

Giuseppe

Hi Giuseppe,

There is no option available to give the key after server x.x.x.x, and I will use the same key for the old and new server as well.

I am checking this on my Cisco 3750 switch running "c3750-ipbasek9-mz.122-55.SE4.bin".

Please suggest...

Rgds

Suresh

Hi Giuseppe,

In addition to the above, if I use this entry will I be able to have failover from the old server IP to the new one?

tacacs-server host x.x.x.x key xxxxx  --> entry with new server

Please suggest, as I am unable to use the key option after the server under the group.

Rgds

Suresh

Hi All,

Can somebody please respond to my query...

Regards

Suresh

Hello Suresh,

I have checked the documentation (CCIE R&S study guide) and you should be able to use multiple instances of the tacacs-server host command.

Again, the suggestion is to test this on a single device first.

According to the book, an implicit group named tacacs is formed by IOS from all defined TACACS servers, and it can be invoked in aaa commands by using group tacacs. So the use of a user-defined server group is not strictly needed.

Hope to help

Giuseppe

Hi Giuseppe,

I have tested the configuration below on one of the test switches after changing the TACACS server IP, and it works fine.

Here I have created a group and added the new server into it; the rest of the config is below.

Thank you very much for the support.

aaa group server tacacs+ TEST
 server x.x.x.x
 server x.x.x.x
aaa authentication login TEST group tacacs+ local
aaa authorization config-commands
aaa authorization exec TEST group tacacs+ local
aaa authorization commands 5 TEST group tacacs+ local
aaa authorization commands 15 TEST group tacacs+ local
aaa accounting exec default start-stop group TEST
aaa accounting commands 1 TEST start-stop group tacacs+
aaa accounting commands 15 TEST start-stop group tacacs+
tacacs-server host x.x.x.x key xxxxx  --> entry with new server

group name ---> TEST

Rgds

Suresh
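The thread's whole concern is knowing, on every device, that the method lists really point at a group containing the new server before the old one is switched off. As an added example (written for this page, not Cisco's code and not the posters' configuration), the script below parses the IOS AAA commands discussed above (aaa group server tacacs+, tacacs-server host, and the authentication/authorization/accounting method lists) from a saved running-config and reports anything that would make decommissioning the old server unsafe. It goes a little beyond the thread by also flagging a group that is referenced but never defined and a login or exec method list with no local fallback, the lockout case Giuseppe's "keep the original session open" advice guards against. The addresses (RFC 5737 documentation range) and key values are constructed placeholders, and the parser only understands the 12.2-style command syntax shown in the thread.

```python
"""Audit an IOS running-config before a TACACS+ server migration.

Added example for this thread, not Cisco's or the posters' code. Parses the
AAA commands discussed above and reports anything that makes turning off the
old server unsafe. Addresses and keys are constructed placeholders.
"""

# IOS builds an implicit group from all tacacs-server host entries; both
# spellings are accepted in method lists.
IMPLICIT_GROUPS = {"tacacs+", "tacacs"}

# Constructed config fragment in the migration state recommended in the
# thread: old and new server in one group, old listed first.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ TACAC
 server 192.0.2.10
 server 192.0.2.20
aaa authentication login default group TACAC local
aaa authorization config-commands
aaa authorization exec default group TACAC local
aaa authorization commands 15 default group TACAC local
aaa accounting exec default start-stop group TACAC
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10 key OLDKEY_PLACEHOLDER
tacacs-server host 192.0.2.20 key OLDKEY_PLACEHOLDER
"""

# Constructed config with the mistakes the audit is meant to catch.
BROKEN_CONFIG = """\
aaa new-model
aaa group server tacacs+ TACAC
 server 192.0.2.10
aaa authentication login default group TACAC
aaa authorization exec default group TACAC local
aaa accounting exec default start-stop group OLDGRP
tacacs-server host 192.0.2.10 key OLDKEY_PLACEHOLDER
"""


def parse_aaa(config):
    """Return (groups, hosts, global_key, method_lists) from IOS config text."""
    groups = {}         # group name -> member IPs in configured order
    hosts = {}          # tacacs-server host IP -> True if that line carries a key
    global_key = False  # 'tacacs-server key ...' present
    method_lists = []   # (config line, [group names it references])
    current_group = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        words = line.split()
        if line.startswith(" ") and current_group is not None:
            # 'server <ip>' lines inside an 'aaa group server tacacs+' block
            if words[0] == "server" and len(words) >= 2:
                groups[current_group].append(words[1])
            continue
        current_group = None
        if words[:4] == ["aaa", "group", "server", "tacacs+"] and len(words) >= 5:
            current_group = words[4]
            groups.setdefault(current_group, [])
        elif words[:2] == ["tacacs-server", "host"] and len(words) >= 3:
            hosts[words[2]] = "key" in words[3:]
        elif words[:2] == ["tacacs-server", "key"]:
            global_key = True
        elif len(words) > 1 and words[0] == "aaa" and words[1] in (
                "authentication", "authorization", "accounting"):
            refs = [words[i + 1] for i, w in enumerate(words[:-1]) if w == "group"]
            if refs:
                method_lists.append((line, refs))
    return groups, hosts, global_key, method_lists


def group_members(name, groups, hosts):
    """Resolve a group name used in a method list to its member IPs."""
    if name in IMPLICIT_GROUPS:
        return list(hosts)
    return groups.get(name, [])


def audit_migration(config, new_server):
    """Return findings; an empty list means the old server can be shut down."""
    groups, hosts, global_key, method_lists = parse_aaa(config)
    findings = []
    for line, refs in method_lists:
        for name in refs:
            if name not in IMPLICIT_GROUPS and name not in groups:
                findings.append(f"{line!r}: group {name} is referenced but never defined")
            elif new_server not in group_members(name, groups, hosts):
                findings.append(f"{line!r}: group {name} does not include new server {new_server}")
        # accounting has no local method; only login/exec lists can fall back to local
        words = line.split()
        if words[1] in ("authentication", "authorization") and "local" not in words:
            findings.append(f"{line!r}: no 'local' fallback, a TACACS+ outage would lock out logins")
    # with the 12.2 syntax in the thread the shared key lives on the
    # tacacs-server host line (or a global tacacs-server key)
    for name, members in groups.items():
        for ip in members:
            if not hosts.get(ip, False) and not global_key:
                findings.append(f"group {name}: server {ip} has no shared key configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("migration config", SAMPLE_CONFIG), ("broken config", BROKEN_CONFIG)):
        result = audit_migration(cfg, "192.0.2.20")
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against `show running-config` output collected from each device (for example with the IP of the new server as the argument to audit_migration); only when every device returns an empty list is the old server safe to power off. Ordering in the group is deliberate: with the old server listed first, nothing changes for users until it stops answering, which is the on-the-fly cut-over Giuseppe describes.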
