Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
30951
Views
15
Helpful
7
Replies

tacacs-server directed-request command

Go to solution
mahesh18
Level 6
Level 6

‎05-09-2012 05:59 PM - edited ‎03-07-2019 06:37 AM

  Hi all,

Command

tacacs-server directed-request.

As per cisco  ---

To send only a username to a specified server when a direct request is issued.

This command sends only the portion of the username before the “@” symbol to the host specified after

the “@” symbol. In other words, with the directed-request feature enabled, you can direct a request to

any of the configured servers, and only the username is sent to the specified server.

So here is setup

Router A  has say 3 servers configured

tacacs-server host 10.x.x.x

tacacs-server host 10.x.x.x

tacacs-server host 10.x.x.x

So when i telnet to Router IP say 20.x.x.x now i get the login prompt and it put xyz so this request will go to any of 3 tacacs servers right?

Once i put the username then i put the pasword  as per cisco  only username is sent to server does this mean that password which i type

is not authenticated by the server?

What if i put wrong pw then will i be able to telnet to  router?

If somebody can explain me meaning of this command in detail please?

Thanks

Mahesh

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Dan Frey
Cisco Employee
Cisco Employee

‎05-09-2012 06:19 PM

The router will use the first tacacs ip address to appear in the running config.  If the config has:

tacacs-server host 10.1.1.1

tacacs-server host 172.16.1.1

it will try and use the 10.1.1.1 address first.   If the router can create a tcp session with the tacacs server the user will either be authenticated or denied.   Suppose that 10.1.1.1 was the enterprise tacacs server and 172.16.1.1 was a managed service provider.   The enterprise would be able to login as usual but the service provider would need to contact the device as: 

[dafrey@HammerHead ~]$ telnet router_ip

Username: username@172.16.1.1

Password:

Router>

This feature allows a user to specify a tacacs-server ip address and not use the first tacacs-server IP address to appear  in the config.   Authorization and accounting will also use the tacacs-server ip specified by this command for the length of the session.

Dan

View solution in original post

Go to solution
Dan Frey
Cisco Employee
Cisco Employee
In response to mahesh18

‎05-09-2012 06:48 PM

The term enterprise and managed service provider was to imply to different administrative domains.   Such as the the enterprise tacacs server does not have the same usernames as the managed service provider tacacs server.  

Hope this helps.

Dan

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Dan Frey
Cisco Employee
Cisco Employee

‎05-09-2012 06:19 PM

The router will use the first tacacs ip address to appear in the running config.  If the config has:

tacacs-server host 10.1.1.1

tacacs-server host 172.16.1.1

it will try and use the 10.1.1.1 address first.   If the router can create a tcp session with the tacacs server the user will either be authenticated or denied.   Suppose that 10.1.1.1 was the enterprise tacacs server and 172.16.1.1 was a managed service provider.   The enterprise would be able to login as usual but the service provider would need to contact the device as: 

[dafrey@HammerHead ~]$ telnet router_ip

Username: username@172.16.1.1

Password:

Router>

This feature allows a user to specify a tacacs-server ip address and not use the first tacacs-server IP address to appear  in the config.   Authorization and accounting will also use the tacacs-server ip specified by this command for the length of the session.

Dan

Go to solution
mahesh18
Level 6
Level 6
In response to Dan Frey

‎05-09-2012 06:42 PM

Hi Dan,

Thanks for reply.

When you say that enterprise server does it mean primary server?

When you say 172.1.1.1 was a managed service provider what does it mean?

Thanks

MAhesh

0 Helpful

Go to solution
Dan Frey
Cisco Employee
Cisco Employee
In response to mahesh18

‎05-09-2012 06:48 PM

The term enterprise and managed service provider was to imply to different administrative domains.   Such as the the enterprise tacacs server does not have the same usernames as the managed service provider tacacs server.  

Hope this helps.

Dan

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Dan Frey

‎05-09-2012 06:56 PM

Hi Dan,

If you can explain above statement in more detail that will be really helpfull.

Thanks

Mahesh

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Dan Frey

‎04-22-2013 05:48 PM

Hi Daniel,

Sorry for the very late reply.

Just want to make sure this question is marked as answer.

Thanks

Mahesh

0 Helpful

Go to solution
Mark DeLong
Level 4
Level 4
In response to Dan Frey

‎08-28-2012 06:44 PM

Great answer! Thx dude...I hate how the Cisco Command Reference is often confusing and doesn't make sense. I wonder if this still works with server groups...though I imagine it does as long as you specify a server in the group defined on the method list your using. Thx dude!

Mark DeLong

0 Helpful

Go to solution
Kyujin Choi
Level 1
Level 1
In response to Dan Frey

‎02-28-2013 08:08 AM

Thanks for your explanation !!!!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card