5508 (8.2.170) 5520 (8.5.135) and 3504 (8.5.135) TACACS with Hot standby Controllers

quintinellis (Level 1)

Hi, good day,

How do you configure TACACS on an HA pair? Do you add both redundancy IPs to TACACS? What about the VIP (management IP), do you need to add this to ISE as well?

In other words, from the ISE perspective, to have SSH access to the CLI, do you add the redundancy WLC IPs of both the primary and secondary WLCs?

Also, from the ISE perspective, for GUI access, do you add the actual management IP as well, so having 3 IPs/devices added to ISE?

 

Thanks in advance

Q

Accepted Solution

ammahend (VIP)

Yes, add all 3 IPs: the VIP and the redundancy IPs for both.

 

The standby WLC uses the redundancy management interface for any external communications, such as when talking to the Syslog, NTP server, TFTP server, and so on. On the standby WLC, management user authentication and accounting is performed on the redundancy management interface. A RADIUS or TACACS+ server can be used for user authentication, apart from a local management user account. To support this, the redundancy interface IP address(es) should be added as a network device on the RADIUS or TACACS+ server.

-hope this helps-


8 Replies

Why would you want/need the standby WLC talking with the various servers? Not much is happening with the standby in an HA pair. It has always been our practice to just use the VIP, as then whichever one is active will communicate with the syslog/TACACS/RADIUS servers. NTP (time) is shared through the sync between the Active and Standby. TFTP? What files would you even be able to upload to a standby WLC? And why would you want to?

Solarwinds is our monitoring tool of choice and currently our standard.

So from this point of view I only monitor the management IP.

It just so happened that a controller (the primary) failed and I was not aware of it, due to the fact that I am not monitoring the actual redundancy IPs.

Further to this, the HA broke due to a licensing issue, hence why I need to get to the secondary/standby WLC via CLI at least.

Hope this makes sense?

Have a great day!

:)


Ok. I can understand that. I would think you can enter the other IPs as a ping only in Solarwinds, so you can at least get an up/down status.

Hi,

Yes, I have in the meantime removed the management IP and added the redundant primary and secondary IPs and, as you have stated, the secondary with only ICMP, because SNMP is not available.

Have a great weekend!!!

:)


Thanks for the confirmation, I used the following steps:

1. Had 3 IPs added to ISE (VIP, Pri and Sec).
2. CLI to the primary redundancy IP.
3. Add the TACACS configs (Pri and Sec synced, verified with the show tacacs CLI commands).
4. Open a new session via CRT and test the TACACS credentials.

Thanks for the help guys, much appreciated.

Q
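The accepted solution and the steps above come down to one check: is every address the pair can source TACACS+ requests from (the VIP and both redundancy management IPs) known to the server as a network device, and is the WLC pointed at the server. Below is an added example in Python that performs that check offline; it is not code from this thread, from Cisco or from ISE. It compares the three addresses against the network-device prefixes already registered on the TACACS+ server, builds the entries that are missing, and emits the AireOS lines the WLC side needs. The ISE ERS network-device JSON shape and the exact AireOS command syntax are the author's assumptions and must be verified against the ISE ERS API reference and the AireOS command reference for your release; the sample addresses and registered prefixes are constructed.

```python
# Added example (not from the thread, Cisco or ISE): work out which of a WLC HA
# pair's addresses still need to be registered as TACACS+ network devices, and
# build the entries.  The ISE ERS JSON shape in build_ers_network_device() and
# the AireOS command syntax in aireos_tacacs_commands() are the author's
# assumptions; check them against the ISE ERS API reference and the AireOS
# command reference for your release before use.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class WlcHaPair:
    """The three addresses a WLC HA pair can source TACACS+ requests from."""
    name: str
    management_vip: str        # floating management IP, owned by the active unit
    redundancy_primary: str    # redundancy management IP of the primary unit
    redundancy_secondary: str  # redundancy management IP of the secondary unit

    def tacacs_sources(self):
        """Label -> IP for every address the TACACS+ server may see as a client.
        The standby answers on its redundancy management IP, and a unit that has
        dropped out of the pair has only that address, so all three count."""
        return {
            f"{self.name}-vip": self.management_vip,
            f"{self.name}-pri-rmi": self.redundancy_primary,
            f"{self.name}-sec-rmi": self.redundancy_secondary,
        }


def missing_network_devices(pair, registered_prefixes):
    """Return the pair's addresses not covered by any registered network-device
    prefix.  Prefixes may be single hosts ("10.1.1.5" or "10.1.1.5/32") or
    subnets ("10.1.0.0/16"), since ISE lets one network device cover a range."""
    covered = [ipaddress.ip_network(p, strict=False) for p in registered_prefixes]
    return {
        label: ip
        for label, ip in pair.tacacs_sources().items()
        if not any(ipaddress.ip_address(ip) in net for net in covered)
    }


def build_ers_network_device(name, ip, shared_secret, description=""):
    """One ISE ERS network-device body (assumed schema) for a /32 TACACS+ client.
    The shared secret must match the key configured on the WLC."""
    return {
        "NetworkDevice": {
            "name": name,
            "description": description,
            "NetworkDeviceIPList": [{"ipaddress": ip, "mask": 32}],
            "tacacsSettings": {
                "sharedSecret": shared_secret,
                "connectModeOptions": "OFF",
            },
        }
    }


def plan_registrations(pair, registered_prefixes, shared_secret):
    """ERS bodies for every address that is still missing on the server."""
    return [
        build_ers_network_device(label, ip, shared_secret, f"{pair.name} {label}")
        for label, ip in missing_network_devices(pair, registered_prefixes).items()
    ]


def aireos_tacacs_commands(tacacs_servers, key):
    """AireOS CLI lines (assumed syntax) that point the pair at the TACACS+
    servers for authentication, authorization and accounting, then make TACACS+
    the first management login method with local fallback.  Config entered on
    the active unit replicates to the standby; 'show tacacs summary' confirms it."""
    lines = []
    for index, server in enumerate(tacacs_servers, start=1):
        for role in ("auth", "athr", "acct"):
            lines.append(f"config tacacs {role} add {index} {server} 49 ascii {key}")
    lines.append("config aaa auth mgmt tacacs local")
    lines.append("show tacacs summary")
    return lines


# Constructed sample data: a pair whose VIP is already on the TACACS+ server
# but whose redundancy management IPs are not.
SAMPLE_PAIR = WlcHaPair("wlc5520-ha", "10.10.10.5", "10.10.10.6", "10.10.10.7")
SAMPLE_REGISTERED = ["10.10.10.5/32", "10.20.0.0/16"]

if __name__ == "__main__":
    for label, ip in missing_network_devices(SAMPLE_PAIR, SAMPLE_REGISTERED).items():
        print(f"missing on TACACS+ server: {label} {ip}")
    for body in plan_registrations(SAMPLE_PAIR, SAMPLE_REGISTERED, "s3cret"):
        print(body)
    for line in aireos_tacacs_commands(["192.0.2.10", "192.0.2.11"], "s3cret"):
        print(line)
```

The check is worth running before relying on TACACS+ for the standby: a request from a source address the server does not recognise as a network device is not answered, which is exactly the lockout described earlier in the thread when a unit drops out of the pair and is reachable only on its redundancy management IP. Enter the AireOS lines on the active unit, confirm with show tacacs summary, and test the login from a fresh session before closing the one you configured from, as the steps above do.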

Why did you add the 3 IPs to ISE? The floating VIP management IP will work for whichever WLC is active, and that is all TACACS needs. I do see the desire for the Solarwinds monitoring of the redundancy IPs, though.

Hi @quintinellis,

You have to add the management IP address on the TACACS server to log in to your device.

If you want, you can add the redundancy IP address of the standby controller. It helps when the device has gone into maintenance mode and is up on the network but not joined to the HA pair, so you can log in through that address via TACACS and reboot it. This scenario works when you are in a remote office, do not know the local password and TACACS is your 1st priority.

Otherwise there is no need to add the standby IP address, as if the primary fails, the secondary will operate on the management IP address.

HTH,

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question :)