06-07-2019 01:45 AM - edited 07-05-2021 10:31 AM
Hi, good day,
How do you configure TACACS on an HA pair? Do you add both redundancy IPs to TACACS? What about the VIP (management IP), do you need to add this to ISE as well?
In other words, from the ISE perspective, to have SSH access to the CLI, do you add the redundancy WLC IPs of both the primary and secondary WLCs?
Also, from the ISE perspective for GUI access, do you add the actual management IP as well, so having 3 IPs/devices added to ISE?
Thanks in advance
Q
06-07-2019 04:23 AM
Yes, add all 3 IPs: the VIP and the redundancy IPs for both.
The standby WLC uses the redundancy management interface for any external communications, such as when talking to Syslog, NTP server, TFTP server, and so on. On the standby WLC, management user authentication and accounting are performed on the redundancy management interface. A RADIUS or TACACS+ server can be used for user authentication, apart from a local management user account. To support this, the redundancy interface IP address(es) should be added as a network device on the RADIUS or TACACS+ server.
06-07-2019 06:48 AM
Why would you want/need the stand-by WLC talking with the various servers? Not much is happening with the stand-by in an HA pair. It has always been our practice to just use the VIP, as then whoever is the active will communicate with the syslog/tacacs/radius servers. NTP (time) is shared through the sync between the Active and Stand-by. TFTP? What files would you even be able to upload to a stand-by WLC? And why would you want to?
Thanks for the confirmation, I used the following steps:
Had 3 IPs added to ISE (VIP, Pri and Sec)
CLI to the primary redundancy IP
Add TACACS configs (Pri and Sec sync verified with show tacacs CLI commands)
Open a new session via CRT and test TACACS credentials.
Thanks for the help guys, much appreciated.
Q
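The steps in the post above, written out as an AireOS WLC CLI session. This is an added illustration, not commands posted in the thread; the addresses are constructed (VIP 192.0.2.10, primary redundancy 192.0.2.11, secondary redundancy 192.0.2.12, ISE 198.51.100.5) and the shared secret is a placeholder. Lines starting with "!" are annotations, not commands.

```text
! ISE side (Device Administration > Network Devices): create three network
! devices, one per address, each with Device Admin (TACACS+) enabled and
! the same shared secret:
!   192.0.2.10  (VIP / management IP)   -> GUI and CLI on the active unit
!   192.0.2.11  (primary redundancy IP) -> CLI when this unit is standby
!   192.0.2.12  (secondary redundancy IP)
!
! WLC side: log in to the active unit (the VIP), configure TACACS+ for
! authentication, authorization and accounting. The config is synced to
! the standby over the redundancy link; nothing is typed on the standby.
config tacacs auth add 1 198.51.100.5 49 ascii <SHARED-SECRET-PLACEHOLDER>
config tacacs athr add 1 198.51.100.5 49 ascii <SHARED-SECRET-PLACEHOLDER>
config tacacs acct add 1 198.51.100.5 49 ascii <SHARED-SECRET-PLACEHOLDER>
! Management logins try TACACS+ first, local accounts only as fallback.
config aaa auth mgmt tacacs local
save config

! Verification on the active unit, then on the standby via 192.0.2.12
! (the standby sources its TACACS+ traffic from the redundancy IP, which
! is why ISE must know that address as a network device).
show redundancy summary
show tacacs summary
! Before closing the working session, open a second SSH session to the VIP
! and to each redundancy IP with an ISE-backed account; a successful login
! shows up in 'show tacacs auth statistics' and in ISE's TACACS Live Log.
show tacacs auth statistics
```

Keep the original session open until the second login succeeds, so a typo in the shared secret or a missing network device in ISE cannot lock you out of the controller.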
06-07-2019 07:02 AM - edited 06-07-2019 07:04 AM
Hi @quintinellis ,
You have to add the management IP address on the TACACS server for login to your device.
If you want, you can add the redundancy IP address of the Standby controller. It helps when the device has gone into Maintenance mode and is up on the network, but has not joined the HA pair. So you can log in via that address and reboot it, logging in through TACACS. This scenario applies when you're in a remote office, don't know the local password, and TACACS is your first priority.
Otherwise there is no need to add the Standby IP address, since if the primary fails, the Secondary will operate on the Management IP address.
HTH,