DENY IP – road to CCIE security

Multiple TACACS+ servers with different keys

Posted in AAA, ACS, ccsp by denyip on August 4, 2008

Have you ever tried to add more than one TACACS+ server? When I tried, I was forced to use the same authentication key for all of them (which could be a security issue):

tacacs-server host 192.168.1.100
tacacs-server host 192.168.1.101
tacacs-server key secretkey

This differs from the RADIUS command, where you can specify the key after the IP address:

radius-server host 192.168.1.100 key secretkey1
radius-server host 192.168.1.101 key secretkey2

Now I have found a workaround that does the same for TACACS+: it can be done with the server-private command under aaa group server.
NOTE: this command was introduced in IOS 12.3(7)T, so it doesn't apply to the current blueprint version.

aaa group server tacacs+ my-servers
 server-private 192.168.1.100 key secretkey1
 server-private 192.168.1.101 key secretkey2
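As an added check that is not part of the original post: a small Python audit that reads an IOS configuration snippet and reports TACACS+ servers that end up presenting the same shared secret, whether because the hosts fall back to the global tacacs-server key or because server-private keys repeat. The two sample configs are constructed from the post's own examples; keys are treated as a single token, with an optional 0/7 encryption-type digit skipped.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample configs (not captured from a real device).
GLOBAL_KEY_CONFIG = """\
tacacs-server host 192.168.1.100
tacacs-server host 192.168.1.101
tacacs-server key secretkey
"""

PRIVATE_KEY_CONFIG = """\
aaa group server tacacs+ my-servers
 server-private 192.168.1.100 key secretkey1
 server-private 192.168.1.101 key secretkey2
"""

# Host lines in either the legacy global form or the per-group private form.
HOST_RE = re.compile(r"^(?:tacacs-server host|server-private)\s+(\S+)(.*)$")
# `key [0|7] <secret>` appearing after the host address.
KEY_RE = re.compile(r"\bkey\s+(?:[07]\s+)?(\S+)")
GLOBAL_KEY_RE = re.compile(r"^tacacs-server key\s+(?:[07]\s+)?(\S+)$")


def tacacs_keys(config: str) -> Dict[str, Optional[str]]:
    """Map each TACACS+ server to the key it will actually use.

    A host without its own `key` falls back to the global `tacacs-server key`
    (wherever in the config that line appears); None means no key at all."""
    per_host: Dict[str, Optional[str]] = {}
    global_key: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        g = GLOBAL_KEY_RE.match(line)
        if g:
            global_key = g.group(1)
            continue
        h = HOST_RE.match(line)
        if h:
            k = KEY_RE.search(h.group(2))
            per_host[h.group(1)] = k.group(1) if k else None
    return {host: (key if key is not None else global_key)
            for host, key in per_host.items()}


def shared_key_groups(config: str) -> List[List[str]]:
    """Return groups of servers that share one key (the weakness the post describes).
    Servers with no key at all are grouped together under None as well."""
    by_key: Dict[Optional[str], List[str]] = defaultdict(list)
    for host, key in tacacs_keys(config).items():
        by_key[key].append(host)
    return [sorted(hosts) for hosts in by_key.values() if len(hosts) > 1]
```

Running shared_key_groups over the first config flags both hosts as a group; over the server-private config it returns an empty list.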
