Kingsley, you are correct. They still need to be globally configured. If they do share a similar key, then you can just configure one key for the AAA client to use with all AAA servers. Such as:

aaa group server tacacs+ TACACS-SERVERS
 server 192.168.10.49
 server 192.168.20.49
 server 192.168.30.49

tacacs-server host 192.168.10.49
tacacs-server host 192.168.20.49
tacacs-server host 192.168.30.49
tacacs-server key CISCO1234

Kamran - for ASA, you can do the same thing. The "show run" output will look like this once you've completed your config.

aaa-server TACACS-SERVERS protocol tacacs+
aaa-server TACACS-SERVERS (inside) host 192.168.10.49
 key CISCO1234
aaa-server TACACS-SERVERS (inside) host 192.168.20.49
 key CISCO1234
aaa-server TACACS-SERVERS (inside) host 192.168.30.49
 key CISCO1234

Mark

On Thu, Jun 16, 2011 at 7:41 AM, kamran shakil <[email protected]> wrote:
> Hey Mark,
> as you said about IOS devices, how about doing the same on ASA??? Any
> comments on that?
>
> regards,
> Kamran.
>
> On Thu, Jun 16, 2011 at 2:04 AM, Mark Senteza <[email protected]> wrote:
>> Yes, you can do that.
>>
>> I usually prefer to configure using server groups, e.g. on IOS devices:
>>
>> aaa group server tacacs+ TACACS-SERVERS
>>  server 192.168.10.49
>>  server 192.168.20.49
>>  server 192.168.30.49
>>
>> tacacs-server key ahf89bb8g
>>
>> aaa authentication login VTY-LOGIN group TACACS-SERVERS
>>
>> Like Kingsley mentioned, the first listed server is tried first, and so
>> on. So you can tailor the server group to list the local site's ACS server
>> as the first one, then the remote ones follow.
>>
>> I'm assuming that you've got ACS replication set up between your servers
>> too.
>>
>> Mark
>>
>> On Wed, Jun 15, 2011 at 3:23 AM, Kingsley Charles <[email protected]> wrote:
>>> With IOS switches and routers, the global servers are tried in the order in
>>> which they are configured. In the config given below, 10.20.30.40 is tried
>>> first and then 10.77.165.203.
>>>
>>> tacacs-server host 10.20.30.40 key cisco
>>> tacacs-server host 10.20.30.50 key cisco
>>>
>>> With ASA, the same rule applies. In the config given below,
>>> 10.20.30.40 is tried first and then 10.77.165.203.
>>>
>>> aaa-server tac protocol tacacs+
>>> aaa-server tac (outside) host 10.20.30.40
>>>  key ******
>>> aaa-server tac (outside) host 10.20.30.50
>>>  key ******
>>>
>>> By doing this, we get the backup solution.
>>>
>>> With regards
>>> Kings
>>>
>>> On Wed, Jun 15, 2011 at 10:26 AM, ccie2b wannabccie <[email protected]> wrote:
>>>> Dears,
>>>>
>>>> I have 3 sites and each site has an ACS. They are working locally for
>>>> their sites.
>>>>
>>>> Can I have each of the 3 sites use the other locations' ACS servers as
>>>> backup if their primary ACS is not working?
>>>>
>>>> I want to know this for all the 3 AAA?
>>>>
>>>> This question is for ROUTERS / SWITCHES / ASA FIREWALLS?
>>>>
>>>> I know all CISCO ROUTERS / ASA FIREWALLS / SWITCHES L3 would support it,
>>>> but want to know if I can have more than 1 ACS server to act as fallback
>>>> for the primary ACS.
>>>>
>>>> Note: I am not asking for a fallback to the local database, I am asking for
>>>> TACACS primary and TACACS secondary and TACACS tertiary! Hope I am clear
>>>> here!!!!
>>>>
>>>> I am a regular reader of the forum, but just registered and did my
>>>> first post!!!!
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com
>
> --
> Name: Kamran Shakil
> CCIE Security # 28832
> http://linkedin.com/in/kamranshakil
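A small audit script, added here as an example and not written by anyone in the thread, that parses the legacy IOS TACACS+ lines discussed above (server group, tacacs-server host, tacacs-server key), reports each group's servers in the order they are tried and where each server's key comes from, so a server with neither a per-host nor a global key, or one listed in a group but never defined as a host, is caught before it is relied on as a fallback. The two configs inside it are constructed samples, and the line formats it accepts are an assumption limited to the options shown in the thread.

```python
import re
# Constructed sample configs (not from any real device). The first mirrors the IOS
# config in the thread; the second has no global key and lists an undefined server.
SAMPLE_OK = """aaa group server tacacs+ TACACS-SERVERS
 server 192.168.10.49
 server 192.168.20.49
 server 192.168.30.49
tacacs-server host 192.168.10.49
tacacs-server host 192.168.20.49
tacacs-server host 192.168.30.49 key cisco
tacacs-server key CISCO1234
"""
SAMPLE_BAD = """aaa group server tacacs+ REMOTE
 server 10.20.30.40
 server 10.20.30.50
tacacs-server host 10.20.30.40
"""

def parse_tacacs_config(text):
    """Return (groups, hosts, global_key): groups maps name -> servers in the order
    they are tried; hosts maps host -> per-host key, or None when none is set."""
    groups, hosts, global_key, current = {}, {}, None, None
    for line in text.splitlines():
        if m := re.match(r"aaa group server tacacs\+ (\S+)", line):
            current = groups.setdefault(m.group(1), [])
            continue
        if (m := re.match(r" +server (\S+)", line)) and current is not None:
            current.append(m.group(1))
            continue
        if m := re.match(r"tacacs-server host (\S+)(?:.* key (\S+))?", line):
            hosts[m.group(1)] = m.group(2)
        elif m := re.match(r"tacacs-server key (\S+)", line):
            global_key = m.group(1)
        if not line.startswith(" "):
            current = None  # any other top-level command ends the group block
    return groups, hosts, global_key

def key_source(host, hosts, global_key):
    """MISSING / NOT-DEFINED mean the client cannot authenticate to that server."""
    if host not in hosts:
        return "NOT-DEFINED"
    if hosts[host]:
        return "per-host"
    return "global" if global_key else "MISSING"

def audit_groups(text):
    """Per group: [(try order, host, key source), ...] in configured order."""
    groups, hosts, global_key = parse_tacacs_config(text)
    return {name: [(i, h, key_source(h, hosts, global_key)) for i, h in enumerate(servers, 1)]
            for name, servers in groups.items()}
```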
