RE: PIX: AAA TACACS Failover

From: Ryan West <rwest_at_zyedge.com>
Date: Sat, 1 Aug 2009 09:31:53 -0400

Patience ... Roughly 5 minutes seems to clear up the process and it will begin using the new servers.

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ryan West
Sent: Saturday, August 01, 2009 8:49 AM
To: Cisco certification
Subject: OT: PIX: AAA TACACS Failover

So, I have this situation...

A customer had a billing issue and will not have their same IP block returned to them, and they were housing their ACS on that subnet. Local authentication is working fine and I'm able to change all the TACACS info to point to the new location. The routers and ASAs are easy to get re-configured. The problem is the PIXes (another reason to trash the 506E, besides just being ugly and non-upgradeable): I can't seem to figure out a sequence that gets AAA to reset itself. Once the failover to the LOCAL database takes place, it does not try to remove the stale server and re-auth with the new one.

Here is the sequence I'm using:

no aaa authorization command TACACS LOCAL
no aaa authentication http console TACACS LOCAL
no aaa authentication telnet console TACACS LOCAL
no aaa authentication enable console TACACS LOCAL
no aaa authentication ssh console TACACS LOCAL
no aaa-server TACACS (outside) host x.x.x.x IamYourTacacsKEY timeout 10
aaa-server TACACS (outside) host x.x.x.x IamYourTacacsKEY timeout 5
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL

At this point, I can still only log in using the LOCAL db. The only 'fix' at this point is to either wait for some timer that I'm not familiar with (nor have the patience for) or reboot. After a reboot, all is well. Any ideas?

-ryan
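The behaviour Ryan describes (re-adding the aaa-server has no effect until a timer expires or the box reboots) is what you would expect if the firewall treats the fallback to LOCAL as a group-level "dead" state with its own timer that a configuration change does not reset. The Python model below is an added illustration of that assumed mechanism, not PIX code and not taken from any Cisco documentation; the 300-second dead time is a constructed value chosen to match the "roughly 5 minutes" observed in the thread, and the server addresses are placeholders.

```python
"""Toy model of an AAA server group that falls back to LOCAL for a dead time.

Added example (hypothetical mechanism, not PIX/ASA code): the group is marked
dead when every server in it fails, LOCAL is used until the dead timer expires,
and editing the server list does NOT clear that timer. A reboot does.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DEADTIME_SECONDS = 300.0  # assumed; matches the ~5 minutes reported in the thread


@dataclass
class AAAServer:
    host: str          # placeholder address, e.g. "old-acs" / "new-acs"
    reachable: bool    # whether TACACS+ requests to it currently succeed


@dataclass
class AAAServerGroup:
    servers: List[AAAServer] = field(default_factory=list)
    dead_until: float = 0.0  # while now < dead_until the group is skipped

    def remove_server(self, host: str) -> None:
        # Modelled on "no aaa-server ... host": the entry goes away, but the
        # group-level dead timer is deliberately left untouched.
        self.servers = [s for s in self.servers if s.host != host]

    def add_server(self, host: str, reachable: bool) -> None:
        self.servers.append(AAAServer(host, reachable))

    def reboot(self) -> None:
        # A reload starts with no dead state, which is why it "fixes" things.
        self.dead_until = 0.0

    def authenticate(self, now: float) -> str:
        """Return which database answered a login at time `now`."""
        if now < self.dead_until:
            return "LOCAL"                      # still in fallback, servers not tried
        for server in self.servers:
            if server.reachable:
                return "TACACS"                 # first working server wins
        self.dead_until = now + DEADTIME_SECONDS  # all failed: mark group dead
        return "LOCAL"


def ryans_sequence(reboot: bool = False) -> List[str]:
    """Replay the thread: old server gone, swap in new one, log in again."""
    group = AAAServerGroup([AAAServer("old-acs", reachable=False)])
    results = []
    results.append(group.authenticate(now=0))        # old server fails -> LOCAL
    group.remove_server("old-acs")                   # no aaa-server ... old host
    group.add_server("new-acs", reachable=True)      # aaa-server ... new host
    if reboot:
        group.reboot()
    results.append(group.authenticate(now=20))       # right after the change
    results.append(group.authenticate(now=301))      # after the dead time
    return results


if __name__ == "__main__":
    print("wait:  ", ryans_sequence())              # ['LOCAL', 'LOCAL', 'TACACS']
    print("reboot:", ryans_sequence(reboot=True))   # ['LOCAL', 'TACACS', 'TACACS']
```

The model reproduces both outcomes from the thread: immediately after the server swap the login still lands on LOCAL, after the timer it lands on TACACS, and a reboot skips the wait. If the real device behaves this way, the defensive takeaway is to expect a window after any TACACS server move during which only LOCAL credentials work, so keep those credentials strong and the change logged.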

Blogs and organic groups at http://www.ccie.net
Received on Sat Aug 01 2009 - 09:31:53 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:56 ART