I'm not very good with the PIX, but if they're a pair I'd just reboot.
Especially if they're a pair: just reboot the backup, make sure it worked,
and then fail to it, reboot the other one, and leave it on the backup.
Why re-invent the stone wheel when everyone else is running on
steel-belted radials? I'm more of a router jockey, so this is just my
opinion.
Keegan
From: Ryan West <rwest_at_zyedge.com>
To: Cisco certification <ccielab_at_groupstudy.com>
Date: 08/01/2009 08:51 AM
Subject: OT: PIX: AAA TACACS Failover
Sent by: nobody_at_groupstudy.com
So, I have this situation...
A customer had a billing issue and will not have their same IP block
returned to them, and they were housing their ACS on that subnet. Local
authentication is working fine, and I'm able to change all the TACACS info
to point to the new location. The routers and ASAs are easy to get
re-configured. The problem is the PIXes (another reason to trash the
506E, besides its being ugly and non-upgradeable): I can't seem to figure
out a sequence that gets AAA to reset itself. Once the failover to the
LOCAL database takes place, it does not try to remove the stale server and
re-auth with the new one.
Here is the sequence I'm using:
no aaa authorization command TACACS LOCAL
no aaa authentication http console TACACS LOCAL
no aaa authentication telnet console TACACS LOCAL
no aaa authentication enable console TACACS LOCAL
no aaa authentication ssh console TACACS LOCAL
no aaa-server TACACS (outside) host x.x.x.x IamYourTacacsKEY timeout 10
aaa-server TACACS (outside) host x.x.x.x IamYourTacacsKEY timeout 5
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
At this point, I can still only log in using the LOCAL db. The only 'fix'
at this point is either to wait for some timer that I'm not familiar with,
nor have the patience for, or to reboot. After a reboot, all is well. Any
ideas?
-ryan
Blogs and organic groups at http://www.ccie.net
Received on Sat Aug 01 2009 - 14:00:48 ART
This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:56 ART