Hi,
On Wed, Apr 21, 2010 at 8:56 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> If you change the IP address of the TACACS interface, that will effectively
> make the device unknown to ACS. This means that the next time you try to
> authenticate (and get access to the device in question), it will not have
> connectivity to the AAA server.
>
> I don't think this will affect authenticated sessions on the device though.
> So if you are logged in, you won't be booted off the box. So you can have a
> chance to make all necessary corrections before your 'resignation letter'
> comes along... :-)
I mostly agree, but --
Whether the change of IP affects connectivity to the TACACS host
depends on a number of things: IP connectivity between the device and
the host, how the device is provisioned in the TACACS config (note the
OP did not mention ACS), etc. If the device has been set up
explicitly (with a specific IP, as distinct from a wildcard), I agree,
TACACS connections will come from an 'unknown' IP and will likely be
ignored/dumped.
The most likely hiccup I can see is if command authorization or
command accounting is configured, especially if configured for
commands issued in config mode. It shouldn't be a big problem though,
it'll just make things a bit slow until the device is talking properly
to the TACACS server.
To the OP: I would just ensure you had a second session open, in
config mode, just in case something goes wrong in the first session.
If you have SNMP r/w access to the device, you can get yourself out of
trouble by instructing the router to copy a config snippet from a TFTP
server into running config (this is left as an exercise for the reader
but it's saved me lots of times). There's always "reload in n" as
well.
cheers,
Dale
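Added example, not part of Dale's message or the thread: a POSIX shell script that does the SNMP read-write rescue he leaves as an exercise, by creating a row in CISCO-CONFIG-COPY-MIB (ccCopyEntry, 1.3.6.1.4.1.9.9.96.1.1.1.1) that tells the router to pull a file from a TFTP server into running-config, then polling ccCopyState until the copy finishes. The OIDs and integer encodings are the ones Cisco documents for that MIB; the router address, community string, TFTP server, file name and the use of SNMPv2c are assumptions for illustration, and net-snmp's snmpset/snmpget are assumed to be installed on the management host.

```shell
#!/bin/sh
# Added example: push a config snippet from a TFTP server into running-config
# over SNMP, using CISCO-CONFIG-COPY-MIB. Router, community, TFTP server and
# file name are assumptions; only the MIB layout below is real.
set -eu

CCCOPY=1.3.6.1.4.1.9.9.96.1.1.1.1   # ccCopyEntry (columns are .N.<row>)
ROW=${ROW:-$$}                      # any unused row index; PID is good enough

# Varbinds for one ccCopy row: protocol=tftp(1), source=networkFile(1),
# destination=runningConfig(4), server address, file name, rowStatus=createAndGo(4).
copy_varbinds() {        # copy_varbinds <tftp-server> <file> <row>
    tftp=$1 file=$2 row=$3
    printf '%s.2.%s i 1 %s.3.%s i 1 %s.4.%s i 4 %s.5.%s a %s %s.6.%s s %s %s.14.%s i 4' \
        "$CCCOPY" "$row" "$CCCOPY" "$row" "$CCCOPY" "$row" \
        "$CCCOPY" "$row" "$tftp" "$CCCOPY" "$row" "$file" "$CCCOPY" "$row"
}

# ccCopyState: waiting(1) running(2) successful(3) failed(4).
# Prints the word; exit status 1 while the copy is still in progress.
copy_state_word() {
    case "$1" in
        1) echo waiting;    return 1 ;;
        2) echo running;    return 1 ;;
        3) echo successful ;;
        4) echo failed ;;
        *) echo unknown;    return 2 ;;
    esac
}

# rescue <router> <rw-community> <tftp-server> <file> [row]
# Creates the copy row, waits up to ~20 s for a result, then destroys the row
# (rowStatus=destroy(6)) so it does not linger. Returns 0 only on success.
rescue() {
    router=$1 community=$2 tftp=$3 file=$4 row=${5:-$ROW}
    word=running
    # Word splitting is intended here: none of the varbind values contain spaces.
    # shellcheck disable=SC2046
    snmpset -v2c -c "$community" "$router" $(copy_varbinds "$tftp" "$file" "$row") >/dev/null
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        state=$(snmpget -v2c -c "$community" -Oqv "$router" "$CCCOPY.10.$row")
        if word=$(copy_state_word "$state"); then
            break
        fi
        sleep 2
    done
    echo "copy $word"
    snmpset -v2c -c "$community" "$router" "$CCCOPY.14.$row" i 6 >/dev/null
    [ "$word" = successful ]
}

# Example invocation (addresses are placeholders):
#   ./rescue.sh 192.0.2.1 private 192.0.2.50 rescue.cfg
if [ $# -ge 4 ]; then
    rescue "$@"
fi
```

The file on the TFTP server is merged into running-config exactly as if pasted at the CLI, so it can carry the corrected `ip tacacs source-interface` or `tacacs-server host` lines (or whatever undoes the change). Note that a read-write community is a credential with full control of the box, so keep it behind an SNMP ACL and view, and prefer SNMPv3 authPriv (`snmpset -v3 ...`) where the platform supports it. If you also armed `reload in n` before the change, remember `reload cancel` once the device is talking to TACACS again.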
Blogs and organic groups at http://www.ccie.net
Received on Wed Apr 21 2010 - 21:13:47 ART
This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:57 ART