RE: Question regarding tacacs

From: Ryan West <rwest_at_zyedge.com>
Date: Wed, 21 Apr 2010 12:25:25 +0000

Sadiq,

> -----Original Message-----
> Sent: Wednesday, April 21, 2010 7:14 AM
> To: Naufal Jamal
> Cc: Sadiq Yakasai; ccielab_at_groupstudy.com
> Subject: Re: Question regarding tacacs
>
> Hi,
>
> On Wed, Apr 21, 2010 at 8:56 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> > If you change the IP address of the TACACS interface, that will effectively
> > make the device unknown to ACS. This means that the next time you try to
> > authenticate (and get access to the device in question), it will not have
> > connectivity to the AAA server.
> >
> > I don't think this will affect authenticated sessions on the device though.
> > So if you are logged in, you won't be booted off the box. So you can have a
> > chance to make all necessary corrections before your 'resignation letter'
> > comes along... :-)
>
> I mostly agree, but --
>
> Whether the change of IP affects connectivity to the TACACS host
> depends on a number of things: IP connectivity between the device and
> the host, how the device is provisioned in the TACACS config (note the
> OP did not mention ACS), etc. If the device has been set up
> explicitly (with a specific IP, as distinct from a wildcard), I agree,
> TACACS connections will come from an 'unknown' IP and will likely be
> ignored/dumped.
>
> The most likely hiccup I can see is if command authorization or
> command accounting is configured, especially if configured for
> commands issued in config mode. It shouldn't be a big problem though,
> it'll just make things a bit slow until the device is talking properly
> to the TACACS server.
>
> To the OP: I would just ensure you had a second session open, in
> config mode, just in case something goes wrong in the first session.
> If you have SNMP r/w access to the device, you can get yourself out of
> trouble by instructing the router to copy a config snippet from a TFTP
> server into running config (this is left as an exercise for the reader
> but it's saved me lots of times). There's always "reload in n" as
> well.
>

You already have a lot of great information here. One thing to add though: if you're using ACS, you can always put in the new temporary address (egress interface) and your expected new address. If you're running config-commands, you may want to just remove this before your upgrade and add it back once you've verified your work is complete. I could be wrong, but I think the default timeout for TACACS+ is 4 seconds, so you'll be waiting for each command a while :)

-ryan

Received on Wed Apr 21 2010 - 12:25:25 ART
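The SNMP/TFTP recovery trick that the quoted reply leaves "as an exercise for the reader", written out as an added example (mine, not code from either poster or from the thread): it drives CISCO-CONFIG-COPY-MIB with net-snmp's snmpset/snmpget to merge a file from a TFTP server into running-config, the same effect as typing "copy tftp: running-config" on the box, but without needing a TACACS+-authenticated session. The router address, community string, TFTP server and file name below are placeholders; the OIDs are the standard ccCopyEntry columns. It assumes SNMPv2c read-write access that is reachable from the host you run it on. Keep in mind that an RW community is itself a credential worth guarding: anyone who has it can do exactly this to your router.

```shell
#!/bin/sh
# Added example (not from the thread): push a config snippet from a TFTP
# server into running-config over SNMP, using CISCO-CONFIG-COPY-MIB.
# Requires net-snmp (snmpset, snmpget) and SNMP read-write access, which
# does not depend on TACACS+ being reachable.
# Router, community, TFTP server and file name are placeholders.

CCCOPY='1.3.6.1.4.1.9.9.96.1.1.1.1'   # ccCopyEntry

# Print the varbinds that create and start one ccCopyEntry row.
# Args: row-index  tftp-server-ip  filename-on-tftp-server
ccopy_varbinds() {
    row=$1; server=$2; file=$3
    printf '%s.2.%s i 1 '  "$CCCOPY" "$row"            # ccCopyProtocol       = tftp(1)
    printf '%s.3.%s i 1 '  "$CCCOPY" "$row"            # ccCopySourceFileType = networkFile(1)
    printf '%s.4.%s i 4 '  "$CCCOPY" "$row"            # ccCopyDestFileType   = runningConfig(4)
    printf '%s.5.%s a %s ' "$CCCOPY" "$row" "$server"  # ccCopyServerAddress  (IpAddress)
    printf '%s.6.%s s %s ' "$CCCOPY" "$row" "$file"    # ccCopyFileName
    printf '%s.14.%s i 4'  "$CCCOPY" "$row"            # ccCopyEntryRowStatus = createAndGo(4)
}

# Decode ccCopyState: waiting(1) running(2) successful(3) failed(4).
ccopy_state_name() {
    case "$1" in
        1) echo waiting ;;
        2) echo running ;;
        3) echo successful ;;
        4) echo failed ;;
        *) echo "unknown($1)" ;;
    esac
}

# Merge FILE from TFTP SERVER into running-config on ROUTER and wait for the result.
# Args: router  rw-community  tftp-server-ip  filename
ccopy_tftp_to_running() {
    router=$1; community=$2; server=$3; file=$4
    row=$$    # any unused Unsigned32 works as ccCopyIndex; the shell PID is convenient

    # shellcheck disable=SC2046  (word-splitting of the varbind list is intended)
    snmpset -v2c -c "$community" "$router" $(ccopy_varbinds "$row" "$server" "$file") || return 1

    # Poll ccCopyState until the copy finishes; -Oqve prints the bare integer.
    rc=1
    for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
        state=$(snmpget -v2c -c "$community" -Oqve "$router" "$CCCOPY.10.$row")
        echo "ccCopyState: $(ccopy_state_name "$state")"
        case "$state" in
            3) rc=0; break ;;
            4) echo "ccCopyFailCause: $(snmpget -v2c -c "$community" -Oqve "$router" "$CCCOPY.13.$row")"; break ;;
        esac
        sleep 1
    done

    # Destroy the row afterwards; finished rows otherwise linger in ccCopyTable.
    snmpset -v2c -c "$community" "$router" "$CCCOPY.14.$row" i 6 >/dev/null
    return $rc
}

# Usage (placeholders):
#   ccopy_tftp_to_running 192.0.2.1 's3cretRW' 192.0.2.10 fix-tacacs.cfg
# where fix-tacacs.cfg on the TFTP server holds the corrected
# "tacacs-server host ..." / "ip tacacs source-interface ..." lines.
# The copy into running-config merges them, just as "copy tftp: running-config" would.
```

The file on the TFTP server is merged, not substituted, so keep it to the handful of lines that repair the AAA configuration; anything else in it will also land in the running config. Pair this with the "reload in n" guard the reply mentions, and cancel the reload ("reload cancel") only once a fresh TACACS+-authenticated login succeeds.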
