[tac_plus] Re: tacacs+ redundancy

[Andy Saykao]

Hi Daniel,

I understand the use of the "tacacs-server timeout" but this still
involves the router having to contact the first server, wait for time
out and then try the second server. I know IOS has some mechanism to
mark a radius server dead and use the other radius servers configured,
but not sure if there's such a mechanism to mark the first tacacs+
server as being dead and to deal directly with the second tacacs+
servers so you don't have to wait for the timeout of the first tacacs+
server.

Cheers.

Andy

On Wed, Dec 16, 2009 at 2:41 AM, Schmidt, Daniel
<dan.schmidt at uplinkdata.com> wrote:
> tacacs-server timeout
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Andy Saykao
> Sent: Monday, December 14, 2009 9:01 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] tacacs+ redundancy
>
> I understand you can configure a aaa group so that if the first
> tac_plus server fails to respond, it moves onto the second server.
>
> aaa group server tacacs+ TacPlusServers
>  server 1.2.3.4
>  server 1.2.3.5
> !
> tacacs-server host 1.2.3.4
> tacacs-server host 1.2.3.5
>
> Is there any mechanism/configuration possible where the cisco device
> marks the first server as being dead/unresponsive and uses the second
> server instead until such times as the first server is online again?
> It seems that when the first server dies, you have to wait for the
> timeout period to expire before trying the second server. Would
> certainly be more speedy if there was a way that the IOS could mark
> the first server as being dead and re-try it at a later time while in
> the mean time logging/auth-ing everything to the second server.
>
> Thanks.
>
> Andy
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>