AAA Server Distribution - Cisco MDS 9000 Series Configuration Manual

Configuring Security Features on an External AAA Server
Configuring TACACS+ Server Monitoring

Step 4
switch(config-tacacs+)# server ServerA
Configures ServerA to be tried first within the server group TacacsServer1.
Tip: If the specified TACACS+ server is not found, configure it using the tacacs-server host command and retry this command.
Step 5
switch(config-tacacs+)# server ServerB
Configures ServerB to be tried second within the server group TacacsServer1.
Step 6
switch(config-tacacs+)# no server ServerB
(Optional) Deletes ServerB from the TacacsServer1 list of servers.
Step 7
switch(config-tacacs+)# deadtime 30
Configures the monitoring dead time for the server group to 30 minutes. The range is 0 through 1440 minutes.
Note: If the dead-time interval for an individual TACACS+ server is greater than 0, that value takes precedence over the value set for the server group.
Step 8
switch(config-tacacs+)# no deadtime 30
(Optional) Reverts to the default value (0 minutes).
Note: If the dead-time interval for both the TACACS+ server group and an individual TACACS+ server in that group is set to 0, the switch does not mark that server as dead when periodic monitoring finds it unresponsive, and it does not perform dead-server monitoring for that server at all. (See the Parameters section, on page 67.)

About Bypassing a Nonresponsive Server
As of Cisco SAN-OS Release 3.0(1), you can bypass a nonresponsive AAA server within a server group. If the switch detects a nonresponsive server, it bypasses that server when authenticating users. Use this feature to minimize login delays caused by a faulty server: instead of sending a request to the nonresponsive server and waiting for the authentication request to time out, the switch sends the request to the next server in the server group. If no other server in the group is responding, the switch continues to attempt authentications against the nonresponsive server.

AAA Server Distribution

Configuration for RADIUS and TACACS+ AAA on an MDS switch can be distributed using Cisco Fabric Services (CFS). Distribution is disabled by default (see the Cisco MDS 9000 Family NX-OS System Management Configuration Guide and the Cisco Fabric Manager System Management Configuration Guide). After you enable distribution, the first server or global configuration command starts an implicit session. All server configuration commands entered thereafter are stored in a temporary database and are applied to all switches in the fabric (including the originating one) only when you explicitly commit the database. All server and global parameters are distributed except the server and global keys. These keys are secrets unique to each switch and are not shared with other switches, so they must be configured locally on every switch that uses the distributed server configuration.
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
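The dead-time precedence rules in the notes to Steps 7 and 8 and the behaviour described under About Bypassing a Nonresponsive Server, worked through as a small model. This is an added example written for this page, not Cisco switch code: the names TacacsServer, TacacsServerGroup, authenticate and demo are assumptions, the model assumes that a server found unresponsive stays bypassed for its effective dead time in minutes, and the responds callback stands in for the TACACS+ exchange (True/False for an answer, None for a timeout). The server names and responses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MAX_DEADTIME = 1440  # the guide gives the deadtime range as 0 through 1440 minutes


def check_deadtime(minutes: int) -> int:
    """Reject dead-time values outside the documented 0..1440 range."""
    if not 0 <= minutes <= MAX_DEADTIME:
        raise ValueError(f"deadtime must be 0..{MAX_DEADTIME} minutes, got {minutes}")
    return minutes


@dataclass
class TacacsServer:
    name: str
    deadtime: int = 0                 # per-server dead time; 0 means not set
    dead_until: Optional[int] = None  # minute at which the dead mark expires (model assumption)

    def __post_init__(self) -> None:
        check_deadtime(self.deadtime)


@dataclass
class TacacsServerGroup:
    name: str
    deadtime: int = 0                 # group dead time, as set with "deadtime <minutes>"
    servers: List[TacacsServer] = field(default_factory=list)

    def __post_init__(self) -> None:
        check_deadtime(self.deadtime)

    def add_server(self, server: TacacsServer) -> None:
        # "server ServerA": servers are tried in the order they are configured
        self.servers.append(server)

    def remove_server(self, name: str) -> None:
        # "no server ServerB"
        self.servers = [s for s in self.servers if s.name != name]

    def effective_deadtime(self, server: TacacsServer) -> int:
        # A per-server dead time greater than 0 takes precedence over the group value.
        return server.deadtime if server.deadtime > 0 else self.deadtime

    def monitoring_enabled(self, server: TacacsServer) -> bool:
        # Group and server both 0: no dead-server monitoring, the server is never marked dead.
        return self.effective_deadtime(server) > 0

    def mark_unresponsive(self, server: TacacsServer, now_min: int) -> bool:
        """Mark a server dead for its effective dead time; returns False when monitoring is off."""
        if not self.monitoring_enabled(server):
            return False
        server.dead_until = now_min + self.effective_deadtime(server)
        return True

    def is_dead(self, server: TacacsServer, now_min: int) -> bool:
        return server.dead_until is not None and now_min < server.dead_until

    def try_order(self, now_min: int) -> List[TacacsServer]:
        """Configured order with dead servers bypassed. With no live server left the
        switch keeps trying the nonresponsive ones, so fall back to the full list."""
        live = [s for s in self.servers if not self.is_dead(s, now_min)]
        return live if live else list(self.servers)


def authenticate(group: TacacsServerGroup, now_min: int,
                 responds: Callable[[str], Optional[bool]]) -> Optional[Tuple[str, bool]]:
    """Send the request down the try order. responds(name) returns True/False for an
    accept/reject and None for a timeout. Returns (server that answered, verdict),
    or None if every server tried timed out."""
    for server in group.try_order(now_min):
        answer = responds(server.name)
        if answer is None:
            group.mark_unresponsive(server, now_min)  # bypass it for later logins
            continue
        return server.name, answer
    return None


def demo() -> Tuple[Optional[Tuple[str, bool]], List[str], List[str]]:
    """Replay the guide's configuration: TacacsServer1, ServerA first, ServerB second, deadtime 30."""
    group = TacacsServerGroup("TacacsServer1", deadtime=30)
    group.add_server(TacacsServer("ServerA"))
    group.add_server(TacacsServer("ServerB"))

    def responds(name: str) -> Optional[bool]:
        # Constructed responses: ServerA never answers, ServerB accepts.
        return None if name == "ServerA" else True

    first = authenticate(group, 0, responds)         # ServerA times out, ServerB answers
    during = [s.name for s in group.try_order(10)]   # ServerA bypassed while marked dead
    after = [s.name for s in group.try_order(30)]    # dead mark expired, ServerA tried first again
    return first, during, after


if __name__ == "__main__":
    print(demo())
```

demo() shows the three states a practitioner cares about: the first login pays one timeout on ServerA and is answered by ServerB, logins during the next 30 minutes go straight to ServerB, and after the dead time expires ServerA is tried first again. Setting a per-server deadtime on one server changes only that server's window, and a group with both values at 0 never bypasses anything, which is why the Step 8 default leaves you paying the full timeout on every login when a server is down.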
