understanding tacacs-server directed-request command
I find people getting confused on understanding command “tacacs-server directed-request” on Cisco IOS routers. Lets have a look how does it behaves. Suppose we have two tacacs servers configured on a router.
tacacs-server host 10.0.0.1
tacacs-server host 172.16.0.1
The router will use the IP address which is first appearing in the configuration. In this case it will use 10.0.0.1 and then router will create a session with Tacacs server and user will be authenticated. If first Tacacs IP is not reachable then router will use the other Tacacs IP for authentication.
The usage case of this command “tacacs-server directed-request” is that, it allows a user to specify a particular Tacacs IP address for authentication instead of using the first Tacacs IP address appeared in the configuration. It also applies for authorization and Accounting as well along with Authentication.
Now suppose we also have “tacacs-server directed-request” command with two Tacacs server, one is used as company’s Tacacs Server and other is managed by its Service Provider.
tacacs-server directed-request
tacacs-server host 10.0.0.1
tacacs-server host 172.16.0.1
In this case Company users will be able to login as usual but the service provider need to contact the device as:
[Service_Provider_Machine]$ telnet router_ipUsername: XYZ@172.16.0.1 ===XYZ is the username for authentication with Tacacs IP address 172.16.0.1
Password:
Router>
I hope this would help you in understanding the command “tacacs-server directed-request” on Cisco Routers.
Deepak Sharma, CCIE#37340
admin administrator
1 Comment so far
Vinod kumarPosted on2:28 pm - Jan 18, 2016
Thanks for this wonderful explanation, I was really confused about this command. Thanks!!
About the author