Changing the TACACS+ Server

Use the following steps to change TACACS+ server configuration to avoid service interruption of authentication and authorization.
  1. Unconfigure the existing primary TACACS+ server.
    Note

    Note

    The command disable tacacs is not required while changing TACACS+ servers.

    If only a single TACACS+ server is configured, you must disable TACACS authorization (if enabled) before reconfiguring TACACS+ server:

    disable tacacs-authorization

    To unconfigure the existing primary TACACS+ server:

    unconfigure tacacs server [primary | secondary]

    Note

    Note

    After this step, TACACS+ will failover to secondary server.
  2. Configure the new primary TACACS+ server:

    configure tacacs [primary | secondary] server [host_ipaddr | host_ipV6addr | hostname] {tcp_port} client-ip [client_ipaddr | client_ipV6addr] {vr vr_name}

  3. Configure the shared-secret password for primary TACACS+ server:

    configure tacacs [primary | secondary] shared-secret {encrypted} string

    Note

    Note

    Only after configuring shared-secret password for primary server, TACACS+ will fallback to primary server from secondary.
  4. Unconfigure existing secondary TACACS+ server:

    unconfigure tacacs server [primary | secondary]

  5. Configure new secondary TACACS+ server:

    configure tacacs [primary | secondary] server [host_ipaddr | host_ipV6addr | hostname] {tcp_port} client-ip [client_ipaddr | client_ipV6addr] {vr vr_name}

  6. Configure shared-secret password for secondary TACACS+ server:

    configure tacacs [primary | secondary] shared-secret {encrypted} string