Configuration for RADIUS and TACACS+ AAA on a Cisco MDS switch can be distributed using the Cisco Fabric Services (CFS). The distribution is disabled by default.
After the distribution is enabled, the first server or global configuration command starts an implicit session. All server configuration commands entered thereafter are stored in a temporary database and applied to all switches in the fabric (including the originating one) only when you explicitly commit the database. All server and global parameters are distributed except the server and global keys. These keys are secrets unique to a switch and are never sent to other switches, so they must be configured on each switch individually.
Only switches where distribution is enabled can participate in the distribution activity. A distribution session starts the moment you begin a RADIUS/TACACS+ server or global configuration.
RADIUS configuration distribution is enabled with the radius distribute command, and TACACS+ configuration distribution is enabled with the tacacs+ distribute command. Each command is entered on every switch that should take part.
After the implicit distribution session has started, you can check the session status using the show tacacs+ distribution status and show radius distribution status commands for TACACS+ and RADIUS server distribution, respectively.
After you issue the first configuration command related to AAA servers, all server and global configurations that are created (including the configuration that caused the distribution session start) are stored in a temporary buffer, not in the running configuration. To commit the configuration changes, you can use the radius commit or tacacs+ commit command.
Aborting a session in progress drops the configuration held in the temporary buffer, so none of it is applied anywhere. To discard the in-progress RADIUS or TACACS+ distribution session, use the radius abort or tacacs+ abort command, respectively. To clear an ongoing CFS distribution session (if any) and unlock the fabric for the RADIUS or TACACS+ feature, use the clear radius session or clear tacacs+ session command.
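The complete RADIUS session described above, as an added example that is not part of the original page: the switch names, addresses, ports, timers and the placeholder secrets are assumed values. TACACS+ follows the same sequence with tacacs+ distribute, tacacs-server host, show tacacs+ distribution status, tacacs+ commit and tacacs+ abort.

```text
! Added example (not from the original page). Names, addresses and timers are assumed.
! Step 1: enable CFS distribution for RADIUS on every switch that should take part.
! It is off by default, and this command itself is run per switch, not distributed.
switch-1# configure terminal
switch-1(config)# radius distribute

! Step 2: the first server/global command opens the implicit session and locks the
! fabric for the RADIUS application. From here on, every server and global command
! lands in the temporary buffer, not in the running configuration.
switch-1(config)# radius-server host 10.10.0.11 auth-port 1812 acct-port 1813 timeout 5 retransmit 3
switch-1(config)# radius-server host 10.10.0.12 auth-port 1812 acct-port 1813 timeout 5 retransmit 3
switch-1(config)# radius-server timeout 5
switch-1(config)# radius-server retransmit 3

! Step 3: confirm the session is open and the fabric lock is held by this switch.
switch-1(config)# show radius distribution status

! Step 4: push the buffer to every distribution-enabled switch, including this one.
switch-1(config)# radius commit

! A session you do not want to keep (here a mistyped address) is aborted instead;
! the buffer is dropped and the lock released, nothing reaches any switch.
switch-1(config)# radius-server host 10.10.0.21 auth-port 1812 acct-port 1813
switch-1(config)# radius abort

! If a lock is left behind (for example the admin CLI session died mid-session),
! clear it so other switches can start their own session.
switch-1# clear radius session

! Step 5: the shared secrets are never distributed. Configure the global key and any
! per-server key locally on EVERY switch; a per-server key overrides the global one
! for that host. The values below are placeholders.
switch-1(config)# radius-server key 0 <global-secret-for-switch-1>
switch-1(config)# radius-server host 10.10.0.11 key 0 <secret-for-host-11>
switch-2(config)# radius-server key 0 <global-secret-for-switch-2>
switch-2(config)# radius-server host 10.10.0.11 key 0 <secret-for-host-11>
```

Use different secrets per switch where the RADIUS server supports per-client secrets; a compromised switch then exposes only its own credential, which is the reason the keys are excluded from distribution in the first place.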
Merging RADIUS and TACACS+ Configurations
The RADIUS and TACACS+ server and global configurations are merged when two fabrics merge. The merged configuration is applied to the CFS distribution-enabled switches.
When merging the fabric, be aware of the following conditions:
The server groups are not merged.
The server and global keys are not changed during the merge.
The merged configuration contains all servers found on all CFS-enabled switches.
The timeout and retransmit parameters of the merged configuration are the largest values found per server and global configuration.
Note
If two switches have the same server configured with conflicting ports, the merge fails.
Use the show radius distribution status or show tacacs+ distribution status command to view the status of the RADIUS or TACACS+ fabric merge.
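A pre-merge check that follows from the conditions above, as an added example that is not part of the original page: switch names, addresses and ports are assumed. It is run on one distribution-enabled switch in each fabric before the ISL between them is brought up, so that a port conflict is fixed in advance rather than discovered as a failed merge.

```text
! Added example (not from the original page); names, addresses and ports are assumed.
! Run on a distribution-enabled switch in EACH fabric before connecting them.

! Which CFS applications have distribution enabled on this switch.
fabric-a-sw# show cfs application

! Server entries: these are unioned across the merge, so compare host, ports,
! timeout and retransmit with the other fabric. Same host with a different port
! on the two sides means the merge fails.
fabric-a-sw# show radius-server
fabric-a-sw# show tacacs-server

! Server groups are NOT merged; each switch keeps its own, so check that the
! groups on this side still make sense once the other side's servers appear.
fabric-a-sw# show radius-server groups
fabric-a-sw# show tacacs-server groups

! Commit or abort any open session first so the fabric lock is released.
fabric-a-sw# show radius distribution status
fabric-a-sw# show tacacs+ distribution status

! Assumed conflict: fabric A has 10.10.0.11 on auth-port 1645, fabric B on 1812.
! Align fabric A and commit before cabling the ISL. After the merge, the larger
! timeout/retransmit seen on either side is what every switch ends up with.
fabric-a-sw# configure terminal
fabric-a-sw(config)# radius-server host 10.10.0.11 auth-port 1812 acct-port 1813
fabric-a-sw(config)# radius commit

! Once the ISL is up, confirm the merge outcome on a switch in each fabric.
fabric-a-sw# show radius distribution status
fabric-b-sw# show radius distribution status
```

Keys are untouched by the merge, so a switch from fabric B receives fabric A's server entry for 10.10.0.11 but still authenticates to it with whatever key is configured locally on that switch; add the per-server or global key there if it is missing.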