Explanation of "tacacs-server directed-request"
According to Cisco documentation, the "tacacs-server directed-request" command causes the router to split each username into two parts, separated by the @ symbol. The first part is the actual username used for authentication; the second part is the name of the TACACS server to send the request to. Disabling this feature causes the TACACS servers to be queried in order; the entire username string is used for authentication. As I understand it, if TACACS+ asks for a username and one enters:
Username: username@10.10.10.1
Password:
R1#
..then the TACACS+ server at 10.10.10.1 is queried instead of the first TACACS+ server specified in the router configuration? In addition, 10.10.10.1 needs to be one of the servers listed in the router configuration with the "tacacs-server host" command?