TACACS+ through a VPN

matthewmphc
Level 1

I have a VPN site-to-site tunnel between a 3000 series concentrator and a Cisco router, with the router being the remote end. I would like to be able to use TACACS for my AAA services on the router. The router's inside interface address is 172.16.1.1, and my crypto map ACL allows the entire 172.16.1.0 255.255.255.0 subnet to talk to the head end, with the reverse crypto map ACL on the concentrator. Traffic passes fine, but if I try to telnet to the router, it's not prompting me for TACACS. I'm pretty sure my TACACS config is OK. Should I be able to use TACACS across the VPN? The TACACS server is on the head end, by the way, and its address is within the crypto map ACL.

7 Replies

mattiaseriksson
Level 3

Have you configured ip tacacs source-interface on the router?

Yes, I have that on. Strange thing is that the switch on the remote end, which is directly connected to this router, does its TACACS just fine. I did a debug on TACACS and attempted to log in to the router; this is what it said.

Aug 29 11:01:52.086: TPLUS: Queuing AAA Authentication request 20 for processing
Aug 29 11:01:52.086: TPLUS: processing authentication start request id 20
Aug 29 11:01:52.086: TPLUS: Authentication start packet created for 20()
Aug 29 11:01:52.086: TPLUS: Using server 10.1.100.30
Aug 29 11:01:52.086: TPLUS(00000014)/0/NB_WAIT/83950DC4: Started 5 sec timeout
Aug 29 11:01:57.086: TPLUS(00000014)/0/NB_WAIT/83950DC4: timed out
Aug 29 11:01:57.086: TPLUS(00000014)/0/NB_WAIT/83950DC4: timed out, clean up
Aug 29 11:01:57.086: TPLUS(00000014)/0/83950DC4: Processing the reply packet
Aug 29 11:02:03.798: TPLUS: Queuing AAA Authentication request 20 for processing
Aug 29 11:02:03.798: TPLUS: processing authentication start request id 20
Aug 29 11:02:03.798: TPLUS: Authentication start packet created for 20()
Aug 29 11:02:03.798: TPLUS: Using server 10.1.100.30
Aug 29 11:02:03.798: TPLUS(00000014)/0/NB_WAIT/83950DC4: Started 5 sec timeout
Aug 29 11:02:08.798: TPLUS(00000014)/0/NB_WAIT/83950DC4: timed out
Aug 29 11:02:08.798: TPLUS(00000014)/0/NB_WAIT/83950DC4: timed out, clean up
Aug 29 11:02:08.798: TPLUS(00000014)/0/83950DC4: Processing the reply packet

And you can't see any requests in the TACACS log file?

Then perhaps the best workaround is to add the outside interface of the router to the crypto ACL, and use that to source the TACACS traffic.

I don't know why I didn't think to look at the logs on the ACS. However, I just did and it comes up seeing the request as an "unknown NAS". I checked the network device group to make sure that this router was in it, and it is. I am using the LAN interface of the router as the ip of the network device in TACACS. If I change it to use the public address, I'll have to make static routing changes all over the network.

And I tried to add the public ip to the crypto map as you suggested, to no avail.

Is there a trick I can use to get this to work?

If you see the unknown NAS message you need to verify that the AAA client is configured under the Network Configuration section, and that you have the right ip-address. That should be the problem.

Adding the public IP to the crypto map will only work if you can make the required routing changes; you will also need to change the IP address for the NAS in the ACS.

Thanks for all your help. I was able to find the issue. I had to change the ip tacacs source-interface to the VLAN interface of the router, rather than its WAN interface. Not sure why, but that seemed to do it.

Well, the reason is that source-interface specifies what IP address the router will use as the source address when talking to the TACACS server, and obviously you want it to be the one from the internal VLAN interface.

Good that you found it.
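The thread boils down to two checks on the address the router sources its TACACS+ packets from: it must match the crypto ACL (so the request is encrypted into the tunnel instead of being routed in the clear and timing out, as in the debug above), and it must be the address the ACS has registered as the AAA client (otherwise the ACS logs "unknown NAS"). The following Python model is an added example written for this page, not code from the thread or from Cisco; it reproduces the three situations the poster went through. The 172.16.1.0/24 subnet, the 172.16.1.1 inside address and the 10.1.100.30 server come from the thread; the 10.1.100.0/24 head-end subnet, the 203.0.113.2 WAN address and the `diagnose` helper are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One permit line of a crypto map ACL: source network -> destination network."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_matches(acl, src_ip, dst_ip):
    """True if any entry of the crypto ACL covers this source/destination pair."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(src in entry.src and dst in entry.dst for entry in acl)


def diagnose(source_ip, server_ip, crypto_acl, acs_clients):
    """Model the two conditions a TACACS+ request must satisfy over a site-to-site VPN.

    source_ip   - address chosen by 'ip tacacs source-interface' on the router
    server_ip   - the TACACS+ server the router is configured to use
    crypto_acl  - the router's crypto map ACL (what gets encrypted into the tunnel)
    acs_clients - set of NAS addresses the ACS has under Network Configuration
    """
    if not acl_matches(crypto_acl, source_ip, server_ip):
        # Traffic outside the crypto ACL never enters the tunnel; the request is
        # routed in the clear toward a private address and the 5 s timeout fires.
        return "not-encrypted: source address is outside the crypto ACL"
    if source_ip not in acs_clients:
        # The packet arrives, but the ACS cannot match the NAS address and drops it.
        return "unknown-nas: ACS has no AAA client entry for this source address"
    return "ok"


# Constructed sample topology based on the addresses in the thread.
SERVER = "10.1.100.30"
INSIDE_IP = "172.16.1.1"          # router VLAN / inside interface (from the thread)
WAN_IP = "203.0.113.2"            # router outside interface (constructed placeholder)
HEAD_END = ipaddress.ip_network("10.1.100.0/24")   # assumed server-side subnet

CRYPTO_ACL = [AclEntry(ipaddress.ip_network("172.16.1.0/24"), HEAD_END)]
ACS_CLIENTS = {INSIDE_IP}         # ACS knows the router only by its LAN address

# Scenario 2 from the thread: public IP added to the crypto map, ACS unchanged.
CRYPTO_ACL_WITH_WAN = CRYPTO_ACL + [AclEntry(ipaddress.ip_network(WAN_IP + "/32"), HEAD_END)]


def run_scenarios():
    """Return the diagnosis for each configuration the poster tried."""
    return {
        "source=WAN, ACL=inside only": diagnose(WAN_IP, SERVER, CRYPTO_ACL, ACS_CLIENTS),
        "source=WAN, ACL=inside+WAN": diagnose(WAN_IP, SERVER, CRYPTO_ACL_WITH_WAN, ACS_CLIENTS),
        "source=VLAN, ACL=inside only": diagnose(INSIDE_IP, SERVER, CRYPTO_ACL, ACS_CLIENTS),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The first scenario matches the timeouts in the debug output, the second matches the "unknown NAS" entry on the ACS after the public address was added to the crypto map, and the third is the working configuration once the source interface points at the VLAN interface. When extending the model to a real network, the same two checks apply in the same order: first confirm the chosen source address is in the interesting traffic ACL on both ends, then confirm the ACS client entry uses that exact address.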