Tacacs Authentication - VRF ?

Unanswered Question
Nov 20th, 2007

Hi!

Our Management LAN for accessing the switch is reachable through a VRF.

I tried to configure TACACS+ for user authentication by specifying "ip tacacs source-interface vlxxx".

This vlxxx is a member of this Management VRF.

But the switch does NOT send any TACACS request through that particular VRF.

Could you please help me?

Thanks

Hans

Mark Pottebaum Fri, 11/30/2007 - 09:11

I'm having the same problem on a Catalyst 3750 switch. Does anyone know of a solution?

chrisserafin Thu, 11/20/2008 - 09:50

I'm having the same issue with a router running: c2800nm-advipservicesk9-mz.124-15.T1.bin

The config is as follows:

aaa new-model
!
!
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.49 port 49 key 7 143A070718xxxxx26616572000156
 ip vrf forwarding XXXX-General
 ip tacacs source-interface GigabitEthernet0/0.9
!
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
ip vrf XXXX-General
 rd 1:10
 route-target export 1:10
 route-target import 1:10
!
ip vrf XXXX-Guest
 rd 1:30
 route-target export 1:30
 route-target import 1:30
!
ip vrf XXXX-Voice
 rd 1:20
 route-target export 1:20
 route-target import 1:20
interface GigabitEthernet0/0
 description port21-switch(10.27.1.30)-trunk
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding XXXX-General
 ip address 10.27.1.1 255.255.0.0
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 172
 ip vrf forwarding XXXX-Guest
 ip address 172.16.27.1 255.255.255.0
!
interface GigabitEthernet0/0.9
 encapsulation dot1Q 9
 ip vrf forwarding XXXX-General
 ip address 10.235.30.1 255.255.255.0
 h323-gateway voip bind srcaddr 10.235.30.1
interface Serial0/0/0:1
 description Sprint MPLS
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 service-policy output WAN-INGRESS
!
interface Serial0/0/0:1.301 point-to-point
 ip vrf forwarding XXXX-General
 ip address 10.150.1.1 255.255.255.240
 frame-relay interface-dlci 301
!
interface Serial0/0/0:1.401 point-to-point
 ip vrf forwarding XXXX-Voice
 ip address 10.151.1.1 255.255.255.240
 frame-relay interface-dlci 401
!
interface Serial0/0/0:1.501 point-to-point
 ip vrf forwarding XXXX-Guest
 ip address 10.152.1.1 255.255.255.240
 frame-relay interface-dlci 501
router eigrp 100
 no auto-summary
 !
 address-family ipv4 vrf XXXX-Voice
  auto-summary
  autonomous-system 20
 exit-address-family
 !
 address-family ipv4 vrf XXXX-Guest
  network 172.16.0.0
  auto-summary
  autonomous-system 30
 exit-address-family
 !
 address-family ipv4 vrf XXXX-General
  redistribute bgp 65001 metric 10000 100 255 1 1500
  network 10.27.0.0 0.0.255.255
  no auto-summary
  autonomous-system 2
 exit-address-family
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf XXXX-Voice
  neighbor 10.151.1.2 remote-as 1803
  neighbor 10.151.1.2 password 7 153E0xxxxx3627
  neighbor 10.151.1.2 version 4
  neighbor 10.151.1.2 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf XXXX-Guest
  neighbor 10.152.1.2 remote-as 1803
  neighbor 10.152.1.2 password 7 1062001xxx318180138
  neighbor 10.152.1.2 version 4
  neighbor 10.152.1.2 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf XXXX-General
  neighbor 10.150.1.2 remote-as 1803
  neighbor 10.150.1.2 password 7 07232xxxx41816031719
  neighbor 10.150.1.2 version 4
  neighbor 10.150.1.2 activate
  no synchronization
  network 10.27.0.0 mask 255.255.0.0
  network 10.235.30.0 mask 255.255.255.0
 exit-address-family
!
ip tacacs source-interface GigabitEthernet0/0.9
tacacs-server host 10.1.2.49
tacacs-server directed-request
tacacs-server key 7 080Cxxxxxxxxxx

Any insight would be great.


Chris Serafin

chrisserafin Thu, 11/20/2008 - 12:45

Fixed it!

aaa new-model
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.149 port 49 key 7 002906xxxA03
 ip vrf forwarding Chmbr-General ! This is to be omitted for devices without VRFs
 ip tacacs source-interface GigabitEthernet0/0.9
!
aaa authentication login default group TACACSGROUP local
aaa authentication login console group TACACSGROUP local
aaa accounting exec default start-stop group TACACSGROUP
aaa accounting commands 1 default start-stop group TACACSGROUP
aaa accounting commands 15 default start-stop group TACACSGROUP
aaa accounting connection default start-stop group TACACSGROUP
aaa accounting system default start-stop group TACACSGROUP
!
aaa session-id common
ip tacacs source-interface GigabitEthernet0/0.9
tacacs-server host 10.1.2.149
tacacs-server directed-request
tacacs-server key 7 09615x02567A7B372E

NOTHING on the VTY interfaces.
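Comparing the failing and working configs in this thread, the change that matters is that the method lists now reference TACACSGROUP, the server group that carries the VRF binding, instead of the global tacacs+ group, whose hosts are reached through the global routing table. As an added audit check (not code from the thread), this Python snippet parses IOS-style AAA lines and flags that mismatch; the sample configs are constructed from the two posted above and the function names are my own.

```python
import re
# Constructed from the thread's two configs: the failing AAA lines, then the working ones.
BROKEN_CONFIG = """\
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.49 port 49 key 7 <redacted>
 ip vrf forwarding XXXX-General
!
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.1.2.49
"""
FIXED_CONFIG = """\
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.149 port 49 key 7 <redacted>
 ip vrf forwarding Chmbr-General
aaa authentication login default group TACACSGROUP local
aaa accounting exec default start-stop group TACACSGROUP
"""

def tacacs_groups(config):
    """Map each 'aaa group server tacacs+' name to its VRF (None when global)."""
    groups, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level line ends an open block
            current = None
        head = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if head:
            current = head.group(1)
            groups[current] = None
        elif current and line.startswith(" ip vrf forwarding "):
            groups[current] = line.split()[-1]
    return groups

def referenced_groups(config):
    """Server groups named by aaa authentication/authorization/accounting lines."""
    refs = set()
    for line in config.splitlines():
        if line.startswith(("aaa authentication", "aaa authorization", "aaa accounting")):
            refs.update(re.findall(r"group (\S+)", line))
    return refs

def audit(config):
    """Find a VRF-bound group no method list uses, and lists still on global 'tacacs+' (no VRF)."""
    groups, refs = tacacs_groups(config), referenced_groups(config)
    findings = [f"group {n} bound to VRF {v} is never referenced"
                for n, v in groups.items() if v and n not in refs]
    if "tacacs+" in refs and any(groups.values()):
        findings.append("method list uses global 'tacacs+' instead of the VRF-bound group")
    return findings
```

Run audit() over a saved running-config to catch the same mistake before the first login attempt fails.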
