11-20-2007 04:50 AM - edited 02-21-2020 01:48 AM
Hi!
Our management LAN for accessing the switch is reachable through a VRF.
I tried to configure TACACS+ for user authentication by specifying "ip tacacs source-interface vlxxx".
This vlxxx is a member of this Management-VRF.
But the switch does NOT send any TACACS request through that particular VRF.
Could you please help me?
Thanks,
Hans
11-20-2007 09:15 AM
TACACS+ Aware VRF is supported from 12.3(7)T and higher on the IOS Routers.
Please refer to the URL below for details:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080434619.html
If you are talking about a Cat6500, then this feature is not supported as of today.
I hope it helps.
Regards,
Arul
** Please rate if the info helps **
11-30-2007 09:11 AM
I'm having the same problem on a Catalyst 3750 switch. Does anyone know of a solution?
11-20-2008 09:50 AM
I'm having the same issue with a router running: c2800nm-advipservicesk9-mz.124-15.T1.bin
The config is as follows:
aaa new-model
!
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.49 port 49 key 7 143A070718xxxxx26616572000156
 ip vrf forwarding XXXX-General
 ip tacacs source-interface GigabitEthernet0/0.9
!
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
ip vrf XXXX-General
 rd 1:10
 route-target export 1:10
 route-target import 1:10
!
ip vrf XXXX-Guest
 rd 1:30
 route-target export 1:30
 route-target import 1:30
!
ip vrf XXXX-Voice
 rd 1:20
 route-target export 1:20
 route-target import 1:20
!
interface GigabitEthernet0/0
 description port21-switch(10.27.1.30)-trunk
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding XXXX-General
 ip address 10.27.1.1 255.255.0.0
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 172
 ip vrf forwarding XXXX-Guest
 ip address 172.16.27.1 255.255.255.0
!
interface GigabitEthernet0/0.9
 encapsulation dot1Q 9
 ip vrf forwarding XXXX-General
 ip address 10.235.30.1 255.255.255.0
 h323-gateway voip bind srcaddr 10.235.30.1
!
interface Serial0/0/0:1
 description Sprint MPLS
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 service-policy output WAN-INGRESS
!
interface Serial0/0/0:1.301 point-to-point
 ip vrf forwarding XXXX-General
 ip address 10.150.1.1 255.255.255.240
 frame-relay interface-dlci 301
!
interface Serial0/0/0:1.401 point-to-point
 ip vrf forwarding XXXX-Voice
 ip address 10.151.1.1 255.255.255.240
 frame-relay interface-dlci 401
!
interface Serial0/0/0:1.501 point-to-point
 ip vrf forwarding XXXX-Guest
 ip address 10.152.1.1 255.255.255.240
 frame-relay interface-dlci 501
!
router eigrp 100
 no auto-summary
 !
 address-family ipv4 vrf XXXX-Voice
  auto-summary
  autonomous-system 20
 exit-address-family
 !
 address-family ipv4 vrf XXXX-Guest
  network 172.16.0.0
  auto-summary
  autonomous-system 30
 exit-address-family
 !
 address-family ipv4 vrf XXXX-General
  redistribute bgp 65001 metric 10000 100 255 1 1500
  network 10.27.0.0 0.0.255.255
  no auto-summary
  autonomous-system 2
 exit-address-family
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf XXXX-Voice
  neighbor 10.151.1.2 remote-as 1803
  neighbor 10.151.1.2 password 7 153E0xxxxx3627
  neighbor 10.151.1.2 version 4
  neighbor 10.151.1.2 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf XXXX-Guest
  neighbor 10.152.1.2 remote-as 1803
  neighbor 10.152.1.2 password 7 1062001xxx318180138
  neighbor 10.152.1.2 version 4
  neighbor 10.152.1.2 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf XXXX-General
  neighbor 10.150.1.2 remote-as 1803
  neighbor 10.150.1.2 password 7 07232xxxx41816031719
  neighbor 10.150.1.2 version 4
  neighbor 10.150.1.2 activate
  no synchronization
  network 10.27.0.0 mask 255.255.0.0
  network 10.235.30.0 mask 255.255.255.0
 exit-address-family
!
ip tacacs source-interface GigabitEthernet0/0.9
tacacs-server host 10.1.2.49
tacacs-server directed-request
tacacs-server key 7 080Cxxxxxxxxxx
Any insight would be great.
Chris Serafin
11-20-2008 12:45 PM
Fixed it!
aaa new-model
!
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.149 port 49 key 7 002906xxxA03
 ! The next line is to be omitted for devices without VRFs
 ip vrf forwarding Chmbr-General
 ip tacacs source-interface GigabitEthernet0/0.9
!
! Method lists reference the named group, not the generic "group tacacs+"
aaa authentication login default group TACACSGROUP local
aaa authentication login console group TACACSGROUP local
aaa accounting exec default start-stop group TACACSGROUP
aaa accounting commands 1 default start-stop group TACACSGROUP
aaa accounting commands 15 default start-stop group TACACSGROUP
aaa accounting connection default start-stop group TACACSGROUP
aaa accounting system default start-stop group TACACSGROUP
!
aaa session-id common
ip tacacs source-interface GigabitEthernet0/0.9
tacacs-server host 10.1.2.149
tacacs-server directed-request
tacacs-server key 7 09615x02567A7B372E
NOTHING on the VTY interfaces.
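As an added example (not code from the thread or from Cisco), the Python script below audits an IOS configuration for the exact mistake the two posts above illustrate: AAA method lists that point at the global "group tacacs+" while the only VRF-bound servers live in a named server group, so the VRF is never used. The two sample configs are constructed to mirror the broken and fixed posts; the key string is a placeholder.

```python
import re
# Constructed samples: method lists bound to the global 'group tacacs+' (broken)
# versus the named, VRF-bound TACACSGROUP (fixed), mirroring the thread.
BROKEN = """aaa new-model
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.49 port 49 key 7 PLACEHOLDER
 ip vrf forwarding XXXX-General
 ip tacacs source-interface GigabitEthernet0/0.9
!
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
"""
FIXED = (BROKEN.replace("group tacacs+ local", "group TACACSGROUP local")
               .replace("start-stop group tacacs+", "start-stop group TACACSGROUP"))

GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)$")
METHOD_RE = re.compile(r"^aaa (?:authentication|authorization|accounting) (.+?) group (\S+)")
GROUP_BODY = ("server-private ", "server ", "ip vrf forwarding ", "ip tacacs source-interface ")

def parse_tacacs_groups(config):
    """Map each 'aaa group server tacacs+' name to its VRF (or None) and server IPs."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # works whether or not indentation survived extraction
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = {"vrf": None, "servers": []}
        elif current and line.startswith(GROUP_BODY):
            if line.startswith("ip vrf forwarding "):
                groups[current]["vrf"] = line.split()[3]
            elif line.startswith(("server-private ", "server ")):
                groups[current]["servers"].append(line.split()[1])
        else:
            current = None  # any other line (e.g. '!') closes the group block
    return groups

def audit(config):
    """List method lists that can never reach the VRF-bound TACACS+ servers."""
    groups = parse_tacacs_groups(config)
    vrf_groups = [name for name, g in groups.items() if g["vrf"]]
    findings = []
    for raw in config.splitlines():
        m = METHOD_RE.match(raw.strip())
        if not m:
            continue
        method, group = m.groups()
        if group == "tacacs+" and vrf_groups:  # global servers ignore the VRF
            findings.append(f"{method}: 'group tacacs+' bypasses VRF group(s) {', '.join(vrf_groups)}")
        elif group != "tacacs+" and group not in groups:
            findings.append(f"{method}: references undefined group {group}")
    return findings
```

Run it against a saved "show running-config" and an empty result means every TACACS+ method list is wired to a VRF-aware group.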