Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2965
Views
15
Helpful
4
Replies

Tacacs Authentication - VRF ?

schimeha1977
Level 1
Level 1

‎11-20-2007 04:50 AM - edited ‎02-21-2020 01:48 AM

Hi !

Our Management LAN for accessing the switch is reachable through a VRF.

I tried to configure TACACS+ for User Authentication - by specifying "ip tacacs source-interface vlxxx".

This vlxxx is member of this Managment-VRF.

But the switch does NOT send any TACACS request through that particular VRF.

Could you plz help me ?

thx

Hans

0 Helpful
4 Replies 4

ajagadee
Cisco Employee
Cisco Employee

‎11-20-2007 09:15 AM

TACACS+ Aware VRF is supported from 12.3(7)T and higher on the IOS Routers.

Please refer the below URL for details:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080434619.html

If you are talking about a Cat6500, then this feature is not supported as of today.

I hope it helps.

Regards,

Arul

** Please rate if the info helps **

Mark Pottebaum
Level 1
Level 1

‎11-30-2007 09:11 AM

I'm having the same problem on a Catalyst 3750 switch. Does anyone know of a solution?

0 Helpful

chrisserafin
Level 1
Level 1
In response to Mark Pottebaum

‎11-20-2008 09:50 AM

I'm having the same issue with a router running: c2800nm-advipservicesk9-mz.124-15.T1.bin

The config is as follows:

aaa new-model

!

!

aaa group server tacacs+ TACACSGROUP

server-private 10.1.2.49 port 49 key 7 143A070718xxxxx26616572000156

ip vrf forwarding XXXX-General

ip tacacs source-interface GigabitEthernet0/0.9

!

aaa authentication login default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

ip vrf XXXX-General

rd 1:10

route-target export 1:10

route-target import 1:10

!

ip vrf XXXX-Guest

rd 1:30

route-target export 1:30

route-target import 1:30

!

ip vrf XXXX-Voice

rd 1:20

route-target export 1:20

route-target import 1:20

interface GigabitEthernet0/0

description port21-switch(10.27.1.30)-trunk

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/0.1

encapsulation dot1Q 1 native

ip vrf forwarding XXXX-General

ip address 10.27.1.1 255.255.0.0

!

interface GigabitEthernet0/0.2

encapsulation dot1Q 172

ip vrf forwarding XXXX-Guest

ip address 172.16.27.1 255.255.255.0

!

interface GigabitEthernet0/0.9

encapsulation dot1Q 9

ip vrf forwarding XXXX-General

ip address 10.235.30.1 255.255.255.0

h323-gateway voip bind srcaddr 10.235.30.1

interface Serial0/0/0:1

description Sprint MPLS

no ip address

encapsulation frame-relay

frame-relay lmi-type ansi

service-policy output WAN-INGRESS

!

interface Serial0/0/0:1.301 point-to-point

ip vrf forwarding XXXX-General

ip address 10.150.1.1 255.255.255.240

frame-relay interface-dlci 301

!

interface Serial0/0/0:1.401 point-to-point

ip vrf forwarding XXXX-Voice

ip address 10.151.1.1 255.255.255.240

frame-relay interface-dlci 401

!

interface Serial0/0/0:1.501 point-to-point

ip vrf forwarding XXXX-Guest

ip address 10.152.1.1 255.255.255.240

frame-relay interface-dlci 501

router eigrp 100

no auto-summary

!

address-family ipv4 vrf XXXX-Voice

auto-summary

autonomous-system 20

exit-address-family

!

address-family ipv4 vrf XXXX-Guest

network 172.16.0.0

auto-summary

autonomous-system 30

exit-address-family

!

address-family ipv4 vrf XXXX-General

redistribute bgp 65001 metric 10000 100 255 1 1500

network 10.27.0.0 0.0.255.255

no auto-summary

autonomous-system 2

exit-address-family

!

router bgp 65001

no synchronization

bgp log-neighbor-changes

no auto-summary

!

address-family ipv4 vrf XXXX-Voice

neighbor 10.151.1.2 remote-as 1803

neighbor 10.151.1.2 password 7 153E0xxxxx3627

neighbor 10.151.1.2 version 4

neighbor 10.151.1.2 activate

no synchronization

exit-address-family

!

address-family ipv4 vrf XXXX-Guest

neighbor 10.152.1.2 remote-as 1803

neighbor 10.152.1.2 password 7 1062001xxx318180138

neighbor 10.152.1.2 version 4

neighbor 10.152.1.2 activate

no synchronization

exit-address-family

!

address-family ipv4 vrf XXXX-General

neighbor 10.150.1.2 remote-as 1803

neighbor 10.150.1.2 password 7 07232xxxx41816031719

neighbor 10.150.1.2 version 4

neighbor 10.150.1.2 activate

no synchronization

network 10.27.0.0 mask 255.255.0.0

network 10.235.30.0 mask 255.255.255.0

exit-address-family

!

ip tacacs source-interface GigabitEthernet0/0.9

tacacs-server host 10.1.2.49

tacacs-server directed-request

tacacs-server key 7 080Cxxxxxxxxxx

Any insight would be great.

cserafin@rkon.com

Chris Serafin

chrisserafin
Level 1
Level 1
In response to chrisserafin

‎11-20-2008 12:45 PM

Fixed it!:

aaa new-model

aaa group server tacacs+ TACACSGROUP

server-private 10.1.2.149 port 49 key 7 002906xxxA03

ip vrf forwarding Chmbr-General ! This is to be omitted for devices without VRF's

ip tacacs source-interface GigabitEthernet0/0.9

!

aaa authentication login default group TACACSGROUP local

aaa authentication login console group TACACSGROUP local

aaa accounting exec default start-stop group TACACSGROUP

aaa accounting commands 1 default start-stop group TACACSGROUP

aaa accounting commands 15 default start-stop group TACACSGROUP

aaa accounting connection default start-stop group TACACSGROUP

aaa accounting system default start-stop group TACACSGROUP

!

aaa session-id common

ip tacacs source-interface GigabitEthernet0/0.9

tacacs-server host 10.1.2.149

tacacs-server directed-request

tacacs-server key 7 09615x02567A7B372E

NOTHING on the VTY interfaces.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card