11-20-2007 04:50 AM - edited 02-21-2020 01:48 AM
Hi!
Our management LAN for accessing the switch is reachable through a VRF.
I tried to configure TACACS+ for user authentication by specifying "ip tacacs source-interface vlxxx".
This vlxxx is a member of this management VRF.
But the switch does NOT send any TACACS request through that particular VRF.
Could you please help me?
Thanks
Hans
11-20-2007 09:15 AM
VRF-aware TACACS+ is supported from 12.3(7)T and higher on IOS routers.
Please refer to the URL below for details:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080434619.html
If you are talking about a Cat6500, then this feature is not supported as of today.
I hope it helps.
Regards,
Arul
** Please rate if the info helps **
11-30-2007 09:11 AM
I'm having the same problem on a Catalyst 3750 switch. Does anyone know of a solution?
11-20-2008 09:50 AM
I'm having the same issue with a router running: c2800nm-advipservicesk9-mz.124-15.T1.bin
The config is as follows:
aaa new-model
!
!
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.49 port 49 key 7 143A070718xxxxx26616572000156
 ip vrf forwarding XXXX-General
 ip tacacs source-interface GigabitEthernet0/0.9
!
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
ip vrf XXXX-General
 rd 1:10
 route-target export 1:10
 route-target import 1:10
!
ip vrf XXXX-Guest
 rd 1:30
 route-target export 1:30
 route-target import 1:30
!
ip vrf XXXX-Voice
 rd 1:20
 route-target export 1:20
 route-target import 1:20
!
interface GigabitEthernet0/0
 description port21-switch(10.27.1.30)-trunk
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding XXXX-General
 ip address 10.27.1.1 255.255.0.0
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 172
 ip vrf forwarding XXXX-Guest
 ip address 172.16.27.1 255.255.255.0
!
interface GigabitEthernet0/0.9
 encapsulation dot1Q 9
 ip vrf forwarding XXXX-General
 ip address 10.235.30.1 255.255.255.0
 h323-gateway voip bind srcaddr 10.235.30.1
!
interface Serial0/0/0:1
 description Sprint MPLS
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 service-policy output WAN-INGRESS
!
interface Serial0/0/0:1.301 point-to-point
 ip vrf forwarding XXXX-General
 ip address 10.150.1.1 255.255.255.240
 frame-relay interface-dlci 301
!
interface Serial0/0/0:1.401 point-to-point
 ip vrf forwarding XXXX-Voice
 ip address 10.151.1.1 255.255.255.240
 frame-relay interface-dlci 401
!
interface Serial0/0/0:1.501 point-to-point
 ip vrf forwarding XXXX-Guest
 ip address 10.152.1.1 255.255.255.240
 frame-relay interface-dlci 501
!
router eigrp 100
 no auto-summary
 !
 address-family ipv4 vrf XXXX-Voice
  auto-summary
  autonomous-system 20
 exit-address-family
 !
 address-family ipv4 vrf XXXX-Guest
  network 172.16.0.0
  auto-summary
  autonomous-system 30
 exit-address-family
 !
 address-family ipv4 vrf XXXX-General
  redistribute bgp 65001 metric 10000 100 255 1 1500
  network 10.27.0.0 0.0.255.255
  no auto-summary
  autonomous-system 2
 exit-address-family
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf XXXX-Voice
  neighbor 10.151.1.2 remote-as 1803
  neighbor 10.151.1.2 password 7 153E0xxxxx3627
  neighbor 10.151.1.2 version 4
  neighbor 10.151.1.2 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf XXXX-Guest
  neighbor 10.152.1.2 remote-as 1803
  neighbor 10.152.1.2 password 7 1062001xxx318180138
  neighbor 10.152.1.2 version 4
  neighbor 10.152.1.2 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf XXXX-General
  neighbor 10.150.1.2 remote-as 1803
  neighbor 10.150.1.2 password 7 07232xxxx41816031719
  neighbor 10.150.1.2 version 4
  neighbor 10.150.1.2 activate
  no synchronization
  network 10.27.0.0 mask 255.255.0.0
  network 10.235.30.0 mask 255.255.255.0
 exit-address-family
!
ip tacacs source-interface GigabitEthernet0/0.9
tacacs-server host 10.1.2.49
tacacs-server directed-request
tacacs-server key 7 080Cxxxxxxxxxx
Any insight would be great.
Chris Serafin
11-20-2008 12:45 PM
Fixed it!
aaa new-model
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.149 port 49 key 7 002906xxxA03
 ip vrf forwarding Chmbr-General ! This is to be omitted for devices without VRF's
 ip tacacs source-interface GigabitEthernet0/0.9
!
aaa authentication login default group TACACSGROUP local
aaa authentication login console group TACACSGROUP local
aaa accounting exec default start-stop group TACACSGROUP
aaa accounting commands 1 default start-stop group TACACSGROUP
aaa accounting commands 15 default start-stop group TACACSGROUP
aaa accounting connection default start-stop group TACACSGROUP
aaa accounting system default start-stop group TACACSGROUP
!
aaa session-id common
ip tacacs source-interface GigabitEthernet0/0.9
tacacs-server host 10.1.2.149
tacacs-server directed-request
tacacs-server key 7 09615x02567A7B372E
NOTHING on the VTY interfaces.