TACACS+ Authentication - VRF?

schimeha1977
Level 1

Hi!

Our management LAN for accessing the switch is reachable through a VRF.

I tried to configure TACACS+ for user authentication by specifying "ip tacacs source-interface vlxxx".

This vlxxx is a member of this management VRF.

But the switch does NOT send any TACACS+ request through that particular VRF.

Could you please help me?

Thanks

Hans

4 Replies

ajagadee
Cisco Employee

VRF-aware TACACS+ is supported from 12.3(7)T and higher on IOS routers.

Please refer to the URL below for details:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080434619.html

If you are talking about a Cat6500, then this feature is not supported as of today.

I hope it helps.

Regards,

Arul

** Please rate if the info helps **

Mark Pottebaum
Level 1

I'm having the same problem on a Catalyst 3750 switch. Does anyone know of a solution?

I'm having the same issue with a router running: c2800nm-advipservicesk9-mz.124-15.T1.bin

The config is as follows:

aaa new-model
!
!
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.49 port 49 key 7 143A070718xxxxx26616572000156
 ip vrf forwarding XXXX-General
 ip tacacs source-interface GigabitEthernet0/0.9
!
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
ip vrf XXXX-General
 rd 1:10
 route-target export 1:10
 route-target import 1:10
!
ip vrf XXXX-Guest
 rd 1:30
 route-target export 1:30
 route-target import 1:30
!
ip vrf XXXX-Voice
 rd 1:20
 route-target export 1:20
 route-target import 1:20
!
interface GigabitEthernet0/0
 description port21-switch(10.27.1.30)-trunk
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding XXXX-General
 ip address 10.27.1.1 255.255.0.0
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 172
 ip vrf forwarding XXXX-Guest
 ip address 172.16.27.1 255.255.255.0
!
interface GigabitEthernet0/0.9
 encapsulation dot1Q 9
 ip vrf forwarding XXXX-General
 ip address 10.235.30.1 255.255.255.0
 h323-gateway voip bind srcaddr 10.235.30.1
!
interface Serial0/0/0:1
 description Sprint MPLS
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 service-policy output WAN-INGRESS
!
interface Serial0/0/0:1.301 point-to-point
 ip vrf forwarding XXXX-General
 ip address 10.150.1.1 255.255.255.240
 frame-relay interface-dlci 301
!
interface Serial0/0/0:1.401 point-to-point
 ip vrf forwarding XXXX-Voice
 ip address 10.151.1.1 255.255.255.240
 frame-relay interface-dlci 401
!
interface Serial0/0/0:1.501 point-to-point
 ip vrf forwarding XXXX-Guest
 ip address 10.152.1.1 255.255.255.240
 frame-relay interface-dlci 501
!
router eigrp 100
 no auto-summary
 !
 address-family ipv4 vrf XXXX-Voice
  auto-summary
  autonomous-system 20
 exit-address-family
 !
 address-family ipv4 vrf XXXX-Guest
  network 172.16.0.0
  auto-summary
  autonomous-system 30
 exit-address-family
 !
 address-family ipv4 vrf XXXX-General
  redistribute bgp 65001 metric 10000 100 255 1 1500
  network 10.27.0.0 0.0.255.255
  no auto-summary
  autonomous-system 2
 exit-address-family
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf XXXX-Voice
  neighbor 10.151.1.2 remote-as 1803
  neighbor 10.151.1.2 password 7 153E0xxxxx3627
  neighbor 10.151.1.2 version 4
  neighbor 10.151.1.2 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf XXXX-Guest
  neighbor 10.152.1.2 remote-as 1803
  neighbor 10.152.1.2 password 7 1062001xxx318180138
  neighbor 10.152.1.2 version 4
  neighbor 10.152.1.2 activate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf XXXX-General
  neighbor 10.150.1.2 remote-as 1803
  neighbor 10.150.1.2 password 7 07232xxxx41816031719
  neighbor 10.150.1.2 version 4
  neighbor 10.150.1.2 activate
  no synchronization
  network 10.27.0.0 mask 255.255.0.0
  network 10.235.30.0 mask 255.255.255.0
 exit-address-family
!
ip tacacs source-interface GigabitEthernet0/0.9
tacacs-server host 10.1.2.49
tacacs-server directed-request
tacacs-server key 7 080Cxxxxxxxxxx

Any insight would be great.

cserafin@rkon.com

Chris Serafin

Fixed it!

aaa new-model
!
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.149 port 49 key 7 002906xxxA03
 ! The next line is to be omitted for devices without VRFs
 ip vrf forwarding Chmbr-General
 ip tacacs source-interface GigabitEthernet0/0.9
!
aaa authentication login default group TACACSGROUP local
aaa authentication login console group TACACSGROUP local
aaa accounting exec default start-stop group TACACSGROUP
aaa accounting commands 1 default start-stop group TACACSGROUP
aaa accounting commands 15 default start-stop group TACACSGROUP
aaa accounting connection default start-stop group TACACSGROUP
aaa accounting system default start-stop group TACACSGROUP
!
aaa session-id common
!
ip tacacs source-interface GigabitEthernet0/0.9
tacacs-server host 10.1.2.149
tacacs-server directed-request
tacacs-server key 7 09615x02567A7B372E

NOTHING on the VTY interfaces.
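The difference between the two configs in this thread is that the "before" method lists say `group tacacs+` (the built-in group, which uses the global `tacacs-server host` entries and therefore the global routing table) while the fix points every method list at the named group `TACACSGROUP`, which carries the `ip vrf forwarding` and source interface. Because IOS moves to the next method only when the server cannot be reached, the broken form does not fail loudly: logins quietly degrade to the `local` fallback and command accounting is lost. The script below is an added example, not code from this thread or from Cisco. It is a small heuristic parser for `show running-config` text that extracts `aaa group server tacacs+` blocks and AAA method lists and reports method lists that bypass a VRF-bound group. `BROKEN_CONFIG` is a constructed sample modelled on the config posted above, with placeholder type-7 keys; `FIXED_CONFIG` is the same text with the method lists repointed at the named group.

```python
"""Audit a Cisco IOS config for the TACACS+-through-VRF pitfall.

Added example (not from the thread). Heuristic parser for show-run text:
reads 'aaa group server tacacs+' blocks and AAA method lists, then flags
method lists that use the built-in 'tacacs+' group while a VRF-bound
named group exists.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Method keywords IOS accepts in place of 'group <name>', and built-in groups.
BUILTIN_METHODS = {"local", "local-case", "enable", "none", "line", "krb5"}
BUILTIN_GROUPS = {"tacacs+", "radius"}


@dataclass
class TacacsGroup:
    name: str
    servers: list[str] = field(default_factory=list)
    vrf: str | None = None
    source_interface: str | None = None


@dataclass
class MethodList:
    kind: str           # authentication / authorization / accounting
    spec: str           # e.g. "login default", "commands 15 default start-stop"
    methods: list[str]  # ordered: group names or built-in keywords


def parse_tacacs_groups(config: str) -> dict[str, TacacsGroup]:
    """Collect 'aaa group server tacacs+' blocks and their sub-commands."""
    groups: dict[str, TacacsGroup] = {}
    current: TacacsGroup | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or comment line
        m = re.match(r"aaa group server tacacs\+ (\S+)$", line)
        if m:
            current = TacacsGroup(m.group(1))
            groups[current.name] = current
            continue
        if current is None:
            continue
        if (m := re.match(r"server(?:-private)? (\S+)", line)):
            current.servers.append(m.group(1))
        elif (m := re.match(r"(?:ip )?vrf forwarding (\S+)", line)):
            current.vrf = m.group(1)
        elif (m := re.match(r"ip tacacs source-interface (\S+)", line)):
            current.source_interface = m.group(1)
        elif not raw.startswith(" "):
            current = None  # unindented, unrecognised command: block is over
    return groups


def parse_method_lists(config: str) -> list[MethodList]:
    """Split 'aaa authentication/authorization/accounting ...' into spec + methods."""
    lists: list[MethodList] = []
    for raw in config.splitlines():
        m = re.match(r"aaa (authentication|authorization|accounting) (.+)$", raw.strip())
        if not m:
            continue
        kind, tokens = m.group(1), m.group(2).split()
        start = next((i for i, t in enumerate(tokens)
                      if t == "group" or t in BUILTIN_METHODS), len(tokens))
        methods, i = [], start
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists.append(MethodList(kind, " ".join(tokens[:start]), methods))
    return lists


def audit(config: str) -> list[str]:
    """Return human-readable findings; an empty list means no VRF mismatch."""
    groups = parse_tacacs_groups(config)
    vrfs = sorted({g.vrf for g in groups.values() if g.vrf})
    findings: list[str] = []
    for ml in parse_method_lists(config):
        for idx, method in enumerate(ml.methods):
            if method == "tacacs+" and vrfs:
                # Built-in tacacs+ uses global tacacs-server host entries, reached
                # via the global routing table, so the VRF-bound group is bypassed.
                msg = (f"aaa {ml.kind} '{ml.spec}' uses the built-in tacacs+ group; "
                       f"requests will not be sent inside VRF {', '.join(vrfs)}")
                if ml.methods[idx + 1:]:
                    msg += f" and on timeout falls back to {ml.methods[idx + 1:]}"
                findings.append(msg)
            elif method not in BUILTIN_METHODS | BUILTIN_GROUPS and method not in groups:
                findings.append(f"aaa {ml.kind} '{ml.spec}' references undefined group '{method}'")
    for g in groups.values():
        if g.vrf and not g.servers:
            findings.append(f"group {g.name} is bound to VRF {g.vrf} but lists no servers")
    return findings


# Constructed sample modelled on the broken config in this thread; keys are dummies.
BROKEN_CONFIG = """\
aaa new-model
!
aaa group server tacacs+ TACACSGROUP
 server-private 10.1.2.49 port 49 key 7 00000000
 ip vrf forwarding XXXX-General
 ip tacacs source-interface GigabitEthernet0/0.9
!
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
ip tacacs source-interface GigabitEthernet0/0.9
tacacs-server host 10.1.2.49
tacacs-server key 7 00000000
"""

# Same device with every method list pointed at the VRF-bound group.
FIXED_CONFIG = BROKEN_CONFIG.replace("group tacacs+", "group TACACSGROUP")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['OK']}")
```

Run it against `show running-config` output saved to a file by calling `audit(open(path).read())`; the parser relies on the one-space indentation IOS prints for block sub-commands, but it also tolerates a flattened paste like the ones in this thread because a group block ends at the first unrecognised top-level command.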
