TACACS+ per VRF not supported on my router, would a GRE tunnel work?

Mar 3rd, 2009

Hi,


Basically the problem is that I am working with old routers. I already checked Feature Navigator, and the following commands are not supported on the router for communicating with a TACACS+ server that resides in a VRF:

-----------------------------------------

Configuring Per VRF for TACACS+ Servers: Example

The following output example shows that the group server tacacs1 has been configured for per VRF AAA services:

aaa group server tacacs+ tacacs1
 server-private 10.1.1.1 port 19 key cisco
 ip vrf forwarding cisco
 ip tacacs source-interface Loopback0
!
ip vrf cisco
 rd 100:1
!
interface Loopback0
 ip address 10.0.0.2 255.0.0.0
 ip vrf forwarding cisco

-----------------------------------------


Basically I cannot support all of the above; however, I was thinking of bypassing the command by creating a GRE tunnel. I just need confirmation that the following would work; if not, I would appreciate it if someone could point me in a better direction:


ON BRANCH ROUTER:

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 no shutdown
!
interface Tunnel10
 ip address 2.2.2.1 255.255.255.0
 ip vrf forwarding cisco
 tunnel source Loopback0
 tunnel destination [ip address of router directly connected to tacacs server]
!
ip tacacs source-interface Loopback0
tacacs-server host 10.10.10.1
! "key 7" expects an already type-7-encoded string; a cleartext key is entered without the "7"
tacacs-server key cisco

ON REMOTE ROUTER:

interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 no shutdown
!
interface Tunnel10
 ip address 2.2.2.2 255.255.255.0
 ip vrf forwarding cisco
 tunnel source Loopback0
 tunnel destination [ip address of branch router]


Attached is some real information; the IP address of the real TACACS+ server is 10.20.30.61.



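The following is an added worked example of the GRE workaround, written by the editor and not taken from the original post or from Cisco documentation. It reuses the addresses from the post (loopbacks 1.1.1.1 and 3.3.3.3, tunnel subnet 2.2.2.0/24, TACACS+ server 10.20.30.61) and assumes the two loopbacks are already reachable from each other in the global routing table. The hostnames "Branch" and "Remote" are hypothetical. It differs from the posted configuration in three places: the branch-side tunnel is left in the global table (because the non-VRF-aware tacacs-server commands on this IOS look up the server in the global table, a tunnel placed in VRF cisco on the branch would never carry that traffic), a host route steers only the TACACS+ server through the tunnel, and the remote router carries a return route for the branch loopback inside VRF cisco.

```cisco
! ---- Branch router (hypothetical hostname "Branch"): the TACACS+ client ----
! Tunnel10 deliberately has NO "ip vrf forwarding": the TACACS+ packets are
! sourced from the global table, so the tunnel must live there too.
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel10
 ip address 2.2.2.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 3.3.3.3
!
! Only the TACACS+ server (address from the post) is sent through the tunnel,
! so the tunnel destination itself is never learned via the tunnel (no
! recursive routing).
ip route 10.20.30.61 255.255.255.255 Tunnel10
!
ip tacacs source-interface Loopback0
tacacs-server host 10.20.30.61
! cleartext key is entered without the "7"; "service password-encryption"
! would only store it as reversible type 7 in the running config
tacacs-server key cisco

! ---- Remote router (hypothetical hostname "Remote"): connected to the ----
! ---- TACACS+ server inside VRF cisco                                  ----
! Here the tunnel IS in the VRF: decapsulated packets are routed by the
! VRF table, which is where 10.20.30.61 lives. Tunnel source/destination are
! still resolved in the global table, so the loopbacks need global reachability.
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel10
 ip vrf forwarding cisco
 ip address 2.2.2.2 255.255.255.0
 tunnel source Loopback0
 tunnel destination 1.1.1.1
!
! Return path: replies from the server (in VRF cisco) to the branch loopback
! must find a route inside the VRF that points back into the tunnel.
ip route vrf cisco 1.1.1.1 255.255.255.255 Tunnel10
```

To check the result, confirm the branch resolves the server via the tunnel (`show ip route 10.20.30.61`), that the remote can reach the branch tunnel address from inside the VRF (`ping vrf cisco 2.2.2.1`), and then exercise the AAA path end to end with `test aaa group tacacs+ <user> <password> legacy` on the branch. Two cautions a practitioner would add: plain GRE provides neither confidentiality nor peer authentication, and the only protection on the TACACS+ payload is the shared-key MD5-based obfuscation, so if the path between the loopbacks crosses an untrusted network the tunnel should be protected with IPsec (for example `tunnel protection ipsec profile` on platforms that support it); and the tunnel extends the management VRF's reachability into the branch's global table for exactly the one host route above, so keep that route a /32 rather than summarising it.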
sadbulali Mon, 03/09/2009 - 09:11

The Per VRF for TACACS+ Servers feature allows per VRF AAA to be configured on TACACS+ servers. Prior to Cisco IOS Release 12.3(7)T, this functionality was available only on RADIUS servers.


luismoondo Mon, 03/09/2009 - 12:51

Thanks for the response, but I posted the question after knowing that. I already checked on Feature Navigator that THIS IS NOT SUPPORTED for my router; at the end of my configuration I am proposing a workaround using a tunnel to bypass the unsupported configuration.


My question to you is: can a configuration with GRE and VRF work instead of the unsupported configuration?


I know that the alternative is to run RADIUS, but it is more paperwork than trying to implement a solution with the current IOS.


Thanks, and sorry if I didn't make myself clear in my first post.
