Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
419
Views
0
Helpful
2
Replies

Tacacs per vrf no supported on my router, does a gre tunnel would work?

luismoondo
Level 1
Level 1

‎03-03-2009 06:33 AM - edited ‎03-10-2019 04:22 PM

Hi,

Basically the problem is that I am working with old routers, checked already on feature navigator an the following commands are not supported on the router to communicate to a TACACS server that resides on a vrf:

-----------------------------------------

Configuring Per VRF for TACACS+ Servers: Example

The following output example shows that the group server tacacs1 has been configured for per VRF AAA services:

aaa group server tacacs+ tacacs1

server-private 10.1.1.1 port 19 key cisco

ip vrf forwarding cisco

ip tacacs source-interface Loopback0

ip vrf cisco

rd 100:1

interface Loopback0

ip address 10.0.0.2 255.0.0.0

ip vrf forwarding cisco

-----------------------------------------

Basically I can not support all the above, however I was thinking of bypassing the command creating a GRE tunnel, I just need a confirmation if the following would work, if not I would appreciated that someone can point me into a better direction:

ON BRANCH ROUTER:

int l0

ip add 1.1.1.1 255.255.255.0

no shut

int tun10

ip add 2.2.2.1 255.255.255.0

ip vrf forwarding cisco

tun so l0

tun dest [ip add of router directly connected to tacacs server]

ip tacacs source-interface l0

tacacs-server host 10.10.10.1

tacacs-server key 7 cisco

ON REMOTE ROUTER:

int l0

ip add 3.3.3.3 255.255.255.0

no shut

int tun10

ip add 2.2.2.2 255.255.255.0

ip vrf forwarding cisco

tunn so l0

tunn dest [ip add of branch router]

Attached is some real information, the ip address of the real tacacs server is 10.20.30.61.

Labels:
Preview file
2 KB
0 Helpful
2 Replies 2

sadbulali
Level 4
Level 4

‎03-09-2009 09:11 AM

The Per VRF for TACACS+ Servers feature allows per VRF AAA to be configured on TACACS+ servers. Prior to Cisco IOS Release 12.3(7)T, this functionality was available only on RADIUS servers.

0 Helpful

luismoondo
Level 1
Level 1
In response to sadbulali

‎03-09-2009 12:51 PM

Thanks for the response but I post the question after knowing that, I already checked on Feature Navigator that THIS IS NOT SUPPORTED for my router, at the end of my configuration I am purposing a workaround using a tunnel to bybass the nonsupported configuration.

My question to you is, does a configuration with gre with vrf can work instead of the nonsupported configuration?

I know that the alternative is to run Radius but it is more paperwork to do than trying to implement a solution with the current IOS.

Thanks and sorry if I didn't make self clear at the beginning of my first post.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents