Tacacs+ per vrf

Mar 11th, 2009

Hi all:


I'm trying to configure the feature "tacacs+ per vrf" in order to authenticate with an ACS that a 7600 router learns from a vrf, but it isn't working; checking the ACS, I see that the user does authenticate, but I got a message "authorization failed" from the router, so I can never log in.


The commands I'm applying on the router are:


aaa group server tacacs+ tacacscisco
 server-private 1.1.1.1 key CISCO
 ip vrf forwarding CISCO123
 ip tacacs source-interface LOOPBACK 0
!
aaa authentication login default group tacacscisco local
aaa authentication login con_acc group tacacscisco local none
aaa authorization exec default group tacacscisco local
aaa authorization exec con_acc group tacacscisco local if-authenticated
aaa authorization commands 1 default group tacacscisco if-authenticated
aaa authorization commands 15 default group tacacscisco if-authenticated
aaa accounting exec default start-stop group tacacscisco
aaa accounting commands 15 default start-stop group tacacscisco
aaa accounting system default start-stop group tacacscisco


<Loopback 0 is on vrf CISCO123>


I would appreciate any help!! Thanks.


The IOS version I'm using is 12.2(33)SRB3

drolemc Tue, 03/17/2009 - 10:09

This is the expected behaviour: since the user is not defined locally, we are getting "Authorization failed" when going into privilege mode. Please define the user locally and try to log in.
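
An added example, not part of the thread and not Cisco tooling: a Python audit that parses the AAA method lists from the question's configuration and flags every list that names "local" while the configuration has no "username" entry (the condition the reply describes), plus any login list whose last method is "none". The function names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample: the AAA lines from the question, with no local
# "username" entries, matching the situation the reply describes.
SAMPLE_CONFIG = """\
aaa group server tacacs+ tacacscisco
 server-private 1.1.1.1 key CISCO
 ip vrf forwarding CISCO123
 ip tacacs source-interface LOOPBACK 0
!
aaa authentication login default group tacacscisco local
aaa authentication login con_acc group tacacscisco local none
aaa authorization exec default group tacacscisco local
aaa authorization exec con_acc group tacacscisco local if-authenticated
aaa authorization commands 1 default group tacacscisco if-authenticated
aaa authorization commands 15 default group tacacscisco if-authenticated
"""

AAA_LINE = re.compile(
    r"^aaa (authentication|authorization) (login|exec|commands \d+) (\S+) (.+)$")


def parse_method_lists(config):
    """Return {(service, type, list_name): [methods in fallback order]}."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if m:
            service, kind, name, rest = m.groups()
            # "group <name>" is one method; every other keyword stands alone.
            lists[(service, kind, name)] = re.findall(r"group \S+|\S+", rest)
    return lists


def audit(config):
    """Flag lists that depend on a missing local user or end in 'none'."""
    has_local_user = any(
        re.match(r"^\s*username \S+", line) for line in config.splitlines())
    findings = []
    for key, methods in parse_method_lists(config).items():
        if "local" in methods and not has_local_user:
            findings.append((key, "uses local but no username is defined"))
        # 'none' as the last method admits the session without authentication
        # when every earlier method returns an error.
        if key[0] == "authentication" and methods[-1] == "none":
            findings.append((key, "last method is none"))
    return findings
```

Running audit() on the running configuration before and after adding a local user shows which method lists stop depending on an empty local database.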

