Tacacs+ per vrf

Aide Espejo
Level 1

Hi all:

I'm trying to configure the feature "tacacs+ per vrf" in order to authenticate with an ACS that a 7600 router learns from a vrf, but it isn't working; checking the ACS, I see that the user does authenticate but I got an "authorization failed" message from the router, so I can never log in.

The commands I'm applying on the router are:

aaa group server tacacs+ tacacscisco
 server-private 1.1.1.1 key CISCO
 ip vrf forwarding CISCO123
 ip tacacs source-interface LOOPBACK 0
!
aaa authentication login default group tacacscisco local
aaa authentication login con_acc group tacacscisco local none
aaa authorization exec default group tacacscisco local
aaa authorization exec con_acc group tacacscisco local if-authenticated
aaa authorization commands 1 default group tacacscisco if-authenticated
aaa authorization commands 15 default group tacacscisco if-authenticated
aaa accounting exec default start-stop group tacacscisco
aaa accounting commands 15 default start-stop group tacacscisco
aaa accounting system default start-stop group tacacscisco

<Loopback 0 is on vrf CISCO123>

I would appreciate any help !! tks

The IOS version I'm using is 12.2(33)SRB3

1 Reply

drolemc
Level 6

This is the expected behaviour: since the user is not defined locally, we are getting "Authorization failed" when going into privilege mode. Please define the user locally and try to log in.
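As an added example (not part of the thread, and not Cisco code), the following Python sketch parses a configuration like the one in the question and reports two things worth checking in a per-VRF TACACS+ setup: whether each private server group carries a server, a VRF and a source interface, and which login lists end in the `none` fallback. The function names `parse_aaa` and `audit` are hypothetical, and the sample is constructed from the posted commands.

```python
# Constructed sample: the question's configuration, indented as IOS displays it.
SAMPLE = """\
aaa group server tacacs+ tacacscisco
 server-private 1.1.1.1 key CISCO
 ip vrf forwarding CISCO123
 ip tacacs source-interface LOOPBACK 0
!
aaa authentication login default group tacacscisco local
aaa authentication login con_acc group tacacscisco local none
aaa authorization commands 15 default group tacacscisco if-authenticated
"""

def parse_aaa(config):
    """Return (groups, lists) parsed from IOS-style AAA configuration text."""
    groups, lists, cur = {}, [], None
    for raw in config.splitlines():
        w = raw.split()
        if w[:4] == ["aaa", "group", "server", "tacacs+"] and len(w) == 5:
            cur = groups.setdefault(w[4], {"servers": [], "vrf": None, "source": None})
        elif raw[:1] == " " and cur is not None and w:   # sub-command of the group
            if w[0] == "server-private" and len(w) > 1:
                cur["servers"].append(w[1])
            elif w[:3] == ["ip", "vrf", "forwarding"]:
                cur["vrf"] = " ".join(w[3:]) or None
            elif w[:3] == ["ip", "tacacs", "source-interface"]:
                cur["source"] = " ".join(w[3:]) or None
        elif w[:1] == ["aaa"] and len(w) > 4 and w[1] in ("authentication", "authorization"):
            cur = None
            skip = 4 if w[2] == "commands" else 3        # "commands <level> <list>"
            methods, it = [], iter(w[skip + 1:])
            for tok in it:                               # "group X" counts as one method
                methods.append(("group", next(it, None)) if tok == "group" else (tok, None))
            lists.append({"kind": " ".join(w[1:skip]), "name": w[skip], "methods": methods})
        else:
            cur = None
    return groups, lists

def audit(config):
    """Return findings on per-VRF group settings and on 'none' login fallbacks."""
    groups, lists = parse_aaa(config)
    out = [f"group {n}: no {k} configured" for n, g in groups.items()
           for k in ("servers", "vrf", "source") if not g[k]]
    for l in lists:
        label = f"{l['kind']} {l['name']}"
        for kind, grp in l["methods"]:
            if kind == "group" and grp not in groups and grp not in ("tacacs+", "radius"):
                out.append(f"{label}: group {grp} is not defined")
        if l["kind"].startswith("authentication") and l["methods"][-1:] == [("none", None)]:
            out.append(f"{label}: falls back to 'none' (no authentication)")
    return out
```

Later methods in a list are tried only when the earlier one returns an error such as an unreachable server, so a trailing `none` admits a login without credentials in exactly that situation.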
