Tacacs in VRF

francisco_1
Level 7

I am trying to manage this switch WS-C3550-24PWR-SMI version 12.1(22)EA5 from a loopback within a VRF on the switch. I can see the connection hitting the TACACS box, but I get the error below on the switch. Could it be a bug on the switch?

Logs

7w4d: TAC+: Opening TCP/IP to 10.124.66.4/49 timeout=5
37w4d: TAC+: TCP/IP open to 10.124.66.4/49 failed -- Connection timed out; remote host not responding

Config

ip vrf TECHLAB-SWITCHES
 rd 400:400

interface Vlan753
 ip vrf forwarding tacaces
 ip address 10.30.3.6 255.255.255.0

tacacs-server host 10.124.66.4
tacacs-server key Premier_League
ip tacacs source-interface Vlan753

tacacs-server host 10.104.66.4

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


francisco_1
Level 7

Also, I can telnet from the VLAN interface from within the VRF to the TACACS server on port 49 successfully.

Giuseppe Larosa
Hall of Fame

Hello Francisco,

If supported, you should add the vrf vrf-name to the tacacs host command:

tacacs-server host 10.124.66.4 vrf TECHLAB-SWITCHES

For example, for NTP in a VRF you need to add the vrf vrf-name to the standard command.

Hope to help

Giuseppe

I don't have the vrf command available after the tacacs host IP below!!!

"tacacs-server host 10.124.66.4 [vrf]"

Edison Ortiz
Hall of Fame

francisco_1 wrote:

I am trying to manage this switch WS-C3550-24PWR-SMI version 12.1(22)EA5 from a loopback within a VRF on the switch. I can see the connection hitting the TACACS box, but I get the error below on the switch. Could it be a bug on the switch?

Per your config, the TACACS server is in the global routing table and Vlan 753 is in the TACACES VRF.

I'm not sure how you are leaking the routing table, but if you are looking for the 'Per VRF for TACACS+' implementation, this feature is not supported on 3xxx switches.

Please refer to this documentation: http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html

Regards

Edison.

I have a default route

ip route vrf TECHLAB-SWITCHES 0.0.0.0 0.0.0.0 10.30.3.1

But your vrf name under the Vlan is different:

interface Vlan753
ip vrf forwarding tacaces
ip address 10.30.3.6 255.255.255.0

Can you post the routing table output from the GRT and the VRF, and also a ping output from Vlan 753 toward the TACACS server?

If you have access to the TACACS server, can you also post the ping output from there?

switch#sh ip route vrf TECHLAB-SWITCHES
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 18:51:48.211 GMT Mon Dec 7 2009

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.30.3.1 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.30.3.0 is directly connected, Vlan753
S*   0.0.0.0/0 [1/0] via 10.30.3.1

switch#sh ip route
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 18:52:08.171 GMT Mon Dec 7 2009

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.30.90.254 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.30.90.0 is directly connected, Vlan790
C       10.30.91.0 is directly connected, Vlan791
S*   0.0.0.0/0 [1/0] via 10.30.90.254

Your GRT and VRF tables have different default gateways, and this could be causing the problem.

BTW, if you upgrade to 12.2(44)SEx, you should be able to use Per VRF TACACS+ as I posted before.

The document should be updated to include 12.2SE support. I tested the commands on a switch here; I don't have any TACACS+ server, so I couldn't duplicate your problem, but you should give it a try.

Regards

Edison.

raja d
Level 1

Hi guys, I came across this problem. We can solve it by just adding the VRF in the TACACS configuration, e.g. if you have the TACACS server 10.0.0.1:

======================================================

aaa group server tacacs+ JERRY      -> put your tacacs server in a group name
 server-private 10.0.0.1            -> mention your tacacs server
 ip vrf forwarding TOM              --> the VRF name

======================================================

The remaining config is the same, except you put in the group thingy:

======================================================

aaa authentication login default group TEST local
aaa authentication login NO_AUTHEN local none
aaa authentication enable default group TEST enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group TEST local
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group TEST local
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 7 NO_AUTHOR none
aaa authorization commands 15 default group TEST local
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default
 action-type start-stop
 group tacacs+
 group TEST
!
aaa accounting commands 1 default
 action-type start-stop
 group tacacs+
 group TEST

tkostova
Level 1

Prior to this you have to create your VRF and VRF route and add it under the interface.

Below is your TACACS config with VRF:

config t

aaa new-model

aaa group server tacacs+ NetworkAdmins
 server-private X.X.X.X (tacacs ip address) key 0 cisco (tacacs key)
 ip vrf forwarding mgmt (name of your vrf)

aaa authentication login Networking (AD GROUP) group NetworkAdmins (tacacs server group you just created) local
aaa authorization exec Networking group NetworkAdmins local
aaa accounting commands 15 Networking start-stop group NetworkAdmins

line vty 0 15
 authorization exec Networking (AD group)
 accounting commands 15 Networking
 login authentication Networking
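The thread surfaces two separate configuration mistakes: Edison's observation that the VRF name under Vlan753 ("tacaces") does not match the VRF that was defined ("TECHLAB-SWITCHES"), and the underlying problem that a legacy `tacacs-server host` entry carries no VRF binding, so the TACACS+ session is opened in the global table even when `ip tacacs source-interface` points at a VRF interface. The later replies from raja d and tkostova show the per-VRF form (`aaa group server tacacs+` with `server-private` and `ip vrf forwarding`) that fixes the second problem on releases that support it. The script below is an added example, not code from the thread or from Cisco: a small linter that parses both forms and reports each mismatch. BROKEN_CONFIG is a re-indented copy of the config Francisco posted; FIXED_CONFIG is a constructed per-VRF version of it in which the group name MGMT-TACACS is an assumption. The parser is a hypothetical helper that only understands the commands used here, and it reports the mismatch regardless of platform; as Edison notes, the 3550 on 12.1(22)EA5 does not accept the per-VRF form at all.

```python
"""Lint a Cisco IOS config for the TACACS+/VRF mismatches discussed in this thread.

Added example. BROKEN_CONFIG is a re-indented copy of the config posted above;
FIXED_CONFIG is a constructed per-VRF version (group name MGMT-TACACS assumed)."""

BROKEN_CONFIG = """\
ip vrf TECHLAB-SWITCHES
 rd 400:400
!
interface Vlan753
 ip vrf forwarding tacaces
 ip address 10.30.3.6 255.255.255.0
!
tacacs-server host 10.124.66.4
tacacs-server key Premier_League
ip tacacs source-interface Vlan753
tacacs-server host 10.104.66.4
aaa new-model
"""

FIXED_CONFIG = """\
ip vrf TECHLAB-SWITCHES
 rd 400:400
!
interface Vlan753
 ip vrf forwarding TECHLAB-SWITCHES
 ip address 10.30.3.6 255.255.255.0
!
aaa new-model
aaa group server tacacs+ MGMT-TACACS
 server-private 10.124.66.4 key Premier_League
 ip vrf forwarding TECHLAB-SWITCHES
 ip tacacs source-interface Vlan753
aaa authentication login default group MGMT-TACACS enable
"""


def parse_ios(config):
    """Collect VRF definitions, interface VRF bindings, and every TACACS+ server
    together with the VRF and source interface the client will use for it."""
    defined, iface_vrf, servers, groups = set(), {}, [], []
    global_source = None
    block = None  # ("interface", name) or ("group", dict) while inside a stanza
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if not line.startswith(" "):            # top-level command starts a new stanza
            block = None
            if tok[:2] == ["ip", "vrf"] and len(tok) == 3:
                defined.add(tok[2])
            elif tok[0] == "interface":
                block = ("interface", tok[1])
            elif tok[:4] == ["aaa", "group", "server", "tacacs+"]:
                groups.append({"name": tok[4], "ips": [], "vrf": None, "source_if": None})
                block = ("group", groups[-1])
            elif tok[:2] == ["tacacs-server", "host"]:  # legacy global server: no VRF binding
                servers.append({"ip": tok[2], "vrf": None, "where": "global"})
            elif tok[:3] == ["ip", "tacacs", "source-interface"]:
                global_source = tok[3]
        elif block and block[0] == "interface" and tok[:3] == ["ip", "vrf", "forwarding"]:
            iface_vrf[block[1]] = tok[3]
        elif block and block[0] == "group":
            group = block[1]
            if tok[0] == "server-private":
                group["ips"].append(tok[1])
            elif tok[:3] == ["ip", "vrf", "forwarding"]:
                group["vrf"] = tok[3]
            elif tok[:3] == ["ip", "tacacs", "source-interface"]:
                group["source_if"] = tok[3]
    for s in servers:
        s["source_if"] = global_source
    for g in groups:                            # private servers inherit the group's VRF
        for ip in g["ips"]:
            servers.append({"ip": ip, "vrf": g["vrf"], "where": "group " + g["name"],
                            "source_if": g["source_if"] or global_source})
    return defined, iface_vrf, servers


def lint(config):
    """Return human-readable findings; an empty list means the config is consistent."""
    defined, iface_vrf, servers = parse_ios(config)
    findings = []
    for iface, vrf in sorted(iface_vrf.items()):
        if vrf not in defined:
            findings.append(f"{iface} is bound to VRF '{vrf}', which is not defined "
                            f"(defined VRFs: {sorted(defined)})")
    for s in servers:
        src_vrf = iface_vrf.get(s["source_if"]) if s["source_if"] else None
        if src_vrf != s["vrf"]:
            findings.append(f"TACACS+ server {s['ip']} ({s['where']}): source-interface "
                            f"{s['source_if']} sits in VRF {src_vrf or 'global'} but the "
                            f"TCP/49 session is opened in VRF {s['vrf'] or 'global'}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        found = lint(cfg)
        print(f"== {label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run against the posted config the linter reports the undefined VRF "tacaces" plus one finding per global `tacacs-server host` entry; the per-VRF version produces no findings because the group's VRF matches the VRF of its source interface.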

 
