4900M - Basic Management Setup - Problem with TACACS+

bischoff_s (Level 1)

Hello,

For a few weeks I've had three 4900M switches equipped with the WS-X4920-GB-RJ45 module and the WS-X4908-10GE module. Now I've started to set up these switches in our lab environment for the first time. They behave a little strangely in comparison with the C3750 series, which I used before and which I will replace with these powerful machines.

I tried to set up these switches to be managed through the management port. I configured the IP address and the default route in the management VRF, and set the source-interface for tftp, ssh, ftp and tacacs to use the management port. Ping using the management port was successful. After finishing these steps I configured the TACACS and AAA settings according to the information I found on CCO. I tested the settings with the "test aaa group authentication" command, without success. On my Cisco ACS no request was received and the switch told me it couldn't reach the TACACS server. Other switches in the same IP subnet are working without problems, so the firewall or the server should not be the problem. Can anyone give me a hint what could be wrong?

These are parts of the configuration:

enable password test
!
username test privilege 15 password test
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
!
ip subnet-zero
ip domain-name test
!
ip vrf mgmtVrf
!
vtp mode transparent
!
crypto key generate rsa general-key modulus 1024
!
ip ftp source-interface FastEthernet1
ip tftp source-interface FastEthernet1
ip ssh source-interface FastEthernet1
!
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 ip address 10.119.50.4 255.255.255.0
 speed auto
 duplex auto
!
interface Vlan1
 no ip address
!
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 10.119.50.254
no ip http server
ip http secure-server
!
ip tacacs source-interface FastEthernet1
tacacs-server host 10.119.32.11
tacacs-server host 10.119.32.12
tacacs-server directed-request
tacacs-server key test
!
!

With kind regards

Stefan


Giuseppe Larosa (Hall of Fame)

Hello Stefan,

Check whether the tacacs-server host command has a vrf option at the end or before the IP address.

Hope to help

Giuseppe

Hello Giuseppe,

I checked that before. There is no such option on this command for this switch. In some of the configuration examples that I found for other switches this command was mentioned, which in this case was not useful.

Thanks for this hint.

With kind regards

Stefan

I know I hate getting replies with just links, but do these steps work?

http://nextclickmedia.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_pvt.html#wp1046257

Hello Charles,

Thank you. Now it is working. It seems that the problem is solved, but now the questions about why it is working arise.

1.) In the management VRF, which is configured by default, the RD had to be set. This was not documented in the documentation library for that device. What effect did this command have on the configuration?

2.) For what reason did the tacacs-server have to be put in a separate server group? In my opinion it is only to replace the missing "vrf mgmtVrf" statement at the end of "ip tacacs source-interface" in the global config.

3.) To document all the settings I changed, this is the actual configuration:

enable password test
!
username test privilege 15 password test
aaa new-model
!
aaa group server tacacs+ tac_neu
 server-private 10.119.32.11 key test
 server-private 10.119.32.12 key test
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
!
aaa authentication login default group tacacs+ group tac_neu local
aaa authentication enable default group tacacs+ group tac_neu enable
!
aaa session-id common
!
ip subnet-zero
ip domain-name test
!
ip vrf mgmtVrf
 rd 100:1
!
vtp mode transparent
!
crypto key generate rsa general-key modulus 1024
!
ip ftp source-interface FastEthernet1
ip tftp source-interface FastEthernet1
ip ssh source-interface FastEthernet1
!
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 ip address 10.119.50.4 255.255.255.0
 speed auto
 duplex auto
!
interface Vlan1
 no ip address
!
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 10.119.50.254
no ip http server
ip http secure-server
!

Thank you for helping me to solve this problem.

With kind regards

Stefan
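Added example, not code from the thread or from Cisco: a small Python checker that reads an IOS-style running-config and reports the mismatch Stefan hit. With the per-VRF AAA feature of the linked 12.3(7)T document, the global "tacacs-server host" list is reached through the global routing table, so pointing "ip tacacs source-interface" at an interface inside a VRF cannot get the requests out; the servers have to live in an "aaa group server tacacs+" that carries "ip vrf forwarding" and "server-private" entries, which is exactly what the working configuration above does. The checker also reports two things a reviewer would want to know about the posted "after" config: the "group tacacs+" method left in front of "group tac_neu" no longer has any global hosts behind it, and both lists end in "local" or "enable", which is what actually authenticates you while the servers are unreachable (IOS only moves to the next method when a server returns an error, not when it rejects the login). The two sample configs are the thread's own snippets, trimmed and reindented the way IOS prints them (one space for sub-mode lines, "!" ends a block); the finding texts are my own wording.

```python
import re

# Constructed samples, reindented from the thread's "before" and "after" configs
# (IOS indents sub-mode lines by one space; '!' ends a block).
BEFORE = """\
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
interface FastEthernet1
 ip vrf forwarding mgmtVrf
!
ip tacacs source-interface FastEthernet1
tacacs-server host 10.119.32.11
tacacs-server host 10.119.32.12
tacacs-server key test
"""
AFTER = """\
aaa group server tacacs+ tac_neu
 server-private 10.119.32.11 key test
 server-private 10.119.32.12 key test
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
!
aaa authentication login default group tacacs+ group tac_neu local
aaa authentication enable default group tacacs+ group tac_neu enable
interface FastEthernet1
 ip vrf forwarding mgmtVrf
!
"""


def parse_ios(config):
    """Split a running-config into top-level lines and {header: [sub-mode lines]}."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.strip() in ("", "!"):
            current = None
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            top.append(line)
            current = line
            blocks[current] = []
    return top, blocks


def check_tacacs_vrf(config):
    """Return findings for the VRF/TACACS+ mismatch and related caveats."""
    top, blocks = parse_ios(config)
    findings = []
    if_vrf = {h.split(" ", 1)[1]: s.split()[-1]
              for h, subs in blocks.items() if h.startswith("interface ")
              for s in subs if s.startswith("ip vrf forwarding ")}
    global_hosts = [l.split()[2] for l in top if l.startswith("tacacs-server host ")]
    # (kind, listname, [methods]) with 'group NAME' kept as one entry
    auth = [(p[2], p[3], re.findall(r"group \S+|\S+", " ".join(p[4:])))
            for p in (l.split() for l in top if l.startswith("aaa authentication "))
            if len(p) > 4]
    used = {m for _, _, ms in auth for m in ms}

    # 1. Global 'tacacs-server host' entries are reached through the global
    #    routing table; sourcing them from a VRF interface just blackholes them.
    for l in top:
        if l.startswith("ip tacacs source-interface "):
            iface = l.split()[-1]
            if iface in if_vrf and global_hosts:
                findings.append(f"global tacacs-server hosts {global_hosts} sourced from "
                                f"{iface} in VRF {if_vrf[iface]}: put them in an 'aaa group "
                                f"server tacacs+' with 'ip vrf forwarding {if_vrf[iface]}' "
                                f"and server-private entries")

    # 2. A VRF-aware group needs the VRF, private servers, a source interface in
    #    that VRF, and a method list that references it.
    for header, subs in blocks.items():
        m = re.match(r"aaa group server tacacs\+ (\S+)$", header)
        if not m:
            continue
        name = m.group(1)
        vrf = next((s.split()[-1] for s in subs if s.startswith("ip vrf forwarding ")), None)
        src = next((s.split()[-1] for s in subs if s.startswith("ip tacacs source-interface ")), None)
        if vrf is None:
            findings.append(f"group {name}: no 'ip vrf forwarding', servers use the global table")
        if not any(s.startswith("server-private ") for s in subs):
            findings.append(f"group {name}: no server-private entries")
        if vrf and src and if_vrf.get(src) != vrf:
            findings.append(f"group {name}: source-interface {src} is not in VRF {vrf}")
        if f"group {name}" not in used:
            findings.append(f"group {name}: defined but referenced by no aaa authentication list")

    # 3. Methods are tried in order and fall through on server ERROR (unreachable),
    #    so the last method is what guards the box during a TACACS+ outage.
    for kind, listname, ms in auth:
        if "group tacacs+" in ms and not global_hosts:
            findings.append(f"{kind} list '{listname}': 'group tacacs+' is dead, "
                            f"no global tacacs-server host is defined")
        if ms[-1] == "none":
            findings.append(f"{kind} list '{listname}': falls back to 'none', no "
                            f"authentication at all while servers are unreachable")
        elif ms[-1] in ("local", "enable"):
            findings.append(f"{kind} list '{listname}': falls back to '{ms[-1]}' while "
                            f"TACACS+ is unreachable, so that password is the real gate then")
    return findings
```

Point check_tacacs_vrf() at the text of a saved "show running-config" (it expects the one-space indentation and "!" separators IOS prints). On the "before" config it reports the VRF mismatch plus the two fallback caveats; on the "after" config the group itself is clean and only the dead "group tacacs+" method and the local/enable fallbacks remain, which is a reminder that the strength of those local credentials matters as soon as the ACS is unreachable.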

lewwalker (Level 1)

Thanks for the details regarding the management of the Cisco 4900M switches. However, I'm attempting to disable the 10/100/1000 MGT port for security reasons. How would I access the port remotely? I have been unable to locate this port with the command options.
