Cisco Support Community
New Member

4908G-L3 returns to AAA with different interface than logged in

Simple problem (yeah right): I have a 4908G-L3 router configured with two actual interfaces (no HSRP) to my networking core and a whole truckload of other interfaces and subinterfaces for my distribution and access layers (all of them HSRP). I have registered the device as a NAS in ACS 3.1 using one of the two actual interfaces to my networking core. When I now configure AAA on the router it is being ignored and won't work. Checking on the AAA server I find out that the router is trying to perform AAA using every interface under the sun available to it in apparently random (or maybe variably load-balanced EIGRP-dependent) fashion. At about 40+ interfaces that gives me a 2.5% chance of actually getting a AAA response - not good. How can I force the router to perform AAA using the interface IP address that I used to telnet into the box? Any advice will be greatly appreciated!

3 REPLIES
Silver

Re: 4908G-L3 returns to AAA with different interface than logged

Hi,

You can try the following:

ip tacacs source-interface interface_name <-- for TACACS+

ip radius source-interface interface_name <-- for RADIUS

interface_name should be replaced by the interface that you want the router to source the AAA packets from.

I hope this helps ! Thanks,

Mynul

New Member

Re: 4908G-L3 returns to AAA with different interface than logged

Thanks, but this works only if that one interface is available - if it's down and I need to get into the router I am stuck with a serial cable. Is there some way to define a virtual interface on this box, like a loopback with an IP address, that I could use to register this NAS in ACS?

Silver

Re: 4908G-L3 returns to AAA with different interface than logged

Hi,

Yes, it is possible to create a loopback and then use that loopback address to source the RADIUS/TACACS+ packets. But please make sure that the loopback is reachable from the ACS server. Thanks,

Mynul
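As an added example (this is not part of Mynul's replies or the original poster's running configuration), here is how the two suggestions above fit together on an IOS device: a loopback carries the NAS address that is registered in ACS, the source-interface commands pin every AAA packet to that address, and the loopback's network is included in the routing process so the ACS server has a return path. The addresses 10.255.255.1 and 10.1.1.10, EIGRP AS 100 and the shared key are placeholders chosen for the example. The `local` fallback in the method lists is also an addition here; it keeps a console or VTY login possible when ACS cannot be reached, which is the lock-out the original poster is worried about.

```cisco
! Added example configuration, not the original poster's config.
! Addresses, AS number and key are assumptions for illustration.
!
! 1. Virtual interface that never goes down as long as the box is up.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! 2. Advertise the loopback so ACS (and its replies) can reach it.
!    Classful network statement shown for older IOS; newer IOS also
!    accepts "network 10.255.255.1 0.0.0.0" to limit the match.
router eigrp 100
 network 10.0.0.0
!
! 3. Source every TACACS+ / RADIUS packet from the loopback address.
!    Register 10.255.255.1 as the NAS IP in ACS, with the same key.
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
tacacs-server host 10.1.1.10
tacacs-server key MySharedSecret
!
! 4. Method lists: try ACS first, fall back to the local database so a
!    failed or unreachable ACS does not lock you out of the router.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
username admin privilege 15 secret ChangeMeLocalFallback
!
line vty 0 4
 login authentication default
```

Two checks worth doing after applying this: `show ip route 10.255.255.1` on a core router should show the loopback learned via EIGRP, and `debug tacacs` (or `debug radius`) on the 4908G-L3 should show the requests leaving with 10.255.255.1 as the source while ACS's failed-attempts log stops filling up with unknown-NAS entries. Keep the local username strong; with `local` as the fallback it is the credential that protects the box whenever ACS is down.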
