Cisco Support Community
New Member

Need urgent help

Hi,

I have a remote office with a router and a VPN to my main office.

The TACACS server sits at the main office.

When I try to integrate my remote office router with TACACS (sitting at the main office), it's not working.

My question is: can I integrate the remote office router (which has a tunnel to the main office) with TACACS?

Will TACACS encrypted traffic pass through the tunnel? Here is the config for the same. Do I need to add any additional line for passing TACACS traffic through the tunnel? (Of course, the TACACS server IP is added in the config.)

aaa authentication login default group tacacs+ local
aaa authentication enable default none
aaa authentication ppp default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Regards

Sateesh kumar.k

3 REPLIES
New Member

Re: Need urgent help

Hi Sateesh,

Please check the below once:

1) The TACACS key configured on the router and the ACS server should be the same.

2) Are you able to reach the ACS from the router?

3) Since you are not able to log in via ACS, are you able to connect to the router through line mode?

4) Run the debug commands like debug tacacs events or debug aaa ?

If possible, please paste your entire router's AAA config.

Regards

Dipu

Re: Need urgent help

Yes, the TACACS configuration will vary.

Check the link below.

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_per_vrf_aaa.html

aaa group server tacacs+ tacacs_vrf_name
 server-private IP key KeyID
 ip vrf forwarding VRFNAME
 ip tacacs source-interface Intname

aaa authentication login default group tacacs_vrf_name group tacacs+ line enable
aaa authentication login no_tacacs none
aaa authentication enable default group tacacs_vrf_name group tacacs+ enable none
aaa authentication ppp default local
aaa authorization commands 15 default group tacacs_vrf_name group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs_vrf_name group tacacs+
aaa accounting commands 15 default start-stop group tacacs_vrf_name group tacacs+
aaa accounting network default start-stop group tacacs_vrf_name group tacacs+
aaa accounting connection default start-stop group tacacs_vrf_name group tacacs+
aaa accounting system default start-stop group tacacs_vrf_name group tacacs+

Re: Need urgent help

Hi Sateesh,

Yes, you can integrate the remote office router with your TACACS server. For that you should have proper connectivity and reachability on TCP port 49 between the TACACS server and the clients.

Also mention the source interface through which the packets will be going to the TACACS server, with the following command: ip tacacs source-interface

Hope that helps.

Remember to rate the useful post.

Ganesh.H
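
Added example, not part of the original thread and not Cisco code: a small offline check of why the `ip tacacs source-interface` advice above matters when the VPN is a crypto-map IPsec tunnel (an assumption; the thread does not say which tunnel type is used). It works out which source address the router's TACACS+ packets carry and whether that source/server pair matches the crypto ACL, using a constructed config in which every interface name, ACL number and address is invented.

```python
import ipaddress
import re

# Constructed sample: remote-office router config; every name and address is invented.
SAMPLE = """\
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
crypto map VPN 10 ipsec-isakmp
 match address 110
access-list 110 permit ip 192.168.20.0 0.0.0.255 10.1.0.0 0.0.255.255
tacacs-server host 10.1.1.5
ip tacacs source-interface FastEthernet0/0
"""

def tacacs_source_ip(config):
    """Source address of router-originated TACACS+ packets."""
    addrs, current, egress = {}, None, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line opens or closes an interface block
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
        elif current and (m := re.match(r" ip address (\S+) \S+$", line)):
            addrs[current] = ipaddress.ip_address(m.group(1))
        elif current and line.startswith(" crypto map "):
            egress = current  # assumption: the crypto-map interface is the egress path
    m = re.search(r"^ip tacacs source-interface (\S+)", config, re.M)
    return addrs[m.group(1) if m else egress]  # no override: egress address is used

def protected_pairs(config):
    """(source, destination) networks permitted by the crypto map's ACL."""
    acl = re.search(r"^ match address (\S+)", config, re.M).group(1)
    pat = rf"^access-list {re.escape(acl)} permit ip (\S+) (\S+) (\S+) (\S+)$"
    return [(ipaddress.ip_network(f"{s}/{sw}"), ipaddress.ip_network(f"{d}/{dw}"))
            for s, sw, d, dw in re.findall(pat, config, re.M)]

def tacacs_rides_tunnel(config):
    """Map each TACACS+ server to True when its traffic matches the crypto ACL."""
    src, pairs = tacacs_source_ip(config), protected_pairs(config)
    servers = re.findall(r"^tacacs-server host (\S+)", config, re.M)
    return {s: any(src in a and ipaddress.ip_address(s) in b for a, b in pairs)
            for s in servers}

if __name__ == "__main__":
    print(tacacs_rides_tunnel(SAMPLE))  # source is the LAN interface
    no_override = SAMPLE.replace("ip tacacs source-interface FastEthernet0/0\n", "")
    print(tacacs_rides_tunnel(no_override))  # source falls back to the WAN address
```

With the source-interface line removed, the packets carry the WAN address, miss the crypto ACL, and would leave the router outside the tunnel toward a private server address.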
