Cisco Support Community
New Member

VRF and TACACS

Our management network is via VRF, and the IP address of the ACS also exists in the VRF. After the configuration, the ACS doesn't seem to work and there are no reports on the ACS. Below is the configuration. Your help is appreciated!

client:

int vlan 10
 ip add 192.168.1.233
 ip vrf forwarding Virtual
aaa authentication login new group tacacs+ local
aaa authorization exec new group tacacs+ local
aaa authorization commands 15 new group tacacs+ local
ip tacacs source-interface vlan 10
tacacs-server host 192.168.1.240
tacacs-server key key
lin vty 0 4
 authorization commands 15 new
 authorization exec new
 login authentication new

I can ping from the source interface to the ACS via VRF.

Thank you!

4 REPLIES

Re: VRF and TACACS

Can you share the config?

Depending on your setup/design, pls check the following config guide & sample for TACACS+ with VRF:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00806996cc.html

HTH

AK

New Member

VRF and TACACS

I have had problems with this in the past as well. Do a debug on the TACACS packets and see if it complains about not having a route to the host.

Some of the devices do not support different VRFs for TACACS and only use the global VRF.

Cisco Employee

VRF and TACACS

Define a AAA server group, indicate to use the correct VRF, then reference that group in your authentication configuration.

For example:

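tacacs-server host 10.1.2.3 key cisco123
!
! server group bound to the VRF that reaches the TACACS+ server
aaa group server tacacs+ tac-servers
 server 10.1.2.3
 ip vrf forwarding mumble
 ip tacacs source-interface vlan10
!
! method list references the VRF-aware group, with local fallback
aaa authentication login default group tac-servers local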
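An added example, not part of the thread and not Cisco code: a Python check over `show running-config` text that flags AAA method lists whose TACACS+ group is not bound to the VRF of the TACACS+ source interface, which is the condition the last reply corrects. The sample config is constructed from the question's settings, the function names are this example's own, and it assumes expanded running-config syntax with one-space indentation for sub-commands.

```python
import re
SRC = r"ip tacacs source-interface (.+)"
# Constructed sample modelled on the question's config, in running-config form.
BEFORE = """interface Vlan10
 ip vrf forwarding Virtual
aaa authentication login new group tacacs+ local
ip tacacs source-interface Vlan10
tacacs-server host 192.168.1.240
"""

def blocks(config):
    """Return [(top-level command, [indented sub-commands])]."""
    out = []
    for line in (l for l in config.splitlines() if l.strip() not in ("", "!")):
        if line[0] == " " and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def child(kids, pattern):  # first capture among a block's sub-commands, else None
    return next((m.group(1) for k in kids if (m := re.match(pattern, k))), None)

def norm(ifname):  # treat 'vlan 10' and 'Vlan10' as the same interface
    return ifname.replace(" ", "").lower() if ifname else None

def audit(config):
    """Flag AAA method lists whose TACACS+ group is not bound to the source interface's VRF."""
    if_vrf, groups, methods, global_src = {}, {}, [], None
    for head, kids in blocks(config):
        vrf = child(kids, r"(?:ip )?vrf forwarding (\S+)")
        if m := re.match(r"interface (.+)", head):
            if_vrf[norm(m.group(1))] = vrf
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", head):
            groups[m.group(1)] = (vrf, norm(child(kids, SRC)))
        elif m := re.match(SRC, head):
            global_src = norm(m.group(1))
        elif m := re.match(r"aaa (?:authentication|authorization|accounting) .*\bgroup (\S+)", head):
            methods.append((head, m.group(1)))
    findings = []
    for head, g in methods:
        vrf, src = groups.get(g, (None, None))   # built-in "tacacs+" group has no VRF
        want = if_vrf.get(src or global_src)     # VRF the TACACS+ packets must leave from
        if want and vrf != want:
            findings.append(f"{head}: group {g} is not bound to VRF {want}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(BEFORE)))
```

A config that uses a server group carrying `ip vrf forwarding` for the same VRF as the source interface produces no findings.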
