Each of the 4500X switches in our stack has a Fa1 interface next to the serial console port. My understanding is that this is to be used for out-of-band management of the switch. Here's the configuration of the interface:
vrf forwarding mgmtVrf
ip address 172.21.2.30 255.255.255.0
The vrf configuration was default. The only thing I changed was the ip address information. My question relates to things like domain-lookup and TACACS. I cannot seem to use this interface for those functions. Even if I add the following global configuration to my switch:
ip domain-lookup source-interface Fa1
ip tacacs-server source-interface Fa1
the switch is unable to communicate with either the DNS servers referenced by the ip name-server command or the TACACS+ servers referenced in the tacacs server profile section.
In the case of TACACS, the following debug output is produced when I attempt to login using TACACS:
No worries. It's not that you were unclear. It's that I've been so incredibly lazy that I haven't stopped using the commands that Cisco says will be "deprecated soon". Now here's my current configuration (as it relates to aaa authentication):
aaa group server tacacs+ DEED
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
aaa authentication login DEED group tacacs+ enable group tacacs+ local
aaa authentication enable default group tacacs+ enable
tacacs server fnb-acs-pri
 address ipv4 172.19.40.31
tacacs server fnb-acs-sec
 address ipv4 172.19.40.32
line vty 0 4
 exec-timeout 15 0
 login authentication DEED
 transport input ssh
This configuration doesn't work. I still get the "No route to host" debug output.
I finally got this to work. See below for the complete configuration I used, which results in a successful login (and an additional prompt to enter enable mode). I don't understand the difference between defining the servers under the server group mode vs. defining them with the "tacacs server" method, but that seems to be one of the issues I was running up against. aaa configuration on IOS is as clear as mud to me :-) Thanks for your help.
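The poster's working configuration did not survive on the page. The following is an added, reconstructed example of how the pieces described in this thread fit together under the newer AAA model; it is not the poster's configuration. The point it illustrates is the one the posted non-working config misses: the named server group DEED carries the VRF and source-interface settings, so the `tacacs server` profiles have to be members of that group (`server name ...`) and the authentication method lists have to reference `group DEED`, not the catch-all `group tacacs+`, which ignores the group-level VRF binding. The TACACS+ key, the mgmtVrf default gateway (172.21.2.1) and the DNS server address (172.21.2.10) are assumptions supplied for illustration; the interface, VRF name, server names and server addresses are the thread's own.

```ios
! Management VRF and OOB interface (VRF was already present on the 4500X)
interface FastEthernet1
 vrf forwarding mgmtVrf
 ip address 172.21.2.30 255.255.255.0
!
! The mgmtVrf needs its own route to reach 172.19.40.0/24 (gateway is an assumption)
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 172.21.2.1
!
! DNS must be bound to the VRF as well; the global "ip name-server" is not VRF-aware
ip name-server vrf mgmtVrf 172.21.2.10
ip domain lookup vrf mgmtVrf source-interface FastEthernet1
!
aaa new-model
!
! New-model server profiles; the shared key is an assumption
tacacs server fnb-acs-pri
 address ipv4 172.19.40.31
 key 7 <redacted>
tacacs server fnb-acs-sec
 address ipv4 172.19.40.32
 key 7 <redacted>
!
! The group owns the VRF binding and source interface, and must list its members
aaa group server tacacs+ DEED
 server name fnb-acs-pri
 server name fnb-acs-sec
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
!
! Method lists reference the named group, not the implicit "tacacs+" group
aaa authentication login DEED group DEED local
aaa authentication enable default group DEED enable
!
line vty 0 4
 exec-timeout 15 0
 login authentication DEED
 transport input ssh
```

To verify from the switch before touching a live session, check reachability inside the VRF with `ping vrf mgmtVrf 172.19.40.31`, then exercise the group directly with `test aaa group DEED <user> <password> new-code`; a "No route to host" result at that point means the VRF route or the group membership is still wrong, not the TACACS+ server. Keep one console or existing vty session open while changing the login method list so a mistake cannot lock you out.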
AAA setup isn't so hard but Cisco made it a bit confusing with the new syntax - many folks' templates they've been using for a long time might still work but certain features such as the newer management VRF bits need to have everything in the new model to work properly.