topic tacacs per VRF in Network Access Control

tacacs per VRF

lester-mendoza — Mon, 11 Mar 2019 01:43:52 GMT

Gooday

Im trying to configure tacacs per Vrf but no luck, i been using docs from cisco, can somebody help me if my config is correct?

here is my current config

aaa group server tacacs+ tacacs1

server-private 183.x.x.x key 7 XXXXXX

ip vrf forwarding NMS

ip tacacs source-interface Vlan89

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa authorization commands 0 default group tacacs+ none

aaa authorization commands 1 default group tacacs+ none

aaa authorization commands 15 default group tacacs+ none

ip vrf NMS

description OOB NMS VRF

rd 110:100

interface Vlan89

description to DIA monitoring

ip vrf forwarding NMS

ip address 183.109.191.11 255.255.255.0

end

ip vrf NMS

thanks

tacacs per VRF

camejia — Tue, 17 Jan 2012 15:24:23 GMT

Hello Lester,

Please refer to the following configuration:

aaa group server tacacs+ vrftacacs

server-private x.x.x.y key XXXX

ip vrf forwarding mgmtVrf

ip tacacs source-interface FastEthernet1

aaa authentication login default group vrftacacs local

aaa authentication enable default group vrftacacs enable

ip vrf mgmtVrf

interface FastEthernet1

ip vrf forwarding mgmtVrf

ip address x.x.x.x y.y.y.y

speed auto

duplex auto

ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 z.z.z.z

It seems that you are missing the appropriate "TACACS+ Group" on the AAA statements. You are using "group tacacs+" instead of the appropriate one that should be "group tacacs1".

Please let us know the results.

Regards.

tacacs per VRF

lester-mendoza — Tue, 17 Jan 2012 16:19:40 GMT

Dear Carlos,

Appreciated your reply, unfortunately it still not working, but its half way to resolve now. here is the screencap

if i telnet into the router, firstly it will ask for the local account and after i enable for the priviledge mode, it will ask for the acs account, below is the current config

UNAUTHORISED ACCESS TO THIS SYSTEM IS STRICTLY PROHIBITED

All data and information held on or in, or generated by this system is

proprietary and confidential. Any unauthorised use or unauthorised

disclosure of such information is strictly prohibited. Violators will be

prosecuted to the fullest extent of local, state and federal laws.

User Access Verification

Password:

Session activated. Enter commands at the prompt.
You have entered crt-tw1-602. on line 450 ()
crt-tw1-602>ena
Username ACS:lesterm.admin
Password:
crt-tw1-602#

current config

aaa group server tacacs+ tacacs1

server-private 183.x.x.x key 7 xxxxxxxx

ip vrf forwarding NMS

ip tacacs source-interface Vlan89

aaa authentication login default group tacacs1 enable

aaa authentication enable default group tacacs1 enable

aaa authorization commands 0 default group tacacs+ none

aaa authorization commands 1 default group tacacs+ none

aaa authorization commands 15 default group tacacs+ none

tacacs per VRF

camejia — Tue, 17 Jan 2012 16:23:52 GMT

Lester,

The first "password" prompt you get is for the local enable password? We might need to enable "Debug aaa authentication" and "debug tacacs" and recreate the issue.

Please, share the outputs with us.

Regards.

tacacs per VRF

lester-mendoza — Tue, 17 Jan 2012 16:31:46 GMT

thanks Carlos,

I followed your suggestion, i think there will be only change in the aaa authentication statement,

I'm very careful on changing the aaa statement, and don't want to change it without your expert advice, the router is located in different country and no one will reboot if i lost the connection

The first "password" prompt you get is for the local enable password? We might need to enable "Debug aaa authentication" and "debug tacacs" and recreate the issue.

ans: yes, first it will ask for the local password

below is the debug

AAA Authentication debugging is on

crt-tw1-602#

*Jan 18 00:39:40: AAA/BIND(00000084): Bind i/f

*Jan 18 00:39:40: AAA/AUTHEN/LOGIN (00000084): Pick method list 'default'

*Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN

*Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Done status GET_PASSWORD

*Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN

*Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Done status PASS

*Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1

*Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0

*Jan 18 00:39:54: AAA/MEMORY: create_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)

*Jan 18 00:39:54: AAA/MEMORY: free_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 vrf= (id=0)

*Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1

*Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0

*Jan 18 00:39:54: AAA/MEMORY: create_user (0x7067DF54) user='NULL' ruser='NULL' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)

*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): port='tty450' list='' action=LOGIN service=ENABLE

*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): using "default" list

*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): Method=tacacs1 (tacacs+)

*Jan 18 00:39:54: TAC+: send AUTHEN/START packet ver=192 id=-165001963

*Jan 18 00:39:54: TAC+: ver=192 id=-165001963 received AUTHEN status = GETUSER

*Jan 18 00:39:54: AAA/AUTHEN(4129965333): Status=GETUSER

*Jan 18 00:40:06: AAA/AUTHEN/CONT (4129965333): continue_login (user='(undef)')

*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETUSER

*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)

*Jan 18 00:40:06: TAC+: send AUTHEN/CONT packet id=-165001963

*Jan 18 00:40:06: TAC+: ver=192 id=-165001963 received AUTHEN status = GETPASS

*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETPASS

*Jan 18 00:40:09: AAA/AUTHEN/CONT (4129965333): continue_login (user='lesterm.admin')

*Jan 18 00:40:09: AAA/AUTHEN(4129965333): Status=GETPASS

*Jan 18 00:40:09: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)

*Jan 18 00:40:09: TAC+: send AUTHEN/CONT packet id=-165001963

*Jan 18 00:40:10: TAC+: ver=192 id=-165001963 received AUTHEN status = PASS

*Jan 18 00:40:10: AAA/AUTHEN(4129965333): Status=PASS

*Jan 18 00:40:10: AAA/MEMORY: free_user (0x7067DF54) user='lesterm.admin' ruser='NULL' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)

crt-tw1-602#

crt-tw1-602#debug tacacs

TACACS access control debugging is on

crt-tw1-602#

*Jan 18 00:41:44: TPLUS: Queuing AAA Authentication request 133 for processing

*Jan 18 00:41:44: TPLUS: processing authentication start request id 133

*Jan 18 00:41:44: TPLUS: Authentication start packet created for 133()

*Jan 18 00:41:44: TPLUS: Using server 183.111.21.100

*Jan 18 00:41:44: TPLUS(00000085)/0/NB_WAIT/7050EE30: Started 5 sec timeout

*Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out

*Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out, clean up

*Jan 18 00:41:49: TPLUS(00000085)/0/7050EE30: Processing the reply packet

*Jan 18 00:41:58: TAC+: no tacacs servers defined in group "tacacs+"

*Jan 18 00:41:58: TAC+: send AUTHEN/START packet ver=192 id=1096121892

*Jan 18 00:41:58: TAC+: Using default tacacs server-group "tacacs1" list.

*Jan 18 00:41:58: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5

*Jan 18 00:41:58: TAC+: Opened TCP/IP handle 0x7065A0B8 to 183.111.21.100/49 using source 183.109.191.11

*Jan 18 00:41:58: TAC+: 183.111.21.100 (1096121892) AUTHEN/START/LOGIN/ASCII queued

*Jan 18 00:41:58: TAC+: (1096121892) AUTHEN/START/LOGIN/ASCII processed

*Jan 18 00:41:58: TAC+: ver=192 id=1096121892 received AUTHEN status = GETUSER

*Jan 18 00:42:02: TAC+: send AUTHEN/CONT packet id=1096121892

*Jan 18 00:42:02: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued

*Jan 18 00:42:02: TAC+: (1096121892) AUTHEN/CONT processed

*Jan 18 00:42:02: TAC+: ver=192 id=1096121892 received AUTHEN status = GETPASS

*Jan 18 00:42:09: TAC+: send AUTHEN/CONT packet id=1096121892

*Jan 18 00:42:09: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued

*Jan 18 00:42:10: TAC+: (1096121892) AUTHEN/CONT processed

*Jan 18 00:42:10: TAC+: ver=192 id=1096121892 received AUTHEN status = FAIL

*Jan 18 00:42:10: TAC+: Closing TCP/IP 0x7065A0B8 connection to 183.111.21.100/49

*Jan 18 00:42:12: TAC+: no tacacs servers defined in group "tacacs+"

*Jan 18 00:42:12: TAC+: send AUTHEN/START packet ver=192 id=-1420048987

*Jan 18 00:42:12: TAC+: Using default tacacs server-group "tacacs1" list.

*Jan 18 00:42:12: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5

*Jan 18 00:42:12: TAC+: Opened TCP/IP handle 0x62741B98 to 183.111.21.100/49 using source 183.109.191.11

*Jan 18 00:42:12: TAC+: 183.111.21.100 (2874918309) AUTHEN/START/LOGIN/ASCII queued

*Jan 18 00:42:12: TAC+: (2874918309) AUTHEN/START/LOGIN/ASCII processed

*Jan 18 00:42:12: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETUSER

*Jan 18 00:42:16: TAC+: send AUTHEN/CONT packet id=-1420048987

*Jan 18 00:42:16: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued

*Jan 18 00:42:16: TAC+: (2874918309) AUTHEN/CONT processed

*Jan 18 00:42:16: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETPASS

*Jan 18 00:42:19: TAC+: send AUTHEN/CONT packet id=-1420048987

*Jan 18 00:42:19: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued

*Jan 18 00:42:20: TAC+: (2874918309) AUTHEN/CONT processed

*Jan 18 00:42:20: TAC+: ver=192 id=-1420048987 received AUTHEN status = PASS

*Jan 18 00:42:20: TAC+: Closing TCP/IP 0x62741B98 connection to 183.111.21.100/49

crt-tw1-602#

AAA Authentication debugging is on
crt-tw1-602#
*Jan 18 00:39:40: AAA/BIND(00000084): Bind i/f
*Jan 18 00:39:40: AAA/AUTHEN/LOGIN (00000084): Pick method list 'default'
*Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
*Jan 18 00:39:45: AAA/AUTHEN/ENABLE(00000084): Done status GET_PASSWORD
*Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Processing request action LOGIN
*Jan 18 00:39:52: AAA/AUTHEN/ENABLE(00000084): Done status PASS
*Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
*Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
*Jan 18 00:39:54: AAA/MEMORY: create_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
*Jan 18 00:39:54: AAA/MEMORY: free_user (0x62673AC0) user='NULL' ruser='crt-tw1-602' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
*Jan 18 00:39:54: AAA: parse name=tty450 idb type=-1 tty=-1
*Jan 18 00:39:54: AAA: name=tty450 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=450 channel=0
*Jan 18 00:39:54: AAA/MEMORY: create_user (0x7067DF54) user='NULL' ruser='NULL' ds0=0 port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): port='tty450' list='' action=LOGIN service=ENABLE
*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): using "default" list
*Jan 18 00:39:54: AAA/AUTHEN/START (4129965333): Method=tacacs1 (tacacs+)
*Jan 18 00:39:54: TAC+: send AUTHEN/START packet ver=192 id=-165001963
*Jan 18 00:39:54: TAC+: ver=192 id=-165001963 received AUTHEN status = GETUSER
*Jan 18 00:39:54: AAA/AUTHEN(4129965333): Status=GETUSER
*Jan 18 00:40:06: AAA/AUTHEN/CONT (4129965333): continue_login (user='(undef)')
*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETUSER
*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
*Jan 18 00:40:06: TAC+: send AUTHEN/CONT packet id=-165001963
*Jan 18 00:40:06: TAC+: ver=192 id=-165001963 received AUTHEN status = GETPASS
*Jan 18 00:40:06: AAA/AUTHEN(4129965333): Status=GETPASS
*Jan 18 00:40:09: AAA/AUTHEN/CONT (4129965333): continue_login (user='lesterm.admin')
*Jan 18 00:40:09: AAA/AUTHEN(4129965333): Status=GETPASS
*Jan 18 00:40:09: AAA/AUTHEN(4129965333): Method=tacacs1 (tacacs+)
*Jan 18 00:40:09: TAC+: send AUTHEN/CONT packet id=-165001963
*Jan 18 00:40:10: TAC+: ver=192 id=-165001963 received AUTHEN status = PASS
*Jan 18 00:40:10: AAA/AUTHEN(4129965333): Status=PASS
*Jan 18 00:40:10: AAA/MEMORY: free_user (0x7067DF54) user='lesterm.admin' ruser='NULL' port='tty450' rem_addr='183.100.2.99' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
crt-tw1-602#

crt-tw1-602#debug tacacs
TACACS access control debugging is on
crt-tw1-602#
*Jan 18 00:41:44: TPLUS: Queuing AAA Authentication request 133 for processing
*Jan 18 00:41:44: TPLUS: processing authentication start request id 133
*Jan 18 00:41:44: TPLUS: Authentication start packet created for 133()
*Jan 18 00:41:44: TPLUS: Using server 183.111.21.100
*Jan 18 00:41:44: TPLUS(00000085)/0/NB_WAIT/7050EE30: Started 5 sec timeout
*Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out
*Jan 18 00:41:49: TPLUS(00000085)/0/NB_WAIT/7050EE30: timed out, clean up
*Jan 18 00:41:49: TPLUS(00000085)/0/7050EE30: Processing the reply packet
*Jan 18 00:41:58: TAC+: no tacacs servers defined in group "tacacs+"
*Jan 18 00:41:58: TAC+: send AUTHEN/START packet ver=192 id=1096121892
*Jan 18 00:41:58: TAC+: Using default tacacs server-group "tacacs1" list.
*Jan 18 00:41:58: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
*Jan 18 00:41:58: TAC+: Opened TCP/IP handle 0x7065A0B8 to 183.111.21.100/49 using source 183.109.191.11
*Jan 18 00:41:58: TAC+: 183.111.21.100 (1096121892) AUTHEN/START/LOGIN/ASCII queued
*Jan 18 00:41:58: TAC+: (1096121892) AUTHEN/START/LOGIN/ASCII processed
*Jan 18 00:41:58: TAC+: ver=192 id=1096121892 received AUTHEN status = GETUSER
*Jan 18 00:42:02: TAC+: send AUTHEN/CONT packet id=1096121892
*Jan 18 00:42:02: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
*Jan 18 00:42:02: TAC+: (1096121892) AUTHEN/CONT processed
*Jan 18 00:42:02: TAC+: ver=192 id=1096121892 received AUTHEN status = GETPASS
*Jan 18 00:42:09: TAC+: send AUTHEN/CONT packet id=1096121892
*Jan 18 00:42:09: TAC+: 183.111.21.100 (1096121892) AUTHEN/CONT queued
*Jan 18 00:42:10: TAC+: (1096121892) AUTHEN/CONT processed
*Jan 18 00:42:10: TAC+: ver=192 id=1096121892 received AUTHEN status = FAIL
*Jan 18 00:42:10: TAC+: Closing TCP/IP 0x7065A0B8 connection to 183.111.21.100/49
*Jan 18 00:42:12: TAC+: no tacacs servers defined in group "tacacs+"
*Jan 18 00:42:12: TAC+: send AUTHEN/START packet ver=192 id=-1420048987
*Jan 18 00:42:12: TAC+: Using default tacacs server-group "tacacs1" list.
*Jan 18 00:42:12: TAC+: Opening TCP/IP to 183.111.21.100/49 timeout=5
*Jan 18 00:42:12: TAC+: Opened TCP/IP handle 0x62741B98 to 183.111.21.100/49 using source 183.109.191.11
*Jan 18 00:42:12: TAC+: 183.111.21.100 (2874918309) AUTHEN/START/LOGIN/ASCII queued
*Jan 18 00:42:12: TAC+: (2874918309) AUTHEN/START/LOGIN/ASCII processed
*Jan 18 00:42:12: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETUSER
*Jan 18 00:42:16: TAC+: send AUTHEN/CONT packet id=-1420048987
*Jan 18 00:42:16: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
*Jan 18 00:42:16: TAC+: (2874918309) AUTHEN/CONT processed
*Jan 18 00:42:16: TAC+: ver=192 id=-1420048987 received AUTHEN status = GETPASS
*Jan 18 00:42:19: TAC+: send AUTHEN/CONT packet id=-1420048987
*Jan 18 00:42:19: TAC+: 183.111.21.100 (2874918309) AUTHEN/CONT queued
*Jan 18 00:42:20: TAC+: (2874918309) AUTHEN/CONT processed
*Jan 18 00:42:20: TAC+: ver=192 id=-1420048987 received AUTHEN status = PASS
*Jan 18 00:42:20: TAC+: Closing TCP/IP 0x62741B98 connection to 183.111.21.100/49
crt-tw1-602#
crt-tw1-602#

tacacs per VRF

camejia — Tue, 17 Jan 2012 16:54:27 GMT

Hello Lester,

Do you have "tacacs-server" commands on your running configuration? For example:

tacacs-server host 1.1.1.1 key cisco123

tacacs-server host 2.2.2.2 key cisco123

tacacs-server timeout 10

If not, can you define your TACACS+ server IP address and key as described above?

Regards.

tacacs per VRF

camejia — Wed, 18 Jan 2012 19:30:31 GMT

Hello Lester,

Were you able to test my last suggestion and test again?

Regards.

tacacs per VRF

lester-mendoza — Wed, 18 Jan 2012 23:42:24 GMT

Dear Carlos,

I've tried to configure your first suggestion to different (2nd)router and its working, the only difference is the IOS, then i decided to configure again to my 3rd router with the same IOS as my 1st router and it was failed again with the same error

c3845-ipbase-mz.124-17b.bin - working

c3845-ipbase-mz.124-17a.bin - not working

my working config below

aaa group server tacacs+ tacacs1

server-private 183.111.21.100 key 7 08701E430E1F100D08025C5D

ip vrf forwarding NMS

ip tacacs source-interface Vlan89

aaa authentication login default group tacacs1 enable

aaa authentication enable default group tacacs1 enable

aaa authorization commands 0 default group tacacs+ none

aaa authorization commands 1 default group tacacs+ none

aaa authorization commands 15 default group tacacs+ none

! !
aaa group server tacacs+ tacacs1
server-private 183.X.X.X key 7 XXXXXX

ip vrf forwarding NMS
ip tacacs source-interface Vlan89
!
aaa authentication login default group tacacs1 enable
aaa authentication enable default group tacacs1 enable
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
!

im just thinking this is due to IOS? any advice?

thanks

tacacs per VRF

camejia — Wed, 18 Jan 2012 23:55:24 GMT

Lester,

Now that you shared the working and not working IOS version I was able to find the root cause of the issue: BUG

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl39449

VRF aware tacacs config does not work

Symptom:

TACACS+ authentication fails for all users.

Conditions:

Occurs only in VRF TACACS+ setup, when ip vrf
forwarding < vrf name> command is configured for
AAA TACACS+ server group
under aaa group server tacacs+.

Workaround:

There is no workaround.

IOS version 12.4(17a) is listed as a known affected version while 12.4(17b) is listed as a fixed version. Great approach testing the configuration on another IOS Version.

Best Regards.

tacacs per VRF

lester-mendoza — Thu, 19 Jan 2012 00:25:03 GMT

Dear Carlo

I really appreciated your kind help and expertise

have a nice day

rgds

lester