topic Re: Problems with TACACS+ on VRF in Network Access Control

topic Re: Problems with TACACS+ on VRF in Network Access Control https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084545#M215278 <HTML><HEAD></HEAD><BODY><P>Try this:</P><P></P><P><TT>aaa group server tacacs+ TACACS+<BR />  server-private 172.25.25.153 key 7 120D55421A5A0E05262A343C6325<BR />  server-private 172.25.25.154 key 7 09581E5C11541513070D143E7B34<BR />  ip vrf forwarding MANAGEMENT<BR />  ip tacacs source-interface Vlan500 <BR />!<BR /> <SPAN style="color: #ff0000;"><STRONG>ip radius source-interface Vlan500 </STRONG></SPAN></TT></P><P><TT>! </TT></P><P></P><P> So add it in global config as well.</P><P>BTW: what device/IOS version are you running?          </P><HR /><P> <BR />I hope you find this information useful, if it was satisfactory  for you, please mark the question as Answered. <BR /> <BR />Please rate post you consider useful. <BR />-James</P><DIV id="nuan_ria_plugin"><OBJECT height="0" id="plugin0" style="position: absolute; z-index: 1000;" type="application/x-dgnria" width="0"><PARAM name="tabId" /><PARAM name="counter" /></OBJECT></DIV></BODY></HTML> Thu, 06 Dec 2012 02:02:24 GMT jw.sl9 2012-12-06T02:02:24Z Problems with TACACS+ on VRF https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084544#M215277 <P>Hello there,</P><P></P><P>I've configured a management VRF and am trying to get tacacs+ to work. I have done some debugging but I've come to the point where I don't know what I can do more/cant see where im going wrong. bnawaz is my tacacs enabled account and admin is a local account.</P><P></P><P>Below is debug out put and config</P><P></P><P>1w2d: TPLUS: Queuing AAA Authentication request 103 for processing</P><P>1w2d: TPLUS: processing authentication start request id 103</P><P>1w2d: TPLUS: Authentication start packet created for 103(bnawaz)</P><P>1w2d: TPLUS: Using server 172.25.25.153</P><P>1w2d: TPLUS(00000067)/0: Connect Error No route to host</P><P>1w2d: TPLUS: Choosing next server 172.25.25.154</P><P>1w2d: TPLUS(00000067)/0: Connect Error No route to host</P><P>1w2d: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type radius (UNKNOWN)</P><P>1w2d: TPLUS: Queuing AAA Authentication request 103 for processing</P><P>1w2d: TPLUS: processing authentication start request id 103</P><P>1w2d: TPLUS: Authentication start packet created for 103(bnawaz)</P><P>1w2d: TPLUS: Using server 172.25.25.153</P><P>1w2d: TPLUS(00000067)/0: Connect Error No route to host</P><P>1w2d: TPLUS: Choosing next server 172.25.25.154</P><P>1w2d: TPLUS(00000067)/0: Connect Error No route to host</P><P>1w2d: TPLUS: Queuing AAA Authentication request 103 for processing</P><P>1w2d: TPLUS: processing authentication start request id 103</P><P>1w2d: TPLUS: Authentication start packet created for 103(bnawaz)</P><P>1w2d: TPLUS: Using server 172.25.25.153</P><P>1w2d: TPLUS(00000067)/0: Connect Error No route to host</P><P>1w2d: TPLUS: Choosing next server 172.25.25.154</P><P>1w2d: TPLUS(00000067)/0: Connect Error No route to host</P><P>1w2d: TPLUS: Queuing AAA Authentication request 103 for processing</P><P>1w2d: TPLUS: processing authentication start request id 103</P><P>1w2d: TPLUS: Authentication start packet created for 103(bnawaz)</P><P></P><P>1w2d: TAC+: Using default tacacs server-group "tacacs+" list.</P><P>1w2d: TAC+: Opening TCP/IP to 172.25.25.153/49 timeout=5</P><P>1w2d: TAC+: TCP/IP open to 172.25.25.153/49 failed -- Destination unreachable; gateway or host down</P><P>1w2d: TAC+: Opening TCP/IP to 172.25.25.154/49 timeout=5</P><P>1w2d: TAC+: TCP/IP open to 172.25.25.154/49 failed -- Destination unreachable; gateway or host down</P><P>1w2d: TPLUS: Queuing AAA Accounting request 101 for processing</P><P>1w2d: TPLUS: processing accounting request id 101</P><P>1w2d: TPLUS: Sending AV task_id=250</P><P>1w2d: TPLUS: Sending AV timezone=GMT</P><P>1w2d: TPLUS: Sending AV service=shell</P><P>1w2d: TPLUS: Sending AV priv-lvl=15</P><P>1w2d: TPLUS: Sending AV cmd=show running-config <cr></P><P>1w2d: TPLUS: Accounting request created for 101(admin)</P><P>1w2d: TPLUS: Using server 172.25.25.153</P><P>1w2d: TPLUS(00000065)/0: Connect Error No route to host</P><P>1w2d: TPLUS: Choosing next server 172.25.25.154</P><P>1w2d: TPLUS(00000065)/0: Connect Error No route to host</P><P></P><P></P><P>aaa new-model</P><P>!</P><P>!</P><P>aaa group server tacacs+ TACACS+</P><P> server-private 172.25.25.153 key 7 120D55421A5A0E05262A343C6325</P><P> server-private 172.25.25.154 key 7 09581E5C11541513070D143E7B34</P><P> ip vrf forwarding MANAGEMENT</P><P> ip tacacs source-interface Vlan500</P><P>!</P><P>aaa authentication login TACACS+ group tacacs+ group radius local</P><P>aaa authentication enable default group tacacs+ enable</P><P>aaa authorization exec default group tacacs+ local </P><P>aaa authorization commands 15 default group tacacs+ if-authenticated </P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>!         </P><P>ip vrf MANAGEMENT</P><P> rd 99:500</P><P>!</P><P>interface Vlan500</P><P> ip vrf forwarding MANAGEMENT</P><P> ip address 172.25.99.4 255.255.255.240</P><P>!         </P><P>no ip http server</P><P>no ip http secure-server</P><P>!</P><P>!         </P><P>ip route vrf MANAGEMENT 0.0.0.0 0.0.0.0 172.25.99.1 <SPAN style="color: #ff0000;">[THE DEFAULT GW]</SPAN></P><P>!</P><P>line vty 0 4</P><P> login authentication FOS_TACACS+</P><P> transport input ssh</P><P>line vty 5 15</P><P> login authentication FOS_TACACS+</P><P> transport input ssh</P><P>!</P><P>end</P><P></P><P>DMZ-3560-2#ping vrf MANAGEMENT 172.25.25.153</P><P>Type escape sequence to abort.</P><P>Sending 5, 100-byte ICMP Echos to 172.25.25.153, timeout is 2 seconds:</P><P>!!!!!</P><P>Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms</P> Mon, 11 Mar 2019 02:51:16 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084544#M215277 Bilal Nawaz 2019-03-11T02:51:16Z Re: Problems with TACACS+ on VRF https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084545#M215278 <HTML><HEAD></HEAD><BODY><P>Try this:</P><P></P><P><TT>aaa group server tacacs+ TACACS+<BR />  server-private 172.25.25.153 key 7 120D55421A5A0E05262A343C6325<BR />  server-private 172.25.25.154 key 7 09581E5C11541513070D143E7B34<BR />  ip vrf forwarding MANAGEMENT<BR />  ip tacacs source-interface Vlan500 <BR />!<BR /> <SPAN style="color: #ff0000;"><STRONG>ip radius source-interface Vlan500 </STRONG></SPAN></TT></P><P><TT>! </TT></P><P></P><P> So add it in global config as well.</P><P>BTW: what device/IOS version are you running?          </P><HR /><P> <BR />I hope you find this information useful, if it was satisfactory  for you, please mark the question as Answered. <BR /> <BR />Please rate post you consider useful. <BR />-James</P><DIV id="nuan_ria_plugin"><OBJECT height="0" id="plugin0" style="position: absolute; z-index: 1000;" type="application/x-dgnria" width="0"><PARAM name="tabId" /><PARAM name="counter" /></OBJECT></DIV></BODY></HTML> Thu, 06 Dec 2012 02:02:24 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084545#M215278 jw.sl9 2012-12-06T02:02:24Z Re: Problems with TACACS+ on VRF https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084546#M215279 <HTML><HEAD></HEAD><BODY><P>Hi James,</P><P></P><P>Switch Ports Model              SW Version            SW Image                 </P><P>------ ----- -----              ----------            ----------               </P><P>*    1 26    WS-C3560-24TS      15.0(2)SE             C3560-IPSERVICESK9-M     </P><P></P><P>I tried the ip radius source-interface command, but unfortunately didnt work. I read somewhere that it may be trying to use the global routing table hence the "Connect Error No route to host" output from the debug. Perhaps a limitation? not sure?</P><P>Used the global routing table without VRF and it works fine.</P></BODY></HTML> Thu, 06 Dec 2012 08:33:22 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084546#M215279 Bilal Nawaz 2012-12-06T08:33:22Z Problems with TACACS+ on VRF https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084547#M215280 <HTML><HEAD></HEAD><BODY><P>Hi Bilal,</P><P></P><P>Your configuration looks fine. I think this is a issue with the IOS. I have another work around which you could try to fix this. Try putting a static route on the global routing table for the ACS ip address and point it towards the VRF interface as the exit interface. You are basically fooling the router here by offering a route for ACS on the global routing table. A typical static route would be as below.</P><P></P><P><STRONG>ip route 172.25.25.153 255.255.255.255 <X.X.X.X></X.X.X.X></STRONG> where x.x.x.x is router interface ip address which is part of your VRF named MANAGMENT</P><P></P><P>Give a try and let us know how it goes.</P><P></P><P>Regards</P><P></P><P>Najaf</P><P><EM><STRONG>Please rate when applicable or helpful !!!</STRONG></EM></P></BODY></HTML> Thu, 06 Dec 2012 11:02:31 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084547#M215280 kcnajaf 2012-12-06T11:02:31Z Problems with TACACS+ on VRF https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084548#M215281 <HTML><HEAD></HEAD><BODY><P>Hello Najaf,</P><P></P><P>I also tried static default routes to the gateway as well as static routes towards both ACS servers but still didnt seem to work.</P><P></P><P>In terms of tacacs, the global routing table wouldn't know about the VRF network nor the interface.</P><P>i.e when doing a show ip route (when you have a vrf) no routes are displayed of connected interfaces or networks which is expected....</P><P></P><P>ip route 172.25.25.153 255.255.255.255 vlan500 didn't work too.</P></BODY></HTML> Thu, 06 Dec 2012 11:38:57 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084548#M215281 Bilal Nawaz 2012-12-06T11:38:57Z Problems with TACACS+ on VRF https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084549#M215282 <HTML><HEAD></HEAD><BODY><P>Hi Bilal,</P><P></P><P>Could you provide the Show ip route output from global routing table and vrf table? Also you where able to ping the acs servers after adding the static route with all other configuration intact (configuration exactly same as what you have initially posted. </P><P></P><P>Regards</P><P></P><P>Najaf</P></BODY></HTML> Thu, 06 Dec 2012 12:04:43 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084549#M215282 kcnajaf 2012-12-06T12:04:43Z Re: Problems with TACACS+ on VRF https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084550#M215283 <HTML><HEAD></HEAD><BODY><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/2/2/5/117522-DMZ.JPG" class="jive-image" /></P><P>Even if I change the "ip route 172.25.25.153 255.255.255.255 172.25.99.1" to</P><P>172.25.25.153 255.255.255.255 172.25.99.4</P><P></P><P>Still doesn't work.</P></BODY></HTML> Thu, 06 Dec 2012 13:46:59 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084550#M215283 Bilal Nawaz 2012-12-06T13:46:59Z Problems with TACACS+ on VRF https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084551#M215284 <HTML><HEAD></HEAD><BODY><P>Hi Bilal,</P><P></P><P>Try applying the static route as</P><P></P><P><STRONG>ip route 172.25.25.153 255.255.255.255 Vlan500 172.25.99.1</STRONG></P><P></P><P>and verify if the rotue is coming in the global routing table.</P><P></P><P>If it showing up on the routing table try enabling the debug which you have enabled on the initial post and verify if you are getting the same message.</P><P></P><P>Regards</P><P></P><P>Najaf</P></BODY></HTML> Thu, 06 Dec 2012 18:53:32 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084551#M215284 kcnajaf 2012-12-06T18:53:32Z Re: Problems with TACACS+ on VRF https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084552#M215285 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Anyone ever found a way to make this work without using the global routing table as the "management vrf" ? </P><P></P><P>I have the same routing issues as the OP describes. Same config. Same debug output. Tried to use the vlan interface as source interface as well as a loopback in the management vrf. </P><P></P><P>c3750e-universalk9-mz.122-58.SE2.bin but I also experience this with other IOS versions on switches running management in a vrf. </P><P></P><P>Am I required to configure an RD for the vrf the ip tacacs source-interface is using or is it not needed? Right now its just <NOT set="">.</NOT></P><P></P><P></P><P>Thanks</P><P><BR />Regards</P><P>Aleksander</P></BODY></HTML> Tue, 18 Feb 2014 20:59:54 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084552#M215285 aleksander.olsen 2014-02-18T20:59:54Z I have indeed found a way to https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084553#M215286 <P>I have indeed found a way to make this work (with some assistance). It works out that the aaa commands need to reference the TACACS+ group itself, not just default tacacs+ servers defined.</P><P>Hope this helps.</P> Sat, 24 May 2014 13:00:00 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084553#M215286 Bilal Nawaz 2014-05-24T13:00:00Z Hi, I have the same problem https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084554#M215287 <P>Hi,</P><P> </P><P>I have the same problem on an 6503-E (s3223-advipservicesk9_wan-mz.122-33.SXH3a.bin). The configuration with VRF on another 6509-E works but on this model, it not works (I ping the tacacs server with the VRF). Can you detail the way that you found ( the commands ?).</P><P> </P><P>Thank you.</P><P>Regards.</P><P> </P> Thu, 20 Nov 2014 10:33:19 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084554#M215287 dfrenay_olabs 2014-11-20T10:33:19Z aaa group server tacacs+ https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084555#M215288 <P>aaa group server tacacs+ BILAL_TACACS+<BR /> server name DC1_BILALACS01<BR /> server name DC1_BILALACS02<BR /> server name DC1_BILALACS03<BR /> ip vrf forwarding mgmtVrf<BR /> ip tacacs source-interface FastEthernet1<BR />!<BR />aaa authentication login default group tacacs+ local<BR />aaa authentication login BILAL_TACACS+ group BILAL_TACACS+ group radius local<BR />aaa authentication enable default group BILAL_TACACS+ group tacacs+ enable line<BR />aaa authorization exec default group BILAL_TACACS+ local <BR />aaa authorization commands 15 default group BILAL_TACACS+ group tacacs+ local if-authenticated <BR />aaa accounting exec default start-stop group BILAL_TACACS+ group tacacs+<BR />aaa accounting exec BILAL_TACACS+ start-stop group tacacs+<BR />aaa accounting commands 15 default start-stop group BILAL_TACACS+ group tacacs+</P><P>!<BR />ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 10.10.10.10<BR />ip tacacs source-interface FastEthernet1<BR />!<BR />!<BR />tacacs server DC1_BILALACS01<BR /> address ipv4 172.25.24.151<BR /> key 7 xxxxxx<BR />tacacs server DC1_BILALACS02<BR /> address ipv4 172.25.24.152<BR /> key 7 xxxxxx<BR />tacacs server DC1_BILALACS03<BR /> address ipv4 172.25.24.153<BR /> key 7 xxxxxx<BR />!<BR />line con 0<BR /> exec-timeout 0 0<BR /> password 7 xxxxxx<BR /> login authentication BILAL_TACACS+<BR /> stopbits 1<BR />line vty 0 4<BR /> password 7 xxxxxx<BR /> login authentication BILAL_TACACS+<BR /> transport input ssh<BR />line vty 5 15<BR /> accounting commands 0 BILAL_TACACS+<BR /> accounting commands 15 BILAL_TACACS+<BR /> login authentication BILAL_TACACS+<BR /> transport input ssh</P> Thu, 20 Nov 2014 11:28:42 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084555#M215288 Bilal Nawaz 2014-11-20T11:28:42Z Thank you very much. In fact https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084556#M215291 <P>Thank you very much. In fact this is near of my configuration, so the problem is somewhere else.</P><P>Regards.</P> Thu, 20 Nov 2014 12:59:43 GMT https://community.cisco.com/t5/network-access-control/problems-with-tacacs-on-vrf/m-p/2084556#M215291 dfrenay_olabs 2014-11-20T12:59:43Z