topic What is the issue you are in Network Access Control https://community.cisco.com/t5/network-access-control/3850-aaa-using-mgmt-vrf/m-p/3028098#M24371 <P>What is the issue you are seeing? Is the TACACS packet not reaching the server? Try setting it up using the "aaa group server tacacs+ [Group_Name]" instead of tacacs-server. You should be able to specify the vrf for the aaa servers using the "ip vrf forwarding command". Use the following doc as reference:</P> <P>http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/113667-ios-vrf-tshoot.html</P> <P></P> Fri, 20 Jan 2017 03:54:31 GMT Rahul Govindan 2017-01-20T03:54:31Z 3850 aaa using Mgmt-vrf https://community.cisco.com/t5/network-access-control/3850-aaa-using-mgmt-vrf/m-p/3028097#M24367 <P>I have a 3550 running the latest IOS, cat3k_caa-universalk9. I am having an issue getting aaa authentication working. Below is a copy of my config.</P> <DIV><SPAN class="ansi0 bgAnsi15">aaa new-model</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">!</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">!</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa authentication login default group tacacs+ local</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa authentication login http local</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa authentication enable default group tacacs+ enable</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa authorization exec default group tacacs+ local </SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa authorization commands 15 default group tacacs+ if-authenticated </SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa authorization network default group tacacs+ local </SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa accounting exec default start-stop group tacacs+</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa accounting commands 1 default stop-only group tacacs+</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa accounting commands 15 default start-stop group tacacs+</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa accounting network default start-stop group tacacs+</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa accounting connection default start-stop group tacacs+</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa accounting system default start-stop group tacacs+</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa local authentication default authorization default</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">! </SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">! </SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">! </SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">! </SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">! </SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">! </SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">aaa session-id common</SPAN><SPAN> </SPAN></DIV> <DIV>!</DIV> <DIV>!</DIV> <DIV>-----</DIV> <DIV> <DIV><SPAN class="ansi0 bgAnsi15">interface GigabitEthernet0/0</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15"> vrf forwarding Mgmt-vrf</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15"> ip address 10.226.96.190 255.255.255.0</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15"> negotiation auto</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN></SPAN></DIV> <DIV><SPAN>------------</SPAN></DIV> <DIV> <DIV><SPAN class="ansi0 bgAnsi15">ip route vrf Mgmt-vrf 10.0.0.0 255.0.0.0 10.226.96.1</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">ip tacacs source-interface GigabitEthernet0/0</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15"></SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">------------</SPAN></DIV> <DIV> <DIV><SPAN class="ansi0 bgAnsi15">tacacs-server directed-request</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">tacacs server 10.226.96.253</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">&nbsp;address ipv4 10.226.96.253</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">&nbsp;key&nbsp;****************</SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">&nbsp;timeout 5</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">&nbsp;single-connection</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">tacacs server 10.226.96.254</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">&nbsp;address ipv4 10.226.96.254</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">&nbsp;key **************</SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">&nbsp;timeout 5</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN class="ansi0 bgAnsi15">&nbsp;single-connection</SPAN><SPAN> </SPAN></DIV> <DIV><SPAN></SPAN></DIV> <DIV><SPAN></SPAN></DIV> </DIV> <DIV><SPAN></SPAN></DIV> <DIV><SPAN></SPAN></DIV> </DIV> </DIV> Mon, 11 Mar 2019 07:22:53 GMT https://community.cisco.com/t5/network-access-control/3850-aaa-using-mgmt-vrf/m-p/3028097#M24367 scottsassin 2019-03-11T07:22:53Z What is the issue you are https://community.cisco.com/t5/network-access-control/3850-aaa-using-mgmt-vrf/m-p/3028098#M24371 <P>What is the issue you are seeing? Is the TACACS packet not reaching the server? Try setting it up using the "aaa group server tacacs+ [Group_Name]" instead of tacacs-server. You should be able to specify the vrf for the aaa servers using the "ip vrf forwarding command". Use the following doc as reference:</P> <P>http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/113667-ios-vrf-tshoot.html</P> <P></P> Fri, 20 Jan 2017 03:54:31 GMT https://community.cisco.com/t5/network-access-control/3850-aaa-using-mgmt-vrf/m-p/3028098#M24371 Rahul Govindan 2017-01-20T03:54:31Z