https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164218#M419058 <HTML><HEAD></HEAD><BODY><P>I believe there is a known issue with this setup and you might need to enter into server mode and then define the vrf forwarding interface something like this:</P><P></P><P>aaa group server tacacs+ TEST</P><P> server X.X.X.X</P><P> ip vrf forwarding LAN </P><P>!</P><P></P><P></P></BODY></HTML> Mon, 09 Feb 2009 18:12:56 GMT Ivan Martinon 2009-02-09T18:12:56Z https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164217#M419056 <P>Hi, </P><P></P><P>I have implemented the TACACS in VPN VRF environment but the same is not working, I am not able to route the ACS servers IP's through the VRF-VPN.</P><P></P><P></P><P> </P><P></P><P>Configuration pasted below</P><P>aaa authentication login default group tacacs+ line </P><P>aaa authentication login no_tacacs line </P><P>aaa authorization exec default group tacacs+ if-authenticated </P><P>aaa authorization commands 0 default group tacacs+ if-authenticated </P><P>aaa authorization commands 1 default group tacacs+ if-authenticated </P><P>aaa authorization commands 15 default group tacacs+ if-authenticated </P><P>aaa accounting exec default start-stop group tacacs+ </P><P>aaa accounting commands 0 default start-stop group tacacs+ </P><P>aaa accounting commands 1 default start-stop group tacacs+ </P><P>aaa accounting commands 15 default start-stop group tacacs+ </P><P>aaa accounting network default start-stop group tacacs+ </P><P>ip tacacs source-interface VLAN1 </P><P>tacacs-server host X.X.X.X </P><P>tacacs-server host 10.10.10.4 </P><P>tacacs-server key 7 ####################333 </P><P>tacacs-server administration </P><P></P><P></P><P>aaa group server tacacs+ tacacs1 </P><P>server-private 10.10.10.4 key ############ </P><P>ip vrf forwarding LAN </P><P>ip tacacs source-interface VLAN1 </P> Sun, 10 Mar 2019 23:19:49 GMT https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164217#M419056 dipumj 2019-03-10T23:19:49Z https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164218#M419058 <HTML><HEAD></HEAD><BODY><P>I believe there is a known issue with this setup and you might need to enter into server mode and then define the vrf forwarding interface something like this:</P><P></P><P>aaa group server tacacs+ TEST</P><P> server X.X.X.X</P><P> ip vrf forwarding LAN </P><P>!</P><P></P><P></P></BODY></HTML> Mon, 09 Feb 2009 18:12:56 GMT https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164218#M419058 Ivan Martinon 2009-02-09T18:12:56Z https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164219#M419060 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>Thanks you so much for your mail,</P><P>I have tried with this but still I am not able make it success</P><P></P><P>aaa group server tacacs+ tacacs1</P><P> server 10.10.10.14</P><P> server 10.10.10.45</P><P> ip vrf forwarding LAN</P><P> ip tacacs source-interface Vlan1</P><P></P><P>It showing authorisation failed when I try a new VTY session. </P><P></P></BODY></HTML> Tue, 10 Feb 2009 12:13:21 GMT https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164219#M419060 dipumj 2009-02-10T12:13:21Z https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164220#M419062 <HTML><HEAD></HEAD><BODY><P>You might need to get some debugs on this box as well as the failed logs from your TACACS server.</P></BODY></HTML> Tue, 10 Feb 2009 15:11:30 GMT https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164220#M419062 Ivan Martinon 2009-02-10T15:11:30Z https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164221#M419064 <HTML><HEAD></HEAD><BODY><P>Hi sorry for late reply.</P><P>Please find below the logs from the router</P><P>Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): free_rec, count 2</P><P>Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): Setting session id 283 : db=846968EC</P><P>Feb 12 14:10:28.748: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)</P><P>Feb 12 14:10:35.450: AAA/BIND(000000BA): Bind i/f </P><P>Feb 12 14:10:35.450: AAA/ACCT/EVENT/(000000BA): CALL START</P><P>Feb 12 14:10:35.450: Getting session id for NET(000000BA) : db=83E3E3B0</P><P>Feb 12 14:10:35.450: AAA/ACCT(00000000): add node, session 284</P><P>Feb 12 14:10:35.450: AAA/ACCT/NET(000000BA): add, count 1</P><P>Feb 12 14:10:35.450: Getting session id for NONE(000000BA) : db=83E3E3B0</P><P>Feb 12 14:10:36.014: AAA/AUTHEN/LOGIN (000000BA): Pick method list 'default' </P><P>Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): STOP protocol reply FAIL</P><P>Feb 12 14:10:38.749: AAA/ACCT(000000B9): Accouting method=NOT_SET</P><P>Feb 12 14:10:38.749: AAA/ACCT(000000B9): Send STOP accounting notification to EM successfully</P><P>Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): Tried all the methods, osr 0</P><P>Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) Record not present</P><P>Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) reccnt 2, csr FALSE, osr 0</P><P>Feb 12 14:10:46.011: AAA/AUTHEN/LINE(000000BA): GET_PASSWORD </P><P>Feb 12 14:11:14.326: AAA/AUTHOR: config command authorization not enabled</P><P>Feb 12 14:11:14.326: AAA/ACCT/CMD(000000B9): Pick method list 'default'</P><P>Feb 12 14:11:14.326: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83E2FF8C, Name default</P><P>Feb 12 14:11:14.330: Getting session id for CMD(000000B9) : db=846968EC</P><P>Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): add, count 3</P><P>Feb 12 14:11:14.330: AAA/ACCT/EVENT/(000000B9): COMMAND</P><P>Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 1</P><P>Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): free_rec, count 2</P><P>Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Setting session id 285 : db=846968EC</P><P>Feb 12 14:11:14.330: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)</P><P>Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Pick method list 'default'</P><P>Feb 12 14:11:16.642: AAA/ACCT/SETMLIST(000000BA): Handle 0, mlist 83E2FEEC, Name default</P><P>Feb 12 14:11:16.642: Getting session id for EXEC(000000BA) : db=83E3E3B0</P><P>Feb 12 14:11:16.642: AAA/ACCT(000000BA): add common node to avl failed</P><P>Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): add, count 2</P><P>Feb 12 14:11:16.642: AAA/ACCT/EVENT/(000000BA): EXEC DOWN</P><P>Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Accounting record not sent</P><P>Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): free_rec, count 1</P><P>Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA) reccnt 1, csr FALSE, osr 0</P><P>Feb 12 14:11:18.425: AAA/AUTHOR: config command authorization not enabled</P><P>Feb 12 14:11:18.425: AAA/ACCT/243(000000B9): Pick method list 'default'</P><P>Feb 12 14:11:18.425: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83144FF8, Name default</P><P>Feb 12 14:11:18.425: Getting session id for CMD(000000B9) : db=846968EC</P><P>Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): add, count 3</P><P>Feb 12 14:11:18.425: AAA/ACCT/EVENT/(000000B9): COMMAND</P><P>Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 2</P><P>Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): free_rec, count 2</P><P>Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Setting session id 286 : db=846968EC</P><P>Feb 12 14:11:18.429: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)</P><P>Feb 12 14:11:18.649: AAA/ACCT/EVENT/(000000BA): CALL STOP</P><P>Feb 12 14:11:18.649: AAA/ACCT/CALL STOP(000000BA): Sending stop requests</P><P>Feb 12 14:11:18.649: AAA/ACCT(000000BA): Send all stops</P><P>Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): STOP</P><P>Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Method list not found</P><P>Feb 12 14:11:18.649: AAA/ACCT(000000BA): del node, session 284</P><P>Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): free_rec, count 0</P><P>Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA) reccnt 0, csr TRUE, osr 0</P><P>Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Last rec in db, intf not enqueued</P></BODY></HTML> Thu, 12 Feb 2009 14:38:36 GMT https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164221#M419064 dipumj 2009-02-12T14:38:36Z https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164222#M419066 <HTML><HEAD></HEAD><BODY><P>aaa authentication login default group tacacs1 line </P><P>aaa authentication login no_tacacs line </P><P>aaa authorization exec default group tacacs1 if-authenticated </P><P>aaa authorization commands 0 default group tacacs1 if-authenticated </P><P>aaa authorization commands 1 default group tacacs1 if-authenticated </P><P>aaa authorization commands 15 default group tacacs1 if-authenticated </P><P>aaa accounting exec default start-stop group tacacs1 </P><P>aaa accounting commands 0 default start-stop group tacacs1 </P><P>aaa accounting commands 1 default start-stop group tacacs1 </P><P>aaa accounting commands 15 default start-stop group tacacs1 </P><P>aaa accounting network default start-stop group tacacs1 </P><P>ip tacacs source-interface VLAN1 </P><P></P><P></P><P>aaa group server tacacs+ tacacs1 </P><P>server-private 10.10.10.4 key ############ </P><P>ip vrf forwarding LAN </P><P>ip tacacs source-interface VLAN1 </P><P></P><P></P><P></P><P>Remove the config below:</P><P></P><P>tacacs-server host X.X.X.X </P><P>tacacs-server host 10.10.10.4 </P><P>tacacs-server key 7 ####################333 </P><P>tacacs-server administration </P></BODY></HTML> Thu, 07 May 2009 18:14:18 GMT https://community.cisco.com/t5/network-access-control/tacacs-not-working-need-help/m-p/1164222#M419066 smak74 2009-05-07T18:14:18Z