TACACS compatibility with VRF lite

hinkle
Level 1

We have command authorization using TACACS currently deployed network wide. We are beginning to deploy routers using VRF lite and within 6 months will deploy full MPLS over a metro-wide fiber network. TACACS is currently not supported using VRF instances and Radius does not support command authorization. My question is what does Cisco recommend as an alternative? Does anyone else have a similar situation and/or solution?

Thanks in advance........

6 Replies

Harold Ritter
Cisco Employee

It seems like TACACS+ per VRF is what you are looking for.

Hope this helps,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

You're right, that is the most logical answer; however, in our test environment, the IP VRF command is not present when we configure TACACS+. The following is our testing setup:

2651 running IOS version 12.2.15ZJ5

1 frame circuit with 2 PVCs

2 FastEthernet interfaces

2 vrf instances, each with one PVC and 1 FastE

aaa group server radius radius1
 server-private 10.x.x.x (etc)
 ip vrf forwarding inside <<<<<<<<<<<<<<<<<<<<<<<<
 ip radius source-interface Loopback0

The same "aaa group" command using TACACS does not include the "ip vrf forwarding" statement. (***see below***)

***************************************************

rel2651(config-sg-tacacs+)#?
TACACS+ Server-group commands:
  default  Set a command to its defaults
  exit     Exit from TACACS+ server-group configuration mode
  no       Negate a command or set its defaults
  server   Specify a TACACS server

rel2651(config-sg-tacacs+)#

**************************************************

Is this an IOS specific issue?

Glenn

Hi,

I think 12.3.7T will get you out of jail. This includes ip vrf forwarding within a tacacs group.

Hope this helps

Andy
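For readers landing on this thread later, here is what the VRF-aware TACACS+ server group looks like once the release supports it (Andy points at 12.3(7)T above). This is an added example, not configuration posted by anyone in the thread or taken from Cisco documentation; the VRF name "inside", the server addresses, the shared key and the loopback are placeholders to be replaced with your own values.

```cisco
! Added example (not from the thread): per-VRF TACACS+ with command
! authorization. Requires an IOS release whose TACACS+ server-group
! sub-mode accepts "ip vrf forwarding"; on the 12.2 image Glenn tested,
! the "?" output above shows that line is simply not offered.
! Placeholders: VRF "inside", servers 192.0.2.10/.11, key, Loopback0.
aaa new-model
!
! TACACS+ server group whose servers are reached through VRF "inside".
! Loopback0 must itself sit in VRF "inside" for the source address to
! be routable toward the servers.
aaa group server tacacs+ TAC-INSIDE
 server-private 192.0.2.10 key 0 EXAMPLE-KEY-PLACEHOLDER
 server-private 192.0.2.11 key 0 EXAMPLE-KEY-PLACEHOLDER
 ip vrf forwarding inside
 ip tacacs source-interface Loopback0
!
! Named method lists pointing at the VRF-aware group, with local
! fallback so a reachability problem inside the VRF does not lock
! administrators out of the box.
aaa authentication login VRF-LOGIN group TAC-INSIDE local
aaa authorization exec VRF-EXEC group TAC-INSIDE local
aaa authorization commands 15 VRF-CMDS group TAC-INSIDE local
aaa authorization config-commands
aaa accounting commands 15 VRF-ACCT start-stop group TAC-INSIDE
!
line vty 0 4
 login authentication VRF-LOGIN
 authorization exec VRF-EXEC
 authorization commands 15 VRF-CMDS
 accounting commands 15 VRF-ACCT
```

Before applying this to a production box, confirm on a lab device that `ip vrf forwarding` is accepted in `config-sg-tacacs+` mode (a plain `?` there, as in Glenn's capture, is the quickest check), and keep a console session open while the method lists are swapped so a mistyped group name or unreachable server does not cost you access.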

Thanks Andy,

I'll check it out. Our local Cisco rep was little help on this issue, maybe it has never come up before.

Do you know if this also works with a Cat 3550 which we run VRF lite in - is there a SW that will enable this support ?

Danne,

I searched the feature navigator ( cisco.com/go/fn ) and there are only 3 IOS versions listed, none of which show support for the 3550. I wanted to use a 2651xm and it is not supported by one of these either. I needed the command level authorization TACACS gave me but it seems that Radius is the only AAA method Cisco is supporting when using VRF lite.

Some other gotchas include DLSW and TFTP (Gee, wonder what we use that for???)

Luck to you,