3850 aaa using Mgmt-vrf

scottsassin
Level 1

I have a 3550 running the latest IOS, cat3k_caa-universalk9. I am having an issue getting aaa authentication working. Below is a copy of my config.

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login http local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa local authentication default authorization default
!
!
!
!
!
!
aaa session-id common
!
!
-----
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 10.226.96.190 255.255.255.0
negotiation auto
------------
ip route vrf Mgmt-vrf 10.0.0.0 255.0.0.0 10.226.96.1
ip tacacs source-interface GigabitEthernet0/0
------------
tacacs-server directed-request
tacacs server 10.226.96.253
 address ipv4 10.226.96.253
 key ****************
 timeout 5
 single-connection
tacacs server 10.226.96.254
 address ipv4 10.226.96.254
 key **************
 timeout 5
 single-connection

Accepted Solution

Rahul Govindan
VIP Alumni

What is the issue you are seeing? Is the TACACS packet not reaching the server? Try setting it up using "aaa group server tacacs+ [Group_Name]" instead of tacacs-server. You should be able to specify the VRF for the AAA servers using the "ip vrf forwarding" command. Use the following doc as reference:

http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/113667-ios-vrf-tshoot.html
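
The suggestion above applied to the configuration in the question, as an added example that is not part of the original thread. MGMT-TACACS is a hypothetical group name; the existing "tacacs server" definitions (with their keys) are reused by name, and the method lists are pointed at the named group so that they use its VRF setting.

```cisco
! Added example, not from the original posts.
! MGMT-TACACS is a hypothetical group name.
! The two "tacacs server" entries from the question are referenced by name;
! the group sends their traffic through the management VRF.
aaa group server tacacs+ MGMT-TACACS
 server name 10.226.96.253
 server name 10.226.96.254
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0
!
! Method lists reference the named group instead of "group tacacs+".
! "local" and "enable" stay as fallbacks, as in the question's config.
aaa authentication login default group MGMT-TACACS local
aaa authentication enable default group MGMT-TACACS enable
aaa authorization exec default group MGMT-TACACS local
aaa authorization commands 15 default group MGMT-TACACS if-authenticated
aaa authorization network default group MGMT-TACACS local
aaa accounting exec default start-stop group MGMT-TACACS
aaa accounting commands 1 default stop-only group MGMT-TACACS
aaa accounting commands 15 default start-stop group MGMT-TACACS
aaa accounting network default start-stop group MGMT-TACACS
aaa accounting connection default start-stop group MGMT-TACACS
aaa accounting system default start-stop group MGMT-TACACS
```

Keep a console session open while changing the default method lists, so the local fallback can be tested before the session is closed.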
