4908G-L3 returns to AAA with different interface than logged in

Simple problem (yeah right): I have a 4908G-L3 router configured with two actual interfaces (no HSRP) to my networking core and a whole truckload of other interfaces and subinterfaces for my distribution and access layers (all of them HSRP). I have registered the device as a NAS in ACS 3.1 using one of the two actual interfaces to my networking core. When I now configure AAA on the router it is being ignored and won't work. Checking on the AAA server I find out that the router is trying to perform AAA using every interface under the sun available to it in apparently random (or maybe variably load-balanced EIGRP-dependent) fashion. At about 40+ interfaces that gives me a 2.5% chance of actually getting a AAA response - not good. How can I force the router to perform AAA using the interface IP address that I used to telnet into the box? Any advice will be greatly appreciated!

Re: 4908G-L3 returns to AAA with different interface than logged

Hi,

You can try the following:

ip tacacs source-interface interface_name <--For tacacs+

ip radius source-interface interface_name <--For Radius

interface_name should be replaced by the interface that you want to source the AAA packet from the router.

I hope this helps! Thanks,

Mynul

Re: 4908G-L3 returns to AAA with different interface than logged

Thanks, but this works only if that one interface is available - if it's down and I need to get into the router I am stuck with a serial cable. Is there some way to define a virtual interface on this box, like a loopback with an IP address, that I could use to register this NAS in ACS?

Re: 4908G-L3 returns to AAA with different interface than logged

Hi,

Yes, it is possible to create a loopback and then use that loopback address to source the radius/tacacs packets. But please make sure that the loopback is reachable from the ACS server. Thanks,

Mynul
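
An added example, not part of the thread and not Cisco code: a short Python check that reads a saved running-config and reports, for TACACS+ and RADIUS, which address the `source-interface` commands suggested above would present to ACS and whether that interface is a loopback with an address. The sample config, its interface names and addresses are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample config (not from the thread); addresses are documentation ranges.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet1
 ip address 198.51.100.1 255.255.255.0
 shutdown
!
ip tacacs source-interface Loopback0
ip radius source-interface GigabitEthernet1
"""

def parse_interfaces(config):
    """Map interface name -> {'ip': address or None, 'shutdown': bool}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), {"ip": None, "shutdown": False})
        elif not line.startswith(" "):
            current = None  # any other unindented line ends the interface block
        elif current is not None:
            addr = re.match(r" ip address (\d+\.\d+\.\d+\.\d+) ", line)
            if addr:
                current["ip"] = addr.group(1)
            elif line.strip() == "shutdown":
                current["shutdown"] = True
    return interfaces

def audit_aaa_source(config):
    """Return {protocol: (NAS address to register or None, [findings])}."""
    interfaces, report = parse_interfaces(config), {}
    for proto in ("tacacs", "radius"):
        cmd = re.search(rf"^ip {proto} source-interface (\S+)", config, re.M)
        if not cmd:
            report[proto] = (None, ["no source-interface set"])
            continue
        name = cmd.group(1)
        intf = interfaces.get(name, {"ip": None, "shutdown": False})
        checks = [(intf["ip"] is None, "has no IP address"),
                  (intf["shutdown"], "is shut down"),
                  (not name.lower().startswith("loopback"), "is not a loopback")]
        report[proto] = (intf["ip"], [f"{name} {msg}" for failed, msg in checks if failed])
    return report
```

The address returned for each protocol is the one to register for this NAS in ACS; an empty findings list means the source is a configured loopback that is not shut down.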