Re: 4908G-L3 returns to AAA with different interface than logged

schm196 · ‎06-16-2003

Simple problem (yeah right): I have a 4908G-L3 router configured with two actual interfaces (no HSRP) to my networking core and a whole truckload of other interfaces and subinterfaces for my distribution and access layers (all of them HSRP). I have registered the device as a NAS in ACS 3.1 using one of the two actual interfaces to my networking core. When I now configure AAA on the router it is being ignored and won't work. Checking on the AAA server I find out that the router is trying to perform AAA using every interface under the sun available to it in apparently random (or maybe variably load-balanced EIGRP-dependent) fashion. At about 40+ interfaces that gives me a 2.5% chance of actually getting a AAA response - not good. How can I force the router to perform AAA using the interface IP address that I used to telnet into the box? Any advice will be greatly appreciated!

mhoda · ‎06-16-2003

Hi,

You can try the follwoing :

ip tacacs source-interface interface_name <--For tacacs+

ip radius souce-interface interface_name <--For Radius

interface_name should be replaced by the interface that you want to souce the AAA packet from the router.

I hope this helps ! Thanks,

Mynul

schm196 · ‎06-17-2003

Thanks, but this works only if I that one interface is available - if it's down and I need to get into the router I am stuck with a serial cable. Is there some way to define a virtual interface on this box, like a loopback with an IP address, that I could use to register this NAS in ACS?

mhoda · ‎06-19-2003

Hi,

Yes, it is possible to create a loop back and then use that loop back address to source the radius/tacacs packets. But, pl. make sure that the loopback is reachable to ACS server. Thanks,

Mynul

4908G-L3 returns to AAA with different interface than logged in