ACS authentication across VPN tunnel

Maher Azem
Level 1

We would like to enable ACS authentication for logging in to the different routers (Cisco 881s) we have that interconnect with our WAN via VPN tunnels. We would like to avoid using a public IP for the router to communicate and relay user/password info with the ACS server, and rely on the server's private IP instead. The problem is that all the routers' outside interfaces connect to the Internet using public IPs, and when a router wants to communicate with the ACS server it will use its public-facing interface IP, and that will fail. We can obviously ping the server when we set the source to the internal LAN IP.

The question is: is there a way to have the router communicate with ACS across the VPN tunnel using its private IP?

Config being used and tested successfully on local devices:

aaa new-model
!
tacacs-server host 10.x.x.x single-connection key xxxxxx
!
aaa authentication login tacacs-local group tacacs+ local
aaa authorization commands x tacacs-local group tacacs+ if-authenticated
aaa authorization exec tacacs-local group tacacs+ if-authenticated
!
privilege exec level x show
!
line vty 0 4
 login authentication tacacs-local
 authorization commands x tacacs-local

- Pinging ACS from the router (connecting to WAN via VPN) when using the router's public IP as the source address:

RT881#ping 10.x.x.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

- Pinging ACS from the router (connecting to WAN via VPN) when using the LAN's private IP as the source address:

RT881#ping 10.x.x.x source 10.x.x.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:
Packet sent with a source address of 10.x.x.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 ms

Looking forward to your answers and suggestions.

Thanks, M.

Accepted Solution

praprama
Cisco Employee

Hey Maher,

You can use the command "ip tacacs source-interface" or "ip radius source-interface" for your scenario.

Hope this helps!

Regards,

Prapanch


6 Replies

andamani
Cisco Employee

Hey,

A topology would be appreciated.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Here is the topology, and no, the query wasn't resolved.

topology_regionals.png

Hey,

I am not able to view it.

Regards,

Anisha

It works fine here. I think it is an issue on your computer.


The command above worked great. Also used it for TFTP.

This is resolved.

Thanks
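The accepted answer's command, expanded into a complete configuration as an added example; this is not config posted by anyone in the thread. It assumes the LAN interface is Vlan1 (holding 10.x.x.1 from the ping test), keeps the poster's 10.x.x.x / xxxxxx / x placeholders, and assumes the site-to-site tunnel's crypto ACL name is VPN-INTERESTING.

```cisco
! Assumed LAN interface: Vlan1 carries 10.x.x.1, the address that reached ACS in the ping test.
aaa new-model
!
! Scope the source interface to a named server group, so only TACACS+ to ACS
! is sourced from the LAN side (the global form follows for older IOS).
aaa group server tacacs+ ACS-GROUP
 server 10.x.x.x
 ip tacacs source-interface Vlan1
!
tacacs-server host 10.x.x.x single-connection key xxxxxx
!
aaa authentication login tacacs-local group ACS-GROUP local
aaa authorization exec tacacs-local group ACS-GROUP if-authenticated
aaa authorization commands x tacacs-local group ACS-GROUP if-authenticated
!
! Global equivalent (used when no server group is defined), plus the same
! fix for the other protocols mentioned in the thread.
ip tacacs source-interface Vlan1
ip radius source-interface Vlan1
ip tftp source-interface Vlan1
!
! Sourcing from Vlan1 only helps if the tunnel's crypto ACL already matches
! LAN -> ACS traffic; the ACL name and prefix length here are assumed.
ip access-list extended VPN-INTERESTING
 permit ip 10.x.x.0 0.0.0.255 10.x.x.0 0.0.0.255
!
line vty 0 4
 login authentication tacacs-local
 authorization exec tacacs-local
 authorization commands x tacacs-local
!
! Check from the console before relying on it for vty logins:
!   test aaa group ACS-GROUP <user> <password> legacy
!   show tacacs
```

Leave the console line on its default (local) authentication so a tunnel outage cannot lock you out while the vty lines wait on the ACS timeout.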