Per vrf tacacs+ question

rmedvedev
Level 1

Hi all!
For management purposes I use AAA on TACACS+ server x.x.x.x.
Now I want users in a specific VRF to use their own AAA server y.y.y.y for management,
and leave the possibility for users in the global routing table to use their own.
Is this possible, and will it work in the following configuration?

aaa authentication login default group tacacs+ group test_tacacs local
aaa authorization exec default group tacacs+ group test_tacacs local


interface Loopback0
 ip address l0.l0.l0.l0 255.255.255.255

interface Loopback1
 ip vrf forwarding test_vrf
 ip address l1.l1.l1.l1 255.255.255.255

aaa group server tacacs+ test_tacacs
 server-private y.y.y.y single-connection key ***
 ip vrf forwarding test_vrf
 ip tacacs source-interface Loopback1

ip tacacs source-interface Loopback0
tacacs-server host x.x.x.x single-connection key ***


andamani
Cisco Employee

Hi,

The configuration seems good.

The following link gives the per-VRF configuration:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_pvt.html

Hope this helps.

Regards,
Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

It seems it does not work this way. Regardless of the VRF from which a request comes in, the algorithm tries all the methods sequentially anyway.

And I see no way to separate login AAA depending on the source VRF. If there were something like aaa authentication login ..., then I think the issue would be resolved.
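
The following is an added model, not code from the thread or from Cisco, of how the `default` method list in the question is walked. It assumes the IOS rule that the next method is consulted only when the current one gives no response; `Result`, `evaluate`, `demo` and the sample server answers are constructed for illustration.

```python
# Added illustration: a model of how an IOS login method list is walked.
# Not Cisco code; Result, evaluate() and the sample answers are constructed.
from enum import Enum


class Result(Enum):
    PASS = "pass"    # server answered and accepted the user
    FAIL = "fail"    # server answered and rejected the user
    ERROR = "error"  # no answer (server unreachable or timed out)


# "aaa authentication login default group tacacs+ group test_tacacs local"
# Each entry: (method, VRF used to reach its server; None = global table).
DEFAULT_LIST = [("tacacs+", None), ("test_tacacs", "test_vrf"), ("local", None)]


def evaluate(method_list, answers, client_vrf=None):
    """Return (deciding_method, result, methods_tried).

    client_vrf is accepted but never read: the list is walked the same way
    whichever VRF the login arrived in (the behaviour the thread reports).
    Assumption: only ERROR moves on to the next method; PASS or FAIL is final.
    """
    tried = []
    for method, _server_vrf in method_list:
        tried.append(method)
        result = answers[method]
        if result is not Result.ERROR:
            return method, result, tried
    return None, Result.FAIL, tried


def demo():
    # Constructed case: the account exists only on y.y.y.y (test_tacacs).
    x_up = {"tacacs+": Result.FAIL, "test_tacacs": Result.PASS, "local": Result.FAIL}
    x_down = {**x_up, "tacacs+": Result.ERROR}
    return {
        "x.x.x.x reachable": evaluate(DEFAULT_LIST, x_up, client_vrf="test_vrf"),
        "x.x.x.x unreachable": evaluate(DEFAULT_LIST, x_down, client_vrf="test_vrf"),
    }


if __name__ == "__main__":
    for case, (method, result, tried) in demo().items():
        print(f"{case}: decided by {method} -> {result.value}, tried {tried}")
```

In this model the `ip vrf forwarding` line inside the server group only selects the routing table used to reach y.y.y.y; it does not make the group the first choice for logins that arrive in test_vrf.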