Problems with TACACS+ on VRF

Bilal Nawaz
VIP Alumni

Hello there,

I've configured a management VRF and am trying to get TACACS+ to work. I have done some debugging but I've come to the point where I don't know what more I can do / can't see where I'm going wrong. bnawaz is my TACACS-enabled account and admin is a local account.

Below is the debug output and config.

1w2d: TPLUS: Queuing AAA Authentication request 103 for processing
1w2d: TPLUS: processing authentication start request id 103
1w2d: TPLUS: Authentication start packet created for 103(bnawaz)
1w2d: TPLUS: Using server 172.25.25.153
1w2d: TPLUS(00000067)/0: Connect Error No route to host
1w2d: TPLUS: Choosing next server 172.25.25.154
1w2d: TPLUS(00000067)/0: Connect Error No route to host
1w2d: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type radius (UNKNOWN)
1w2d: TPLUS: Queuing AAA Authentication request 103 for processing
1w2d: TPLUS: processing authentication start request id 103
1w2d: TPLUS: Authentication start packet created for 103(bnawaz)
1w2d: TPLUS: Using server 172.25.25.153
1w2d: TPLUS(00000067)/0: Connect Error No route to host
1w2d: TPLUS: Choosing next server 172.25.25.154
1w2d: TPLUS(00000067)/0: Connect Error No route to host
1w2d: TPLUS: Queuing AAA Authentication request 103 for processing
1w2d: TPLUS: processing authentication start request id 103
1w2d: TPLUS: Authentication start packet created for 103(bnawaz)
1w2d: TPLUS: Using server 172.25.25.153
1w2d: TPLUS(00000067)/0: Connect Error No route to host
1w2d: TPLUS: Choosing next server 172.25.25.154
1w2d: TPLUS(00000067)/0: Connect Error No route to host
1w2d: TPLUS: Queuing AAA Authentication request 103 for processing
1w2d: TPLUS: processing authentication start request id 103
1w2d: TPLUS: Authentication start packet created for 103(bnawaz)
1w2d: TAC+: Using default tacacs server-group "tacacs+" list.
1w2d: TAC+: Opening TCP/IP to 172.25.25.153/49 timeout=5
1w2d: TAC+: TCP/IP open to 172.25.25.153/49 failed -- Destination unreachable; gateway or host down
1w2d: TAC+: Opening TCP/IP to 172.25.25.154/49 timeout=5
1w2d: TAC+: TCP/IP open to 172.25.25.154/49 failed -- Destination unreachable; gateway or host down
1w2d: TPLUS: Queuing AAA Accounting request 101 for processing
1w2d: TPLUS: processing accounting request id 101
1w2d: TPLUS: Sending AV task_id=250
1w2d: TPLUS: Sending AV timezone=GMT
1w2d: TPLUS: Sending AV service=shell
1w2d: TPLUS: Sending AV priv-lvl=15
1w2d: TPLUS: Sending AV cmd=show running-config <cr>
1w2d: TPLUS: Accounting request created for 101(admin)
1w2d: TPLUS: Using server 172.25.25.153
1w2d: TPLUS(00000065)/0: Connect Error No route to host
1w2d: TPLUS: Choosing next server 172.25.25.154
1w2d: TPLUS(00000065)/0: Connect Error No route to host

aaa new-model
!
!
aaa group server tacacs+ TACACS+
 server-private 172.25.25.153 key 7 120D55421A5A0E05262A343C6325
 server-private 172.25.25.154 key 7 09581E5C11541513070D143E7B34
 ip vrf forwarding MANAGEMENT
 ip tacacs source-interface Vlan500
!
aaa authentication login TACACS+ group tacacs+ group radius local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
ip vrf MANAGEMENT
 rd 99:500
!
interface Vlan500
 ip vrf forwarding MANAGEMENT
 ip address 172.25.99.4 255.255.255.240
!
no ip http server
no ip http secure-server
!
!
ip route vrf MANAGEMENT 0.0.0.0 0.0.0.0 172.25.99.1 [THE DEFAULT GW]
!
line vty 0 4
 login authentication FOS_TACACS+
 transport input ssh
line vty 5 15
 login authentication FOS_TACACS+
 transport input ssh
!
end

DMZ-3560-2#ping vrf MANAGEMENT 172.25.25.153
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.25.25.153, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

jw.sl9
Level 1

Try this:

aaa group server tacacs+ TACACS+
  server-private 172.25.25.153 key 7 120D55421A5A0E05262A343C6325
  server-private 172.25.25.154 key 7 09581E5C11541513070D143E7B34
  ip vrf forwarding MANAGEMENT
  ip tacacs source-interface Vlan500
!
ip radius source-interface Vlan500

!

So add it in global config as well.

BTW: what device/IOS version are you running?



I hope you find this information useful, if it was satisfactory  for you, please mark the question as Answered.

Please rate post you consider useful.
-James

Hi James,

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 26    WS-C3560-24TS      15.0(2)SE             C3560-IPSERVICESK9-M

I tried the ip radius source-interface command, but unfortunately it didn't work. I read somewhere that it may be trying to use the global routing table, hence the "Connect Error No route to host" output from the debug. Perhaps a limitation? Not sure.

Used the global routing table without VRF and it works fine.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal,

Your configuration looks fine. I think this is an issue with the IOS. I have another workaround which you could try to fix this. Try putting a static route in the global routing table for the ACS IP address and point it towards the VRF interface as the exit interface. You are basically fooling the router here by offering a route for the ACS in the global routing table. A typical static route would be as below.

ip route 172.25.25.153 255.255.255.255 where x.x.x.x is the router interface IP address which is part of your VRF named MANAGEMENT

Give a try and let us know how it goes.

Regards

Najaf

Please rate when applicable or helpful !!!

Hello Najaf,

I also tried static default routes to the gateway as well as static routes towards both ACS servers, but it still didn't seem to work.

In terms of TACACS, the global routing table wouldn't know about the VRF network nor the interface.

i.e. when doing a show ip route (when you have a VRF) no routes are displayed for the connected interfaces or networks, which is expected....

ip route 172.25.25.153 255.255.255.255 vlan500 didn't work either.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal,

Could you provide the show ip route output from the global routing table and the VRF table? Also, were you able to ping the ACS servers after adding the static route with all other configuration intact (configuration exactly the same as what you initially posted)?

Regards

Najaf

Even if I change the "ip route 172.25.25.153 255.255.255.255 172.25.99.1" to

172.25.25.153 255.255.255.255 172.25.99.4

Still doesn't work.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi Bilal,

Try applying the static route as

ip route 172.25.25.153 255.255.255.255 Vlan500 172.25.99.1

and verify if the route is showing up in the global routing table.

If it is showing up in the routing table, try enabling the debug which you had enabled in the initial post and verify if you are getting the same message.

Regards

Najaf

Hi

Has anyone ever found a way to make this work without using the global routing table as the "management vrf"?

I have the same routing issues as the OP describes. Same config. Same debug output. Tried to use the vlan interface as source interface as well as a loopback in the management vrf.

c3750e-universalk9-mz.122-58.SE2.bin but I also experience this with other IOS versions on switches running management in a vrf.

Am I required to configure an RD for the VRF the ip tacacs source-interface is using, or is it not needed? Right now it's just .

Thanks


Regards

Aleksander

I have indeed found a way to make this work (with some assistance). It turns out that the aaa commands need to reference the TACACS+ group itself, not just the default tacacs+ servers defined.

Hope this helps.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi,

I have the same problem on a 6503-E (s3223-advipservicesk9_wan-mz.122-33.SXH3a.bin). The configuration with VRF on another 6509-E works, but on this model it does not work (I can ping the tacacs server with the VRF). Can you detail the way that you found (the commands?).

Thank you.

Regards.


aaa group server tacacs+ BILAL_TACACS+
 server name DC1_BILALACS01
 server name DC1_BILALACS02
 server name DC1_BILALACS03
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
!
aaa authentication login default group tacacs+ local
aaa authentication login BILAL_TACACS+ group BILAL_TACACS+ group radius local
aaa authentication enable default group BILAL_TACACS+ group tacacs+ enable line
aaa authorization exec default group BILAL_TACACS+ local 
aaa authorization commands 15 default group BILAL_TACACS+ group tacacs+ local if-authenticated 
aaa accounting exec default start-stop group BILAL_TACACS+ group tacacs+
aaa accounting exec BILAL_TACACS+ start-stop group tacacs+
aaa accounting commands 15 default start-stop group BILAL_TACACS+ group tacacs+

!
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 10.10.10.10
ip tacacs source-interface FastEthernet1
!
!
tacacs server DC1_BILALACS01
 address ipv4 172.25.24.151
 key 7 xxxxxx
tacacs server DC1_BILALACS02
 address ipv4 172.25.24.152
 key 7 xxxxxx
tacacs server DC1_BILALACS03
 address ipv4 172.25.24.153
 key 7 xxxxxx
!
line con 0
 exec-timeout 0 0
 password 7 xxxxxx
 login authentication BILAL_TACACS+
 stopbits 1
line vty 0 4
 password 7 xxxxxx
 login authentication BILAL_TACACS+
 transport input ssh
line vty 5 15
 accounting commands 0 BILAL_TACACS+
 accounting commands 15 BILAL_TACACS+
 login authentication BILAL_TACACS+
 transport input ssh

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
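The fix in the post above comes down to one distinction: `group tacacs+` is the built-in group, which reaches servers through the global routing table, while the named group that carries `ip vrf forwarding` is the only one that knows about the management VRF. A method list pointing at the wrong one never reaches the servers and silently falls through to the next method, typically `local`, so the device keeps working in a weaker state than intended and the debug output is the only visible sign. As an added example (my own code, not from this thread or from Cisco), the Python below reads an IOS-style running configuration and flags two things: AAA method lists that reference a built-in group of the same protocol as a VRF-bound named group, and `line` blocks whose `login authentication` list is never defined. The two embedded configurations are constructed from the thread's before and after snippets; `lint_aaa`, the finding codes and the regexes are my own naming and only cover the command shapes seen in this thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a reduced copy of the thread's original, non-working config.
# The VRF binding lives only on the named group "TACACS+", but every method list
# points at the built-in "tacacs+" group, which routes via the global table.
BROKEN_CONFIG = """\
aaa new-model
!
aaa group server tacacs+ TACACS+
 server-private 172.25.25.153 key 7 120D55421A5A0E05262A343C6325
 server-private 172.25.25.154 key 7 09581E5C11541513070D143E7B34
 ip vrf forwarding MANAGEMENT
 ip tacacs source-interface Vlan500
!
aaa authentication login TACACS+ group tacacs+ group radius local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 login authentication FOS_TACACS+
 transport input ssh
"""

# Constructed sample: the same device after the thread's fix, with the method
# lists referencing the VRF-bound named group and the vty lines using that list.
FIXED_CONFIG = """\
aaa new-model
!
aaa group server tacacs+ TACACS+
 server-private 172.25.25.153 key 7 120D55421A5A0E05262A343C6325
 ip vrf forwarding MANAGEMENT
 ip tacacs source-interface Vlan500
!
aaa authentication login TACACS+ group TACACS+ local
aaa authentication enable default group TACACS+ enable
aaa authorization exec default group TACACS+ local
aaa accounting commands 15 default start-stop group TACACS+
!
line vty 0 4
 login authentication TACACS+
 transport input ssh
"""

GROUP_HDR_RE = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)$")
# aaa <kind> <subtype> [<level>] <list-name> <methods...>
AAA_LIST_RE = re.compile(
    r"^aaa (authentication|authorization|accounting) (\S+)(?: (\d+))? (\S+) (.*)$"
)
LINE_HDR_RE = re.compile(r"^line \S+")
LINE_LOGIN_RE = re.compile(r"^\s+login authentication (\S+)$")
BUILTIN_GROUPS = {"tacacs+", "radius"}  # implicit groups of all global servers

Finding = Tuple[str, str]  # (finding code, offending line or location)


def lint_aaa(config: str) -> List[Finding]:
    """Return findings for AAA method lists that cannot reach VRF-bound servers."""
    vrf_groups: Dict[str, Tuple[str, str]] = {}  # group name -> (protocol, vrf)
    login_lists = {"default"}                     # names defined for login auth
    aaa_lines: List[Tuple[str, str]] = []         # (full line, methods string)
    line_logins: List[Tuple[str, str]] = []       # (line header, referenced list)
    current_group: Optional[Tuple[str, str]] = None
    current_line: Optional[str] = None

    for raw in config.splitlines():
        if not raw.startswith(" "):
            current_group = current_line = None  # any top-level command ends a block
        m = GROUP_HDR_RE.match(raw)
        if m:
            current_group = (m.group(1), m.group(2))
            continue
        if current_group and raw.strip().startswith("ip vrf forwarding "):
            proto, name = current_group
            vrf_groups[name] = (proto, raw.split()[-1])
            continue
        m = AAA_LIST_RE.match(raw)
        if m:
            kind, subtype, _level, list_name, methods = m.groups()
            if kind == "authentication" and subtype == "login":
                login_lists.add(list_name)
            aaa_lines.append((raw, methods))
            continue
        if LINE_HDR_RE.match(raw):
            current_line = raw
            continue
        m = LINE_LOGIN_RE.match(raw)
        if m and current_line:
            line_logins.append((current_line, m.group(1)))

    vrf_protocols = {proto for proto, _ in vrf_groups.values()}
    findings: List[Finding] = []
    for raw, methods in aaa_lines:
        for grp in re.findall(r"\bgroup (\S+)", methods):
            # A built-in group of a protocol whose servers live in a VRF-bound
            # named group will try the global table and fail, as in the debug.
            if grp in BUILTIN_GROUPS and grp in vrf_protocols:
                findings.append(("GLOBAL_GROUP", raw))
                break
    for header, list_name in line_logins:
        if list_name not in login_lists:
            findings.append(("UNDEFINED_LIST", f"{header}: login authentication {list_name}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for code, where in lint_aaa(cfg) or [("OK", "no AAA/VRF mismatches found")]:
            print(f"{code:15} {where}")
```

Run against the first configuration it reports every method list that uses `group tacacs+` while the servers are bound to the MANAGEMENT VRF, plus the vty lines that call a login list the config never defines; the fixed configuration produces no findings. Feeding it a real `show running-config` is a cheap check to add to a config-audit pipeline, since this class of mistake leaves the device reachable but authenticating against the wrong method.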

Thank you very much. In fact this is close to my configuration, so the problem is somewhere else.

Regards.