TACACS authentication over the VPN tunnel - How To?

evguenipesliak
Level 1

Hi all,

There are multiple examples on how to set up TACACS authentication/authorization on the PIXs, but they all seem to use a local ACS (on the inside interface of the PIX). What if we have the ACS at a remote site and have to send AAA requests across the VPN tunnel? Is this supported by Cisco? Should I still use "aaa-server TACACS (inside)...", or is it considered to be on an outside interface? Any examples out there? Same question for the ASA appliance (8.0(3)).

Thank you,

Evgueni

17 Replies

Hi,

I have an ASA 5510 running 8.2(4) code. I have a site-to-site VPN of which this ASA is the remote end. I'm trying to tunnel NTP and authentication traffic through the VPN tunnel but SSH in the clear, so both traffic types terminate and originate from the outside interfaces. The authentication method is TACACS at the moment and I've specified the outside interface for this.

So far I can't seem to get this working; any ideas?

Update - got this working by simply upgrading to v8.2(5). One thing left: how do I authenticate from a standby ASA across the active VPN? (I can't see how this is done, unless somehow the inside interfaces are used.)

Mike,
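Putting the two posts above together (the original question about which interface to name in `aaa-server`, and Mike's working 8.2(5) setup that sources TACACS+ from the outside interface), the following is an added ASA 8.2-style configuration example for the remote end of the tunnel. It is not configuration posted in this thread. All addresses, the object and interface names, the ACS address and the keys are assumed for illustration. The point it shows is the one the thread circles around: the AAA traffic is sourced from the ASA's own interface address, so the crypto ACL (and its mirror on the hub side) must match that address as a host, not just the LAN subnet.

```cisco
! Added example, not from the thread. Assumed topology:
!   remote ASA  outside 203.0.113.2, inside 192.168.10.1/24
!   hub VPN peer        198.51.100.1
!   ACS (TACACS+)       10.1.1.50 on the hub LAN 10.1.1.0/24
! Interface names, object names and keys are hypothetical placeholders.

! 1. AAA server group. The interface in parentheses is the one the ASA sources
!    TACACS+ from, so that interface's address is what the ACS sees as the AAA
!    client and what the crypto ACL has to match. Mike's working 8.2(5) config
!    used outside; the usual alternative is (inside) together with
!    "management-access inside" so ASA-originated traffic from the inside
!    address is allowed into the tunnel - then use the inside IP in step 2.
aaa-server ACS protocol tacacs+
aaa-server ACS (outside) host 10.1.1.50
 key <tacacs-shared-secret>
 timeout 5
! Keep LOCAL as fallback so the box stays reachable if the tunnel is down.
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL

! 2. Crypto ACL: LAN-to-LAN plus a host entry for the ASA's own source
!    address. Without the host line the TACACS+ packets never match the
!    tunnel and leave in the clear (or are dropped).
access-list L2L-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list L2L-TRAFFIC extended permit ip host 203.0.113.2 host 10.1.1.50

! 3. NAT exemption for LAN traffic (8.2 syntax). Use the specific remote
!    subnet rather than 0.0.0.0/0, as the later reply in this thread found.
access-list NO-NAT extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NO-NAT

! 4. Site-to-site tunnel to the hub.
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <ipsec-psk>
```

The hub side needs the mirror image: a crypto ACL entry `permit ip host 10.1.1.50 host 203.0.113.2` and a matching NAT exemption, and the ACS must have 203.0.113.2 defined as the AAA client with the same shared secret. To check it end to end without locking yourself out, run `test aaa-server authentication ACS host 10.1.1.50 username <user> password <pw>` on the ASA and watch `show crypto ipsec sa` for the host-to-host SA's encaps/decaps counters moving; only after that succeeds add the `aaa authentication ... ACS LOCAL` lines.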

 

I know this is a very old forum but I am having this same issue.  However, I was able to get DHCP to work across the tunnel so local clients can pull DHCP across the tunnel.  This only worked when I created an SVI for the VLAN in question and added the 'ip helper-address' command.  I also had to make sure I was using a more specific network object instead of an all subnets object (0.0.0.0/0) for NAT exemption and the ACL for tunnel traffic.  Once this was done, I was able to pull DHCP from the main DC.