Re: TACACS groups in different VRF

peter.matuska1 · ‎11-24-2020

Hi,

does cisco support multiple tacacs groups on the switch and every tacacs group is in different vrf (different IP addresses).

thank you

balaji.bandi · ‎11-24-2020

Not sure what is the device IOS running here

here is example : is this helps you ?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-3s/sec-usr-tacacs-xe-3s-book/sec-vrf-tacas-svrs.html#:~:text=The%20Per%20VRF%20for%20TACACS%2B,(AAA)%20on%20TACACS%2B%20servers.

BB

=====️ Preenayamo Vasudevam ️=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

peter.matuska1 · ‎11-24-2020

Hi, the doc mentions only 1 vrf. My goal is to have VRF ONE and configured TAC1 tacacs group inside this VRF. Then I wan to have VRF TWO and TAC2 tacacs group inside this VRF. So if all ports in vrf ONE are down, I will be able to login to the device using TAC2 in vrf TWO. I haven't tried to configure it yet, it it just theoretical question.

balaji.bandi · ‎11-24-2020

I have not deployed also tested, as perr the document itself says per VRF. the example give single

you can have more tacacs defined with respect VRF should work.

Nice questions - Nice its time for Lab list for me added

BB

=====️ Preenayamo Vasudevam ️=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Aref Alsouqi · ‎11-25-2020

Yes configuring different aaa groups in different VRFs is supported. However, I did not see this as a very common configuration. Typically you would want to configure the redundancy on the aaa server side, for example, you would have two different RADIUS or TACACS servers, and on the NAD you configure both of them under the same aaa group. But if you want to configure different aaa groups in different VRFs then what you need to do is just to issue the command ip vrf forwarding <the VRF name> under each respective group.