02-20-2024 12:02 PM
Hello Guys
I have the following AAA configuration on my 2921, using TACACS+ on ISE:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
The configuration is fine and I can log in with my credentials. Now I need to configure an interface that uses a VRF, and when I log in via the IP of that interface I want to be able to do it using a local user. Is there any way to do that?
Right now, if I try to log in using that VRF interface, I am able to log in using AAA.
ip vrf mgmt
interface GigabitEthernet0/0
ip vrf forwarding mgmt
ip address 10.30.0.200 255.255.255.0
duplex auto
speed auto
ip route vrf mgmt 0.0.0.0 0.0.0.0 10.30.0.254
02-20-2024 12:15 PM
What is the issue exactly?
You can telnet to the device using any interface, regardless of whether it is in a VRF or not.
AAA is not aware of the VRF of the interface; what is important is that the server is reachable.
Also make sure that the interface you use to connect to the AAA server is reachable by the server.
Use this command to specify the interface:
ip radius source-interface xxx
MHM
02-20-2024 12:19 PM
Hello, I don't have any issue.
I just need that when I try to log in using the IP address 10.30.0.200, which is configured on the interface that uses the VRF, the login uses a local user. If I try to log in with any other IP address configured on my 2921, the login should use an AAA user.
02-20-2024 12:29 PM - edited 02-20-2024 03:02 PM
Please check below.
Good luck
MHM
02-20-2024 01:37 PM
This is what I have added:
ip access-list extended Denegar
deny ip any 10.30.0.0 0.0.0.255 log
permit ip any any log
ip access-list extended Permitir
permit ip any 10.30.0.0 0.0.0.255 log
aaa authentication login MGMT local
line vty 0 4
access-class Denegar in
exec-timeout 15 0
transport input ssh
line vty 5 15
access-class Denegar in
exec-timeout 15 0
transport input ssh
line vty 16 20
access-class Permitir in
login authentication MGMT
rotary 1
transport input ssh
I don't understand very well what the rotary command does, but it's not working: when I try to access 10.30.0.200 the connection is refused, and I think it's because of the access list Denegar. If I try to log in using any other IP, the login is successful.
02-20-2024 02:57 PM - edited 02-20-2024 03:01 PM
Below is a lab showing how I configured two methods and used rotary on the vty lines.
FRIEND, please note that this is a lab; on a real device it may or may not work. Please be careful when configuring the device, and if you can build a lab yourself, test the command list below before applying it.
Thanks a lot
Good luck
MHM
R1#show run
R1#show running-config
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable password enable
!
aaa new-model
!
!
aaa authentication login default line
aaa authentication login mgmt local
!
ip vrf mgmt
rd 1:1
!
username mgmt password 0 mgmt
!
!
interface FastEthernet0/0
ip vrf forwarding mgmt
ip address 100.0.0.1 255.255.255.0
duplex full
!
interface FastEthernet1/1
ip address 200.0.0.1 255.255.255.0
speed auto
duplex auto
!
access-list 10 permit 200.0.0.0 0.0.0.255
access-list 20 permit 100.0.0.0 0.0.0.255
!
line con 0
exec-timeout 0 0
privilege level 15
password mhm
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
access-class 20 in vrf-also
login authentication mgmt
rotary 10
line vty 5 15
access-class 10 in
password mhm
rotary 1
!
!
end
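The lab above uses telnet-style rotary groups and a line password; the original question was SSH-only with TACACS+ as the default and local users only on the mgmt VRF address. The following is an added illustration of how those two requirements can be combined (it is not configuration from either poster). It assumes the ACL name, vty ranges and username shown, and that the image supports `ip ssh port ... rotary`, which is what makes SSH sessions land on the rotary group at all; the `vrf-also` keyword is what lets connections arriving through the VRF interface reach the line instead of being refused.

```ios
! Management VRF interface, as in the original question
ip vrf mgmt
!
interface GigabitEthernet0/0
 ip vrf forwarding mgmt
 ip address 10.30.0.200 255.255.255.0
!
! Default method list: TACACS+ with local fallback (from the original post)
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Named list used only by the management-VRF lines: local users only
aaa authentication login MGMT local
! Assumed local account; replace the placeholder with a real secret
username mgmt-admin privilege 15 secret PLACEHOLDER-STRONG-SECRET
!
! Only the management subnet may reach the MGMT pool (assumed subnet);
! a standard ACL under access-class matches the client's source address
ip access-list standard MGMT-ONLY
 permit 10.30.0.0 0.0.0.255
!
! Map SSH on TCP/2001 to rotary group 1 (assumption: supported by this image).
! Port 22 keeps serving the normal pool; "ssh -p 2001 10.30.0.200" hits the MGMT pool.
ip ssh port 2001 rotary 1
!
! Normal pool: default (TACACS+) list, standard SSH on port 22
line vty 0 4
 exec-timeout 15 0
 transport input ssh
!
! Management pool: accepted from VRF interfaces (vrf-also), local users only.
! Note that "aaa accounting commands 15 default ..." still applies to these
! lines, so command records for local-user sessions are still sent to TACACS+.
line vty 5 9
 access-class MGMT-ONLY in vrf-also
 login authentication MGMT
 rotary 1
 exec-timeout 15 0
 transport input ssh
```

Without `vrf-also` on the access-class, sessions that arrive through the VRF interface are refused before authentication, which matches the "connection refused" symptom reported above; without the `ip ssh port` mapping, an SSH client on port 22 never reaches the rotary lines.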