
Authentication Inband and Outband 2921 using AAA

mdrangell22
Level 1

Hello Guys

I have the following AAA configuration on my 2921, using TACACS in ISE:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default stop-only group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

The configuration is fine and I can access with my credentials. Now I need to configure an interface that uses a VRF, and when I try to log in with the IP of that interface I want to be able to do it using a local user. Is there any way to do that?

Right now, if I try to log in using that interface with the VRF, I am able to log in using AAA.

ip vrf mgmt

interface GigabitEthernet0/0
ip vrf forwarding mgmt
ip address 10.30.0.200 255.255.255.0
duplex auto
speed auto

ip route vrf mgmt 0.0.0.0 0.0.0.0 10.30.0.254

5 Replies

What is the issue exactly?
You can telnet to the device using any interface, regardless of whether it is in a VRF or not.
The AAA is not aware of the VRF of the interface; what is important is reachability.
Also make sure that the interface you use to connect to the AAA server is reachable by the server.
Use this command to specify the interface:
ip radius source-interface xxx

MHM

Hello, I don't have any issue.

I just need that when I try to log in using the IP address 10.30.0.200, which is configured on the interface that uses the VRF, the login is done using a local user. If I try to log in with any other IP address configured on my 2921, the login is done using an AAA user.

Please check below.
Good luck

MHM

This is what I have added:

ip access-list extended Denegar
deny ip any 10.30.0.0 0.0.0.255 log
permit ip any any log

ip access-list extended Permitir
permit ip any 10.30.0.0 0.0.0.255 log

aaa authentication login MGMT local

line vty 0 4
access-class Denegar in
exec-timeout 15 0
transport input ssh
line vty 5 15
access-class Denegar in
exec-timeout 15 0
transport input ssh
line vty 16 20
access-class Permitir in
login authentication MGMT
rotary 1
transport input ssh

I don't understand very well what the rotary command does, but it's not working: when I try to access 10.30.0.200 the connection is refused, and I think it's because of the access list Denegar. If I try to log in using any other IP, the login is successful.

Below is a lab of how I configured two methods and used rotary on the vty lines.
Friend, please note that this is a lab; on a real device it may or may not work, so please be careful when configuring the device, and if you can do a lab yourself, test the command list below before applying it.
Thanks a lot.

Goodluck 

MHM

R1#show run
R1#show running-config
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable password enable
!
aaa new-model
!
!
aaa authentication login default line
aaa authentication login mgmt local
!
ip vrf mgmt
rd 1:1
!
username mgmt password 0 mgmt
!
!
interface FastEthernet0/0
ip vrf forwarding mgmt
ip address 100.0.0.1 255.255.255.0
duplex full
!
interface FastEthernet1/1
ip address 200.0.0.1 255.255.255.0
speed auto
duplex auto
!
access-list 10 permit 200.0.0.0 0.0.0.255
access-list 20 permit 100.0.0.0 0.0.0.255
!
line con 0
exec-timeout 0 0
privilege level 15
password mhm
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
access-class 20 in vrf-also
login authentication mgmt
rotary 10
line vty 5 15
access-class 10 in
password mhm
rotary 1
!
!
end

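The two-method design from MHM's lab, rewritten as an added example (not posted in the thread) for the original poster's mgmt VRF, the 10.30.0.200 address and SSH instead of telnet. It assumes management clients reach the router from 10.30.0.0/24 through the mgmt VRF, that a local user named mgmt is wanted (its password is a placeholder), and that SSH has to be bound to the rotary group with ip ssh port; like MHM's lab it has not been tested on real hardware.

```ios
! Added example (not from the thread): MHM's two-method lab adapted to the
! original poster's addressing, with SSH instead of telnet.
! Assumptions: management clients reach 10.30.0.200 from 10.30.0.0/24 through
! the mgmt VRF; every other administrator arrives on a non-VRF interface.
!
! Standard ACLs: access-class matches the SOURCE address of the session,
! so the split is by management subnet, not by the router address dialed.
ip access-list standard MGMT-ONLY
 permit 10.30.0.0 0.0.0.255
ip access-list standard NOT-MGMT
 deny   10.30.0.0 0.0.0.255
 permit any
!
! Named method list for the management group only. The default list
! (group tacacs+ local) from the original post stays on every other vty.
aaa authentication login MGMT local
username mgmt privilege 15 secret MGMT-PASSWORD-PLACEHOLDER
!
! Management group. vrf-also is required: without it, access-class rejects
! any session arriving through a VRF interface no matter what the ACL says.
! rotary 1 reserves these lines for the rotary port only, so normal port-22
! sessions never land on them.
line vty 0 4
 access-class MGMT-ONLY in vrf-also
 login authentication MGMT
 exec-timeout 15 0
 rotary 1
 transport input ssh
!
! Everyone else: default method list (TACACS+, then local if ISE is down).
line vty 5 15
 access-class NOT-MGMT in
 exec-timeout 15 0
 transport input ssh
!
! Telnet follows a rotary group on port 3000+group automatically; SSH does
! not, so bind the group to an SSH port explicitly.
! Management sessions then use:  ssh -p 2001 mgmt@10.30.0.200
! Everyone else keeps using port 22 on the non-VRF addresses.
ip ssh port 2001 rotary 1
```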