Per VRF Tacacs+ - not working

Dan Brook
Level 1

I'm trying to configure per VRF tacacs+ on a 2901 running IOS 15.2(4)M2.

 

I have the following configured:

 

aaa new-model
!
!
aaa group server tacacs+ MYGROUP
 server-private 1.2.3.4 key cisco
 ip vrf forwarding vpn_nms
 ip tacacs source-interface Loopback100
!
aaa authentication login default local
aaa authentication login MYGROUP group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group MYGROUP if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
ip vrf forwarding
!
!
ip vrf vpn_nms
 rd 65XXX:3
!

interface Loopback100
 description NMS LOOPBACK
 ip vrf forwarding vpn_nms
 ip address 10.10.10.10 255.255.255.255

!

tacacs-server host 1.2.3.4
tacacs-server directed-request
tacacs-server key cisco

!

line con 0
 privilege level 15
 logging synchronous
 login authentication MYGROUP
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login authentication MYGROUP
 length 0
 transport input all

 

I know some of this config is redundant but I have been trying different things and getting nowhere.
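
Added example, not part of the original post: on IOS, `group tacacs+` in a method list selects the servers defined globally with `tacacs-server host`, while `server-private` and `ip vrf forwarding` take effect only for method lists that name the server group itself. This Python check lists the VRF-bound server groups and the method lists that still point at `group tacacs+`; the function names are hypothetical and the sample is constructed from the AAA lines of the configuration above.

```python
import re

# Constructed sample: AAA-related lines copied from the configuration in the post.
SAMPLE_CONFIG = """\
aaa group server tacacs+ MYGROUP
 server-private 1.2.3.4 key cisco
 ip vrf forwarding vpn_nms
 ip tacacs source-interface Loopback100
aaa authentication login default local
aaa authentication login MYGROUP group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group MYGROUP if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 1.2.3.4
"""

# aaa <type> <service [level]> <list-name> <methods...>
METHOD_LIST = re.compile(
    r"aaa (authentication|authorization|accounting) (\S+(?: \d+)?) (\S+) (.*)")

def vrf_server_groups(config):
    """Return {server_group: vrf} for TACACS+ server groups bound to a VRF."""
    groups, current = {}, None
    for line in config.splitlines():
        header = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if header:
            current = header.group(1)
        elif current and line.startswith(" "):
            vrf = re.match(r"\s+ip vrf forwarding (\S+)", line)
            if vrf:
                groups[current] = vrf.group(1)
        else:
            current = None  # left the server-group sub-mode
    return groups

def lists_using_default_group(config):
    """Return (service, list_name) for method lists that reference
    'group tacacs+' (global servers) instead of a named server group."""
    hits = []
    for line in config.splitlines():
        m = METHOD_LIST.match(line)
        if m and re.search(r"group tacacs\+(\s|$)", m.group(4)):
            hits.append((f"{m.group(1)} {m.group(2)}", m.group(3)))
    return hits

if __name__ == "__main__":
    print("VRF-bound server groups:", vrf_server_groups(SAMPLE_CONFIG))
    for service, name in lists_using_default_group(SAMPLE_CONFIG):
        print(f"{service} list '{name}' uses the global 'group tacacs+'")
```

In the sample, the login list applied to the console and vty lines is named MYGROUP but its method is `group tacacs+`, so it is reported along with the enable and accounting lists.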
