04-05-2023 08:14 AM
I have a Cisco ASR 1001-X with Software, Version 16.09.05, and I'm facing a TACACS problem using VRF.
The configuration is as follows:
aaa group server tacacs+ Secure
server name MNG
server name MNG2
ip vrf forwarding OT-CCTV
ip tacacs source-interface TenGigabitEthernet0/0/0.4
!
aaa authentication login Secure group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default local
aaa accounting commands 15 default start-stop group tacacs+
interface TenGigabitEthernet0/0/0.4
encapsulation dot1Q 4
vrf forwarding OT-CCTV
ip address 10.11.11.2 255.255.255.252
cdp enable
ip route vrf OT-CCTV 0.0.0.0 0.0.0.0 10.11.11.1
tacacs server MNG
address ipv4 10.10.10.125
key xxxxxxxxxxx
tacacs server MNG2
address ipv4 10.10.10.225
key xxxxxxxxxxx
line vty 0 4
access-class 7 in vrf-also
logging synchronous
login authentication Secure
transport input telnet ssh
04-05-2023 08:26 AM
Hi
Which kind of TACACS problem? Do you have reachability to the TACACS server going through VRF OT-CCTV?
04-05-2023 08:31 AM
Hi Flavio,
Recently I had to move authentication to a VRF and since then the TACACS authentication has stopped working.
04-05-2023 08:44 AM
And, yes we have connection to the tacacs server.
04-05-2023 09:03 AM
server-private <<- use server-private not server under server group
04-06-2023 12:22 AM
Hi MHM,
Tried that, with the same results....
04-09-2023 12:10 PM
friend
aaa group server tacacs+ Secure
server-private name MNG <<- this server must be reachable via the OT-CCTV VRF RIB
ip vrf forwarding OT-CCTV <<- this server group uses VRF OT-CCTV
ip tacacs source-interface TenGigabitEthernet0/0/0.4 <<- the source of packets to the server must also be in VRF OT-CCTV
Are all of the above correct? Which one is not?
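The three conditions listed above (server reachable in the group's VRF, server group bound to the VRF, source interface in the same VRF) can be checked mechanically against a running-config excerpt. The script below is an added example, not something posted in the thread: it parses the configuration as the forum rendered it (sub-commands unindented, so block boundaries are inferred from command keywords), then reports which of the three conditions fails. The sample input is the poster's own excerpt; the two broken variants (interface without VRF, missing VRF route) are constructed to exercise the checks and do not reflect what was actually wrong on the poster's router.

```python
"""Consistency check for a TACACS+ server group bound to a VRF on Cisco IOS-XE.

Added example; parses an unindented running-config excerpt and verifies that the
server group, its source interface and the routes to its servers agree on the VRF.
"""
import ipaddress
import re

# Constructed sample: the config excerpt posted in this thread, sub-commands
# left unindented exactly as the forum rendered them.
SAMPLE_CONFIG = """
aaa group server tacacs+ Secure
server name MNG
server name MNG2
ip vrf forwarding OT-CCTV
ip tacacs source-interface TenGigabitEthernet0/0/0.4
!
aaa authentication login Secure group tacacs+ local
interface TenGigabitEthernet0/0/0.4
encapsulation dot1Q 4
vrf forwarding OT-CCTV
ip address 10.11.11.2 255.255.255.252
!
ip route vrf OT-CCTV 0.0.0.0 0.0.0.0 10.11.11.1
tacacs server MNG
address ipv4 10.10.10.125
key xxxxxxxxxxx
tacacs server MNG2
address ipv4 10.10.10.225
key xxxxxxxxxxx
"""

# Constructed negative cases: source interface not in the VRF; no route in the VRF.
MISSING_INTF_VRF = SAMPLE_CONFIG.replace("vrf forwarding OT-CCTV\nip address", "ip address")
MISSING_ROUTE = SAMPLE_CONFIG.replace("ip route vrf OT-CCTV 0.0.0.0 0.0.0.0 10.11.11.1\n", "")

# Commands that open a block of sub-commands, and commands that are always global.
BLOCK_HEADERS = ("aaa group server tacacs+ ", "interface ", "tacacs server ", "line ")
GLOBAL_PREFIXES = ("!", "aaa ", "ip route ")


def parse_config(text):
    """Return (server groups, interfaces, tacacs servers, vrf routes) from config text."""
    groups, interfaces, servers, routes = {}, {}, {}, []
    block = None  # (kind, entry) of the block currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = next((h for h in BLOCK_HEADERS if line.startswith(h)), None)
        if header:
            kind, name = header.split()[0], line[len(header):].strip()
            entry = {"name": name}
            if kind == "aaa":
                entry.update(servers=[], vrf=None, source=None)
                groups[name] = entry
            elif kind == "interface":
                entry.update(vrf=None, address=None)
                interfaces[name] = entry
            elif kind == "tacacs":
                entry.update(address=None)
                servers[name] = entry
            block = (kind, entry)
            continue
        if line.startswith("ip route vrf "):
            # ip route vrf <vrf> <prefix> <mask> <next-hop>
            p = line.split()
            routes.append((p[3], ipaddress.ip_network(f"{p[4]}/{p[5]}"), p[6]))
            block = None
            continue
        if line.startswith(GLOBAL_PREFIXES):
            block = None
            continue
        if block is None:
            continue
        kind, entry = block
        if kind == "aaa":
            m = re.match(r"server(?:-private)? name (\S+)", line)
            if m:
                entry["servers"].append(m.group(1))
            elif line.startswith("ip vrf forwarding "):
                entry["vrf"] = line.split()[-1]
            elif line.startswith("ip tacacs source-interface "):
                entry["source"] = line.split()[-1]
        elif kind == "interface":
            if line.startswith(("vrf forwarding ", "ip vrf forwarding ")):
                entry["vrf"] = line.split()[-1]
            elif line.startswith("ip address "):
                addr, mask = line.split()[2:4]
                entry["address"] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif kind == "tacacs" and line.startswith("address ipv4 "):
            entry["address"] = ipaddress.ip_address(line.split()[-1])
    return groups, interfaces, servers, routes


def check_group(config_text, group_name):
    """Return a list of findings (empty when group, source interface and routes agree)."""
    groups, interfaces, servers, routes = parse_config(config_text)
    group = groups.get(group_name)
    if group is None:
        return [f"server group {group_name} not found"]
    findings, vrf = [], group["vrf"]
    if vrf is None:
        findings.append("server group has no 'ip vrf forwarding'")
    src = interfaces.get(group["source"]) if group["source"] else None
    if src is None:
        findings.append(f"source interface {group['source']} is not configured")
    elif src["vrf"] != vrf:
        findings.append(f"source interface {group['source']} is in VRF {src['vrf']}, group uses VRF {vrf}")
    for name in group["servers"]:
        srv = servers.get(name)
        if srv is None or srv["address"] is None:
            findings.append(f"tacacs server {name} has no address")
            continue
        routed = any(r_vrf == vrf and srv["address"] in net for r_vrf, net, _ in routes)
        connected = src is not None and src["address"] is not None and srv["address"] in src["address"].network
        if not (routed or connected):
            findings.append(f"no route in VRF {vrf} covers server {name} ({srv['address']})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("no intf vrf", MISSING_INTF_VRF), ("no route", MISSING_ROUTE)):
        print(label, "->", check_group(cfg, "Secure") or "consistent")
```

Run it against a `show running-config` excerpt; an empty result means the three conditions hold on paper, which still leaves server reachability and key mismatches to be confirmed with the debug commands mentioned later in the thread.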
04-05-2023 11:25 PM
Hello,
I think you need to add the vrf to the source interface:
--> ip tacacs source-interface TenGigabitEthernet0/0/0.4 vrf OT-CCTV
04-06-2023 12:25 AM
Hi Georg,
Unfortunately the router doesn't have that command.
ip tacacs source-interface TenGigabitEthernet0/0/0.4 ?
<cr> <cr>
04-06-2023 01:06 AM
The high-level config looks ok - you mentioned you have reachability to TACACS also using VRF.
Recently I had to move authentication to a VRF and since then the TACACS authentication has stopped working. <<--- What do you get client side when you try to connect to the router? (What logs do you see on the router and TACACS side?)
As I remember, we had the same issue on ASR. What you need to do: remove the AAA config, add the VRF first, then configure the AAA config again to make it work.
The VRF instance must be enabled globally on the router before per VRF for a TACACS+ server is configured.
Config reference -
Also, there are some debug commands to identify the issue if it is not working.
04-06-2023 06:56 AM
Hi Balaji,
The VRF was configured first.
For test purposes I removed all TACACS configuration and put it back again, with the same results.
04-06-2023 09:09 PM
Recently I had to move authentication to a VRF and since then the TACACS authentication has stopped working. <<--- What do you get client side when you try to connect to the router? (What logs do you see on the router and TACACS side?)
debug command if not working to identify the issue <<-- Have you done this?
What TACACS server? (ISE / ACS?)
04-09-2023 12:25 PM
Hello,
looking at various configuration examples, they all use a loopback interface as the source. Not sure if that makes a difference, but give the below a try:
interface Loopback0
ip address 10.0.0.2 255.0.0.0
ip vrf forwarding cisco
!
ip tacacs source-interface Loopback0