1188 Views | 1 Helpful | 12 Replies

Tacacs in VRF

ruifernando (Level 1)

I have a Cisco ASR 1001-X with Software, Version 16.09.05, and I'm facing a TACACS+ problem using VRF.
The configuration is as follows:

aaa group server tacacs+ Secure
server name MNG
server name MNG2
ip vrf forwarding OT-CCTV
ip tacacs source-interface TenGigabitEthernet0/0/0.4
!
aaa authentication login Secure group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default local
aaa accounting commands 15 default start-stop group tacacs+

interface TenGigabitEthernet0/0/0.4
encapsulation dot1Q 4
vrf forwarding OT-CCTV
ip address 10.11.11.2 255.255.255.252
cdp enable

ip route vrf OT-CCTV 0.0.0.0 0.0.0.0 10.11.11.1 

tacacs server MNG
address ipv4 10.10.10.125
key xxxxxxxxxxx
tacacs server MNG2
address ipv4 10.10.10.225
key xxxxxxxxxxx
line vty 0 4
access-class 7 in vrf-also
logging synchronous
login authentication Secure
transport input telnet ssh

12 Replies

Hi,

Which kind of TACACS problem? Do you have reachability to the TACACS server going through VRF OT-CCTV?


Hi Flavio,

Recently I had to move authentication to a VRF and since then the TACACS authentication stopped working.

And, yes, we have connection to the TACACS server.

server-private <<- use server-private, not server, under the server group

Hi MHM,

Tried that with the same results...

Friend,
aaa group server tacacs+ Secure
server-private name MNG <<- this server must be reachable via the OT-CCTV VRF RIB
ip vrf forwarding OT-CCTV <<- this server group uses VRF OT-CCTV
ip tacacs source-interface TenGigabitEthernet0/0/0.4 <<- the source of the packets to the server must also be in VRF OT-CCTV

Are all of the above correct? Which one is not?

Hello,

I think you need to add the vrf to the source interface:

--> ip tacacs source-interface TenGigabitEthernet0/0/0.4 vrf OT-CCTV

Hi Georg,

Unfortunately the router doesn't have that command:

ip tacacs source-interface TenGigabitEthernet0/0/0.4 ?
<cr> <cr>

balaji.bandi (Hall of Fame)

The high-level config looks ok - you mentioned you have reachability to TACACS also using VRF.

Recently I had to move authentication to a VRF and since then the TACACS authentication stopped working. <<--- What do you get on the client side when you try to connect to the router? (What logs do you see on the router and TACACS side?)

As I remember, we had the same issue on an ASR. What you need to do is remove the AAA config, add the VRF first, and then configure the AAA config for it to work.

Restrictions for Per VRF for TACACS Servers

  • The VRF instance must be enabled globally on the router before per VRF for a TACACS+ server is configured.

Config reference -

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-16-9/sec-usr-tacacs-xe-16-9-book/sec-vrf-tacas-svrs.html

Also, there are some debug commands to identify the issue if it is not working.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
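To make the checklist from the replies above concrete (server-private under the group, the group bound to the VRF, the source interface in the same VRF, the server reachable through that VRF's RIB, and the VRF defined before the AAA config), here is an added example of a small config lint in Python. It is not Cisco tooling or code from anyone in the thread. It parses a running-config style text, builds a model of the VRFs, TACACS+ groups and servers, interfaces and VRF static routes, and reports what violates the per-VRF rules. The sample config is constructed from the one posted at the top of the thread; the `vrf definition OT-CCTV` line is an assumption (the original paste omitted it), and the parser only understands the handful of commands that appear in this thread.

```python
"""Lint a Cisco IOS-XE per-VRF TACACS+ configuration (added example, not Cisco
tooling). It checks the points raised in this thread: the VRF under the server
group is defined, servers are attached with server-private, the source
interface sits in the same VRF, and the VRF's static routes or connected
subnets cover each server address."""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample modelled on the config posted in the thread; the
# `vrf definition` line is an assumption, since the original paste omitted it.
CONFIG_AS_POSTED = """\
vrf definition OT-CCTV
aaa group server tacacs+ Secure
 server name MNG
 server name MNG2
 ip vrf forwarding OT-CCTV
 ip tacacs source-interface TenGigabitEthernet0/0/0.4
interface TenGigabitEthernet0/0/0.4
 vrf forwarding OT-CCTV
 ip address 10.11.11.2 255.255.255.252
ip route vrf OT-CCTV 0.0.0.0 0.0.0.0 10.11.11.1
tacacs server MNG
 address ipv4 10.10.10.125
tacacs server MNG2
 address ipv4 10.10.10.225
"""
# The same config with the change suggested in the thread applied.
CONFIG_FIXED = CONFIG_AS_POSTED.replace(" server name ", " server-private name ")

def parse_blocks(text):
    """Split IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line.strip(), []))
    return blocks

def build_model(text):
    """Extract VRFs, TACACS+ groups and servers, interfaces and VRF static routes."""
    m = {"vrfs": set(), "groups": {}, "servers": {}, "interfaces": {}, "routes": {}}
    for header, children in parse_blocks(text):
        w = header.split()
        if header.startswith("vrf definition "):
            m["vrfs"].add(w[2])
        elif header.startswith("aaa group server tacacs+ "):
            g = {"servers": [], "vrf": None, "source_if": None}
            for c in children:
                cw = c.split()
                if c.startswith("server-private name "):
                    g["servers"].append((cw[2], True))   # private: VRF-capable
                elif c.startswith("server name "):
                    g["servers"].append((cw[2], False))  # shared global server
                elif c.startswith("ip vrf forwarding "):
                    g["vrf"] = cw[3]
                elif c.startswith("ip tacacs source-interface "):
                    g["source_if"] = cw[3]
            m["groups"][w[4]] = g
        elif header.startswith("tacacs server "):
            for c in children:
                if c.startswith("address ipv4 "):
                    m["servers"][w[2]] = ip_address(c.split()[2])
        elif header.startswith("interface "):
            intf = {"vrf": None, "ip": None}
            for c in children:
                cw = c.split()
                if c.startswith("vrf forwarding ") or c.startswith("ip vrf forwarding "):
                    intf["vrf"] = cw[-1]
                elif c.startswith("ip address ") and len(cw) == 4:
                    intf["ip"] = ip_interface(f"{cw[2]}/{cw[3]}")
            m["interfaces"][w[1]] = intf
        elif header.startswith("ip route vrf ") and len(w) >= 6:
            # ip route vrf <vrf> <prefix> <mask> <next-hop>
            m["routes"].setdefault(w[3], []).append(ip_network(f"{w[4]}/{w[5]}", strict=False))
    return m

def reachable_in_vrf(m, vrf, addr):
    """True if a connected subnet or a static route inside `vrf` covers `addr`."""
    connected = [i["ip"].network for i in m["interfaces"].values() if i["vrf"] == vrf and i["ip"]]
    return any(addr in net for net in connected + m["routes"].get(vrf, []))

def lint(text):
    """Return a list of findings; an empty list means the per-VRF checks pass."""
    m, findings = build_model(text), []
    for gname, g in m["groups"].items():
        vrf = g["vrf"]
        if vrf is None:
            continue  # group uses the global table; per-VRF rules do not apply
        if vrf not in m["vrfs"]:
            findings.append(f"{gname}: VRF {vrf} is not defined; define it before the AAA config")
        for sname, private in g["servers"]:
            if not private:
                findings.append(f"{gname}: {sname} uses 'server name'; a VRF group needs 'server-private'")
            addr = m["servers"].get(sname)
            if addr is not None and not reachable_in_vrf(m, vrf, addr):
                findings.append(f"{gname}: no route to {sname} ({addr}) in VRF {vrf}")
        src = g["source_if"]
        if src is not None:
            intf = m["interfaces"].get(src)
            if intf is None:
                findings.append(f"{gname}: source interface {src} is not configured")
            elif intf["vrf"] != vrf:
                findings.append(f"{gname}: source interface {src} is in VRF {intf['vrf']}, not {vrf}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("fixed", CONFIG_FIXED)):
        print(f"[{label}]", *(lint(cfg) or ["no findings"]), sep="\n  ")
```

Run against the config as posted, the only findings are the two `server name` entries; with `server-private` the lint is clean. Removing the `vrf forwarding` line from the source interface, or the VRF default route, produces the corresponding finding, which is the kind of mismatch `debug tacacs` and `debug aaa authentication` on the router would otherwise have to reveal.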

Hi Balaji,

The VRF was configured first.
For test purposes I removed all TACACS configuration and put it back again, with the same results.

Recently I had to move authentication to a VRF and since then the TACACS authentication stopped working. <<--- What do you get on the client side when you try to connect to the router? (What logs do you see on the router and TACACS side?)

Debug commands to identify the issue if it is not working <<-- have you done this?

What TACACS server? (ISE / ACS?)

BB


Hello,

Looking at various configuration examples, they all use a loopback interface as the source. Not sure if that makes a difference, but give the below a try:

interface Loopback0
ip address 10.0.0.2 255.0.0.0
ip vrf forwarding cisco

!

ip tacacs source-interface Loopback0
