VRF and TACACS

cassinhee
Level 1

Our management network is reached via a VRF, and the IP address of the ACS also lives in that VRF. After the configuration below, the ACS doesn't seem to work and there are no reports on the ACS. Your help is appreciated!

client (NAS) configuration:

interface Vlan10
 ! assign the VRF before the address: applying "ip vrf forwarding" clears any address already on the interface
 ip vrf forwarding Virtual
 ip address 192.168.1.233
!
aaa authentication login new group tacacs+ local
aaa authorization exec new group tacacs+ local
aaa authorization commands 15 new group tacacs+ local
!
ip tacacs source-interface Vlan10
tacacs-server host 192.168.1.240
tacacs-server key key
!
line vty 0 4
 authorization commands 15 new
 authorization exec new
 login authentication new

I can ping from the source interface to the ACS via the VRF.

Thank you!

4 Replies

a.kiprawih
Level 7

Can you share the config?

Depending on your setup/design, please check the following config guide and sample for TACACS+ with VRF:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00806996cc.html

HTH

AK

taelon_x7
Level 1

I have had problems with this in the past as well. Do a debug on the TACACS packets and see if it complains about not having a route to the host.

Some of the devices do not support different VRFs for TACACS and only use the global VRF.

Define an AAA server group, indicate that it should use the correct VRF, then reference that group in your authentication configuration.

For example:

tacacs-server host 10.1.2.3 key cisco123
!
! the IOS keyword order is "aaa group server", and the VRF and source interface
! are set inside the group so the requests leave through that VRF
aaa group server tacacs+ tac-servers
 server 10.1.2.3
 ip vrf forwarding mumble
 ip tacacs source-interface Vlan10
!
aaa authentication login default group tac-servers local
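The approach in the reply above, carried through on the original poster's configuration as an added example (this is not code from either poster). It assumes IOS syntax in which `ip vrf forwarding` and `ip tacacs source-interface` are accepted inside the `aaa group server tacacs+` submode and `server-private` carries the key; the VRF name `Virtual`, the interface and the server address 192.168.1.240 come from the question, while the group name `tac-vrf`, the key `TACACS-KEY`, the /24 mask and the local `admin` account are placeholders.

```cisco
! VRF-aware TACACS+ for a NAS whose management interface sits in VRF "Virtual".
! Added example: VRF, interface and server address are from the question;
! group name, key, mask and local username are placeholders.
!
aaa new-model
!
interface Vlan10
 ip vrf forwarding Virtual
 ip address 192.168.1.233 255.255.255.0
!
! The server is defined inside a server group that carries the VRF.
! A plain global "tacacs-server host" is reached through the global routing
! table, which has no route to 192.168.1.240 here, so every request times out.
aaa group server tacacs+ tac-vrf
 server-private 192.168.1.240 key TACACS-KEY
 ip vrf forwarding Virtual
 ip tacacs source-interface Vlan10
!
! Method lists reference the group, not "group tacacs+".
aaa authentication login new group tac-vrf local
aaa authorization exec new group tac-vrf local
aaa authorization commands 15 new group tac-vrf local
aaa accounting exec default start-stop group tac-vrf
aaa accounting commands 15 default start-stop group tac-vrf
!
! "local" is consulted only when every server in the group is unreachable.
! With the servers unreachable, a local account logs in silently and the ACS
! records nothing, which is exactly what "no reports on the ACS" looks like.
username admin privilege 15 secret CHANGE-ME
!
line vty 0 4
 login authentication new
 authorization exec new
 authorization commands 15 new
 accounting exec default
 accounting commands 15 default
```

To confirm the packets now leave through the VRF, run `debug tacacs` and `debug aaa authentication` from a console session (not a vty that depends on the lists under test) and log in over a second vty; a request that is still routed through the global table shows up as a connect/route failure followed by the fall-through to `local`. `show tacacs` reports the socket errors and timeouts per server, and on platforms that support it `test aaa group tac-vrf <user> <password> legacy` exercises the group without opening a session.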