11-20-2006 08:42 AM - edited 03-10-2019 02:51 PM
Our management network is via VRF, and the IP address of the ACS also exists in the VRF. After the configuration, the ACS doesn't seem to work and there are no reports on the ACS. Below is the configuration. Your help is appreciated!
client:
interface vlan 10
 ip address 192.168.1.233
 ip vrf forwarding Virtual
aaa authentication login new group tacacs+ local
aaa authorization exec new group tacacs+ local
aaa authorization commands 15 new group tacacs+ local
ip tacacs source-interface vlan 10
tacacs-server host 192.168.1.240
tacacs-server key key
line vty 0 4
 authorization commands 15 new
 authorization exec new
 login authentication new
I can ping from the source interface to the ACS via VRF.
Thank you!
11-21-2006 02:00 AM
Can you share the config?
Depending on your setup/design, please check the following config guide and sample for TACACS+ with VRF:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00806996cc.html
HTH
AK
09-22-2011 08:50 AM
I have had problems with this in the past as well. Do a debug on the TACACS packets and see if it complains about not having a route to the host.
Some of the devices do not support different VRFs for TACACS and only use the global VRF.
09-23-2011 06:47 AM
Define an AAA server group, indicate to use the correct VRF, then reference that group in your authentication configuration.
For example:
tacacs-server host 10.1.2.3 key cisco123
aaa group server tacacs+ tac-servers
 server 10.1.2.3
 ip vrf forwarding mumble
 ip tacacs source-interface vlan10
aaa authentication login default group tac-servers local
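As an added example (not posted by anyone in this thread), the original poster's configuration rewritten around a VRF-aware TACACS+ server group, following the pattern in the last reply. It assumes the VRF name Virtual, server 192.168.1.240, source interface Vlan10 and key "key" from the first post; the /24 mask is an assumption, since the post gave none.

```cisco
! Added example: VRF-aware TACACS+ for the first post's setup (assumed values noted)
interface Vlan10
 ip vrf forwarding Virtual
 ! re-enter the address after binding the VRF: assigning the VRF clears it
 ip address 192.168.1.233 255.255.255.0   ! mask is an assumption
!
tacacs-server host 192.168.1.240 key key
!
aaa new-model
! the server group carries the VRF and source interface, so TACACS+
! packets are routed and sourced inside the management VRF
aaa group server tacacs+ TAC-VIRTUAL
 server 192.168.1.240
 ip vrf forwarding Virtual
 ip tacacs source-interface Vlan10
!
! method lists reference the group, not the plain "tacacs+" keyword
aaa authentication login new group TAC-VIRTUAL local
aaa authorization exec new group TAC-VIRTUAL local
aaa authorization commands 15 new group TAC-VIRTUAL local
!
line vty 0 4
 login authentication new
 authorization exec new
 authorization commands 15 new
```

With the group in place, `debug tacacs` (as suggested above) shows whether packets leave through the VRF and whether the server replies, and the `local` fallback keeps console/VTY access available if the ACS is unreachable.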