cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
796
Views
0
Helpful
4
Replies
Beginner

ACS authentication across VPN tunnel

We would like to enable ACS authentication to login to different  routers (Cisco 881s) we got that are interconnecting with our WAN via  VPN tunnels. We would like to avoid using public IP for the router to  communicate and relay user/password info with the ACS server and rely on  the server's private IP instead. The problem is that all the router's  outside interfaces connect to the Internet using public IPs and when the  router wants to communicate with the ACS server it will use its  public-facing interface IP and that'll fail. We can ping the server  obviously when we set the source to the internal LAN IP.

The question is is there a way to have the router communicate with ACS across the VPN tunnel using its private IP?

config being used and tested succesfully on local devices:

aaa new-model

tacacs-server host 10.x.x.x single-connection key xxxxxx

aaa authentication login tacacs-local group tacacs local

aaa authorization config-commands

aaa authorization commands x tacacs-local group tacacs+ if-authenticated

aaa authorization exec tacacs-local group tacacs+ if-authenticated

privilege exec level x show

line vty 0 4

login authentication tacacs-local

authorization exec tacacs-local

authorization commands x tacacs-local

- Pinging ACS from the router (connecting to WAN via VPN) when using the router's public IP as a source address:

RT881#ping 10.x.x.x

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

- Pinging ACS from the router (connecting to WAN via VPN) when using the LAN's private IP as a source address:

RT881#ping 10.x.x.x source 10.x.x.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:

Packet sent with a source address of 10.x.x.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 ms

Looking forward for your answers and suggestions.

Thanks, M.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hall of Fame Master

Re: ACS authentication across VPN tunnel

Have you tried the command ip TACACS source-interface

HTH

Rick

Sent from Cisco Technical Support iPhone App

HTH

Rick

View solution in original post

4 REPLIES 4
Highlighted
Advocate

ACS authentication across VPN tunnel

Add a "no-nat" acl to your config, with the src of the router and the dst of the ACS server.

Or try the below

tacacs-server host 10.x.x.x NAT single-connection key xxxxxx (this send the client request with the original source IP)

HTH>

Highlighted
Beginner

ACS authentication across VPN tunnel

i'll be testing this with TACACS this week but i am wondering if we can do the same with SYSLOG and TFTP where the router can use its LAN private IP as a source IP to send data via SYSLOG and TFTP thru the VPN tunnel.

Thanks,

Highlighted
Hall of Fame Master

Re: ACS authentication across VPN tunnel

Have you tried the command ip TACACS source-interface

HTH

Rick

Sent from Cisco Technical Support iPhone App

HTH

Rick

View solution in original post

Highlighted
Beginner

ACS authentication across VPN tunnel

Perfect! this is the command i've been looking for. I also found the same for TFTP but not syslog though. any clue how to force the source address for syslog?

I just tested it with TFTP and it worked great.

Thanks Richard!

CreatePlease to create content