12-14-2018 08:03 AM - edited 03-05-2019 11:06 AM
I'm having a really difficult time getting TACACS working on a new ASR1001x.
I have the device cabled on the management interface and I can ping the TACACS server. Management interface is in the Mgmt-intf VRF. Here is a copy of my config, where am I wrong? I can SSH to the device and use local creds to gain access.
aaa new-model
!
!
aaa group server tacacs+ TACACS1
 server name DV-ACS-1
!
aaa authentication login default group TACACS1 local
aaa authorization exec default group TACACS1 local none
aaa authorization commands 15 default group TACACS1 local none
aaa accounting exec default start-stop group TACACS1
aaa accounting commands 15 default start-stop group TACACS1
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.206.40.95 255.255.255.0
 negotiation auto
tacacs server DV-ACS-1
 address ipv4 10.162.0.11
 key <key>
 timeout 5
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.206.40.1
ip tacacs source-interface GigabitEthernet0
line vty 0 4
 session-timeout 120
 exec-timeout 120 0
 transport input ssh
line vty 5 15
 exec-timeout 120 0
 privilege level 15
 transport input ssh
12-14-2018 08:13 AM
I think that you probably need something like ip vrf forwarding vrf-name under the tacacs server config.
HTH
Rick
12-14-2018 08:48 AM
I found this link and basically copied it exactly and now it seems to be working. I guess I need this server-private ... anyway, maybe someone else will stumble across this post one day and see how to resolve the issue...
http://blog.monkeyrouter.com/2014/04/tacacs-over-management-vrf.html
<--- Enable AAA --->
aaa new-model
<--- Create an AAA TACACS server group --->
aaa group server tacacs+ [ACS_GROUP]
 server-private [TACACS_SERVER1] timeout 3 key [TACACS_KEY]
 server-private [TACACS_SERVER2] timeout 3 key [TACACS_KEY]
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0
aaa authentication login default group [ACS_GROUP] local
aaa authentication login console group [ACS_GROUP] local
aaa authorization console
aaa authorization exec default group [ACS_GROUP]
aaa accounting exec default start-stop group [ACS_GROUP]
aaa accounting commands 1 default start-stop group [ACS_GROUP]
aaa accounting commands 15 default start-stop group [ACS_GROUP]
aaa accounting connection default start-stop group [ACS_GROUP]
aaa accounting system default start-stop group [ACS_GROUP]
<--- Send TACACS traffic to the Mgmt interface --->
ip tacacs source-interface GigabitEthernet0/0
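The root cause in this thread is a mismatch between the VRF the TACACS+ source interface sits in (Mgmt-intf) and the VRF the server group uses (none, i.e. the global table), so the AAA packets never leave via the management interface. That mismatch is easy to catch offline before a device is deployed. The following is an added example, written for this page and not taken from the thread, from the monkeyrouter blog or from Cisco: a small Python checker that parses IOS/IOS-XE running-config text and flags any `aaa group server tacacs+` whose `ip vrf forwarding` does not match the VRF of the source interface it will send from (the group's own `ip tacacs source-interface`, or the global one if the group has none). The two sample configs are constructed for the example: one is a trimmed copy of the original poster's broken config, the other the same device rewritten in the blog's `server-private` plus `ip vrf forwarding` pattern. The function names and the finding tuple format are the example's own choices.

```python
import re

# Constructed sample: a trimmed copy of the original poster's config before
# the fix. The source interface is in Mgmt-intf but the server group is not.
BROKEN_CONFIG = """\
aaa new-model
aaa group server tacacs+ TACACS1
 server name DV-ACS-1
aaa authentication login default group TACACS1 local
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.206.40.95 255.255.255.0
tacacs server DV-ACS-1
 address ipv4 10.162.0.11
 key <key>
 timeout 5
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.206.40.1
ip tacacs source-interface GigabitEthernet0
"""

# Constructed sample: the same device after applying the blog's pattern
# (server-private plus ip vrf forwarding inside the server group).
FIXED_CONFIG = """\
aaa new-model
aaa group server tacacs+ TACACS1
 server-private 10.162.0.11 timeout 3 key <key>
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
aaa authentication login default group TACACS1 local
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.206.40.95 255.255.255.0
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.206.40.1
ip tacacs source-interface GigabitEthernet0
"""


def parse_sections(config):
    """Split IOS-style text into (header, [subcommands]) pairs.

    Top-level commands start in column 0; subcommands are indented by one
    space, which is how IOS/IOS-XE prints a running config. Blank lines
    and '!' separators are dropped.
    """
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def interface_vrfs(sections):
    """Map interface name -> VRF name (None means the global routing table).

    Accepts both the IOS 'ip vrf forwarding' and IOS-XE 'vrf forwarding' forms.
    """
    vrfs = {}
    for header, subs in sections:
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        vrfs[name] = None
        for sub in subs:
            m = re.match(r"(?:ip )?vrf forwarding (\S+)$", sub)
            if m:
                vrfs[name] = m.group(1)
    return vrfs


def tacacs_group_vrf_findings(config):
    """Return one (group, source_interface, interface_vrf, group_vrf) tuple
    per TACACS+ server group whose VRF differs from the VRF of the interface
    its packets are sourced from. An empty list means all groups agree.
    """
    sections = parse_sections(config)
    vrfs = interface_vrfs(sections)

    # The global source interface applies to any group that does not pin its own.
    global_src = None
    for header, _ in sections:
        m = re.match(r"ip tacacs source-interface (\S+)$", header)
        if m:
            global_src = m.group(1)

    findings = []
    for header, subs in sections:
        m = re.match(r"aaa group server tacacs\+ (\S+)$", header)
        if not m:
            continue
        group = m.group(1)
        group_vrf = None          # no 'ip vrf forwarding' -> global table
        group_src = global_src
        for sub in subs:
            mv = re.match(r"ip vrf forwarding (\S+)$", sub)
            if mv:
                group_vrf = mv.group(1)
            ms = re.match(r"ip tacacs source-interface (\S+)$", sub)
            if ms:
                group_src = ms.group(1)
        if group_src is None:
            continue              # nothing pinned, nothing to compare
        iface_vrf = vrfs.get(group_src)
        if iface_vrf != group_vrf:
            findings.append((group, group_src, iface_vrf, group_vrf))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, tacacs_group_vrf_findings(cfg) or "ok")
```

Run against the broken sample it reports `('TACACS1', 'GigabitEthernet0', 'Mgmt-intf', None)`, which is exactly the gap Rick pointed at; against the fixed sample it reports nothing. On the device itself the same condition shows up as the server never answering: `show tacacs` will count sent packets with no replies, and `test aaa group TACACS1 <user> <password> new-code` lets you exercise the group without logging out of your working session.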
12-14-2018 09:56 AM
Thanks for the update. It is good to know that you found a link with a helpful example and that your configuration is now working. And thanks for sharing the link.
HTH
Rick
05-05-2020 05:47 PM
Thank you so much for posting this! This worked for my 9800 WLC!!! TAC couldn't even help me on this!
Extremely appreciative!!!
09-07-2022 12:54 PM
Another THANK YOU for posting this! This resolved my issue as well on 9200 & 9300 switches.
It seems that the monkeyrouter.com blog is now defunct, but the configuration commands above are accurate.