TACACS auth on Mgmt interface

cheeseburger
Level 1

I'm having a really difficult time getting TACACS working on a new ASR1001x. 

I have the device cabled on the management interface and I can ping the TACACS server. Management interface is in the Mgmt-intf VRF. Here is a copy of my config, where am I wrong? I can SSH to the device and use local creds to gain access. 

aaa new-model
!
!
aaa group server tacacs+ TACACS1
server name DV-ACS-1
!
aaa authentication login default group TACACS1 local
aaa authorization exec default group TACACS1 local none
aaa authorization commands 15 default group TACACS1 local none
aaa accounting exec default start-stop group TACACS1
aaa accounting commands 15 default start-stop group TACACS1

interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.206.40.95 255.255.255.0
negotiation auto

tacacs server DV-ACS-1
address ipv4 10.162.0.11
key <key>
timeout 5

ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.206.40.1
ip tacacs source-interface GigabitEthernet0

line vty 0 4
session-timeout 120
exec-timeout 120 0
transport input ssh
line vty 5 15
exec-timeout 120 0
privilege level 15
transport input ssh

5 Replies

Richard Burts
Hall of Fame

I think that you probably need something like ip vrf forwarding vrf-name under the tacacs server config.

HTH

Rick

cheeseburger
Level 1

I found this link and basically copied it exactly and now it seems to be working. I guess I need this server-private ... anyway, maybe someone else will stumble across this post one day and see how to resolve the issue... 

http://blog.monkeyrouter.com/2014/04/tacacs-over-management-vrf.html

<--- Enable AAA --->
aaa new-model

<--- Create an AAA TACACS server group --->
aaa group server tacacs+ [ACS_GROUP]
 server-private [TACACS_SERVER1] timeout 3 key [TACACS_KEY]
 server-private [TACACS_SERVER2] timeout 3 key [TACACS_KEY]
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0

aaa authentication login default group [ACS_GROUP] local
aaa authentication login console group [ACS_GROUP] local
aaa authorization console
aaa authorization exec default group [ACS_GROUP]
aaa accounting exec default start-stop group [ACS_GROUP]
aaa accounting commands 1 default start-stop group [ACS_GROUP]
aaa accounting commands 15 default start-stop group [ACS_GROUP]
aaa accounting connection default start-stop group [ACS_GROUP]
aaa accounting system default start-stop group [ACS_GROUP]

<--- Send TACACS traffic to the Mgmt interface --->
ip tacacs source-interface GigabitEthernet0/0
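The template above applied to the names and addresses from the original post, as an added example that is not part of the thread or of the linked blog. It assumes the same server (10.162.0.11), group name (TACACS1), VRF (Mgmt-intf) and management interface (GigabitEthernet0) as the first post; <key> stays a placeholder. The one structural change from the original configuration is that the server is defined with server-private inside the group, so the VRF and source-interface lines in the group apply to it:

```ios
! Added example: original post's config with the VRF binding moved into the server group.
! Names and addresses are the ones from the first post; <key> is a placeholder.
aaa new-model
!
aaa group server tacacs+ TACACS1
 ! server-private keeps the server inside the group, so the two lines below bind
 ! its traffic to the management VRF and the management interface
 server-private 10.162.0.11 timeout 5 key <key>
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
!
! Method lists kept exactly as in the original post
aaa authentication login default group TACACS1 local
aaa authorization exec default group TACACS1 local none
aaa authorization commands 15 default group TACACS1 local none
aaa accounting exec default start-stop group TACACS1
aaa accounting commands 15 default start-stop group TACACS1
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.206.40.95 255.255.255.0
 negotiation auto
!
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.206.40.1
!
! Checks to run from an exec session before relying on the server (constructed
! usernames/passwords, assumed to be test credentials on the TACACS server):
! ping vrf Mgmt-intf 10.162.0.11
! test aaa group TACACS1 <username> <password> new-code
! show tacacs
```

On IOS-XE the same two group-level lines (ip vrf forwarding and ip tacacs source-interface) can also be combined with server name DV-ACS-1 referencing the existing tacacs server block, which is the form Rick's reply points at; either way, the VRF binding has to sit in the group, not only as a global ip tacacs source-interface. The trailing none on the two authorization lists is carried over from the original post: it means authorization is granted without a check when every earlier method is unavailable, so it is a lockout safeguard that should be a deliberate choice, and test aaa group plus show tacacs are the quick way to confirm the server is actually being reached over the VRF rather than silently falling through to it.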

Thanks for the update. It is good to know that you found a link with a helpful example and that your configuration is now working. And thanks for sharing the link.

HTH

Rick

Thank you so much for posting this!  This worked for my 9800 WLC!!!  TAC couldn't even help me on this!

Extremely appreciative!!!

BlackSharpie
Level 1

Another THANK YOU for posting this! This resolved my issue as well on 9200 & 9300 switches.

It seems that the monkeyrouter.com blog is now defunct, but the configuration commands above are accurate.
