3650 management interface aaa authentication

harolddauncey
Level 1

Hello everyone! 

I am having a really odd issue while attempting to set up some 3650s. We would like to use these switches as DMZ/external switches for layer 2 distribution of Internet and DMZ VLANs. We are trying to set up management access on the management interface and can't get AAA to work. We use a simple RADIUS server config for authorization, but it just will not work. Called TAC and after hours they said that AAA auth isn't supported on the mgmt interface because the interface has to belong to the Mgmt-vrf. For some reason I have a hard time believing this. Has anyone else run into this problem? Also, what about TACACS? Is that also a limitation on the management interface?

Thanks for any and all help!!!

Harold 

5 Replies

Reza Sharifi
Hall of Fame

Hi Harold,

What TAC told you is correct. If you are trying to use the out-of-band management interface of the switch, it has to be in Mgmt-vrf. If you have extra regular ports, you can use any of them as a management port.

HTH

I understand that it has to be in the Mgmt-vrf. I'm just confused about whether you can or can't perform TACACS or AAA over the interface. Isn't it a little odd that on a management port you can't do management tasks using technologies such as TACACS or RADIUS AAA?

For TACACS try something like this:

! the group name was missing in the original; pick one and reference it in the aaa method lists
aaa group server tacacs+ <group-name>
 ! key 7 is reversible obfuscation, not encryption: never paste a real type 7 key into a public post
 server-private xx.xx.xx.xx key 7 13472043243F332638261863263652
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0

HTH

What you're doing will work, as we have it set up. All our mgmt traffic is segregated as best practice these days; IOS-XE and NX-OS are all set like this now for mgmt traffic, to isolate it through a VRF.

Don't forget your default route as well for the MGMT interface:

ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 x.x.x.x

interface GigabitEthernet0/0
 description ** Network Management Interface **
 vrf forwarding Mgmt-vrf
 ip address x.x.x.x 255.255.255.0

! aaa new-model was not in the original post; the aaa lines below are ignored without it
aaa new-model
aaa authentication login default group xxxx+ local enable
aaa authentication enable default group xxxx+ enable
aaa authorization exec default group xxxx+ local
aaa accounting exec default start-stop group xxxx+

! xxxx+ is the server-group name; the shared key belongs on the global tacacs-server definition, not shown here
aaa group server tacacs+ xxxx+
 server x.x.x.x
 ip vrf forwarding Mgmt-vrf

vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family

And if you want other MGMT traffic like NTP, you source it from the VRF:

ntp source GigabitEthernet0/0

ntp server vrf Mgmt-vrf x.x.x.x

Awesome! That was it. Cleaned out all of the aaa config and used this example. Works like a charm. Thanks so much for the great info!
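As an added check, not part of the original thread: a small Python audit that parses an IOS-XE config laid out the way the accepted answer has it and verifies the points that actually bite in this setup. The server group carries ip vrf forwarding, its source interface sits in that same VRF, the VRF has a default route, the login method list keeps a local fallback, and any key 7 is flagged because type 7 is reversible obfuscation rather than encryption. The interface and VRF names come from the answer; the server-group names, RFC 5737 addresses and keys are constructed placeholders, and the two embedded configs are made up for the demonstration.

```python
"""Audit an IOS-XE config for VRF-aware AAA on the management port.
Added example, not from the thread. Interface, VRF and method lists follow the
accepted answer; addresses (RFC 5737), group names and keys are constructed."""
import re


def parse_blocks(config):
    """Split IOS config into (top-level command, [sub-mode lines]); '!' lines are separators."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):  # IOS indents sub-mode commands by one space
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def audit(config):
    """Return findings; an empty list means group, VRF, source interface and fallback agree."""
    blocks = parse_blocks(config)
    tops = [h for h, _ in blocks]
    findings = []
    if "aaa new-model" not in tops:
        findings.append("aaa new-model missing: the aaa authentication/authorization lines are inert")
    # interface -> VRF (None = global table); IOS-XE says 'vrf forwarding', older IOS 'ip vrf forwarding'
    vrf_re = re.compile(r"(ip )?vrf forwarding (\S+)$")
    iface_vrf = {}
    for head, kids in blocks:
        m = re.match(r"interface (\S+)", head)
        if m:
            hits = [vrf_re.match(k).group(2) for k in kids if vrf_re.match(k)]
            iface_vrf[m.group(1)] = hits[-1] if hits else None

    # VRFs that have a default route: the step the accepted answer says not to forget
    routed = {m.group(1) for h in tops if (m := re.match(r"ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+", h))}
    groups = {m.group(2): kids for head, kids in blocks
              if (m := re.match(r"aaa group server (tacacs\+|radius) (\S+)", head))}
    # Method lists: every referenced group must exist, and 'local' keeps an unreachable server from locking you out
    for head in tops:
        m = re.match(r"aaa authentication login (\S+) (.+)", head)
        if not m:
            continue
        name, toks = m.group(1), m.group(2).split()
        if "local" not in toks:
            findings.append(f"login list {name}: no 'local' fallback; an unreachable AAA server means lockout")
        for i, t in enumerate(toks[:-1]):
            if t == "group" and toks[i + 1] not in groups:
                findings.append(f"login list {name}: server group {toks[i + 1]} is not defined")

    # Server groups: the answer's point is the VRF binding plus a source interface in that same VRF
    for name, kids in groups.items():
        vrf = next((vrf_re.match(k).group(2) for k in kids if vrf_re.match(k)), None)
        src = next((k.split()[-1] for k in kids if re.match(r"ip (tacacs|radius) source-interface \S+$", k)), None)
        if any(re.search(r"\bkey 7 ", k) for k in kids):
            findings.append(f"group {name}: type 7 key is reversible obfuscation, not encryption; a pasted config discloses it")
        if vrf is None:
            findings.append(f"group {name}: no 'ip vrf forwarding'; AAA packets use the global table, not the management VRF")
            continue
        if src is not None and iface_vrf.get(src) != vrf:
            findings.append(f"group {name}: source-interface {src} is in VRF {iface_vrf.get(src)} but the group is in {vrf}")
        if vrf not in routed:
            findings.append(f"group {name}: VRF {vrf} has no default route (fine only if the server is on a connected subnet)")
    return findings


# Constructed sample mirroring the accepted answer, with documentation addresses in place of x.x.x.x.
GOOD_CONFIG = """
aaa new-model
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.0.2.10 255.255.255.0
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.0.2.1
aaa group server tacacs+ MGMT-TACACS
 server-private 192.0.2.50 key 0 ExampleSharedSecret
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0
aaa authentication login default group MGMT-TACACS local enable
aaa authorization exec default group MGMT-TACACS local
"""

# Constructed counter-example: group not bound to the VRF, type 7 key, no local fallback.
BAD_CONFIG = """
aaa new-model
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.0.2.10 255.255.255.0
aaa group server tacacs+ DMZ-TACACS
 server-private 192.0.2.50 key 7 0822455D0A16
 ip tacacs source-interface GigabitEthernet0/0
aaa authentication login default group DMZ-TACACS
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or ["OK"])
```

Run it against a saved show running-config before cutting the box over; the good sample returns no findings, the counter-example returns three, and swapping the source interface for one outside Mgmt-vrf reproduces the exact failure the original poster hit.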