08-04-2011 06:37 PM - edited 03-07-2019 01:33 AM
Hello,
I am trying to set up the management VRF on the 4948 10GE so that my TACACS requests will use that VRF for out-of-band purposes. The VRF is working properly because I can ping the TACACS server using the VRF, but the logins do not work. I see this error in the TACACS debug:
TPLUS(00000016)/0: Connect Error No route to host
Looking at the release notes, it states that my version (12.2.54 SG1) does support VRF-aware TACACS, but the documentation seems to be a bit off because I do not get a server-private command option, as stated in the configuration doc, after configuring a TACACS server group.
Here is my config:
ip vrf mgmtVrf
rd X:X
!
interface FastEthernet1
ip vrf forwarding mgmtVrf
ip address x.x.x.x x.x.x.x
speed auto
duplex auto
!
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 x.x.x.x
!
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key xxxx
!
08-05-2011 06:41 AM
Hi,
Can you try adding the source command and test again?
ip tacacs source-interface FastEthernet1
HTH
08-05-2011 07:02 AM
I am sorry, that command is in my configuration but I missed it when posting to the forum.
08-05-2011 07:39 AM
Have you configured AAA group?
Before configuring per VRF on a TACACS+ server, you must have configured AAA and a server group. Then you are ready to create the VRF routing table, as shown in Steps 3 and 4 of the DETAILED STEPS table below. At that point, you need to configure the interface, which is shown in Steps 6, 7, and 8 of the table. The actual configuration of per VRF on a TACACS+ server is configured in Steps 10 through 13 of the table.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_pvt.html#wp1050994
08-05-2011 07:55 AM
Yes, sure have.
09-12-2011 07:55 AM
BUMP.
Does anyone have a guess as to why this is not working? I am thinking that this feature is not valid for the 4948 10GE.
10-01-2012 03:04 AM
You have to define a new group with VRF capabilities and announce it in the aaa statement.
Example:
! assumes aaa new-model is already configured; server address and key are the placeholders used earlier in the thread
aaa group server tacacs+ mgmtVrfTac
 server-private x.x.x.x key xxxx
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
!
aaa authentication login default group mgmtVrfTac line
aaa authorization exec default group mgmtVrfTac none
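The following is an added, illustrative configuration assembled for this thread, not something any participant posted. It lines up the three pieces that have to agree for TACACS+ to leave through the management VRF (the VRF itself, the server group bound to that VRF, and the AAA method lists that reference the group), explains why the original global-table configuration produces the "No route to host" connect error, and lists the checks to run at each step. The group name, server address, key, interface and the local username are placeholders; whether `server-private` is accepted under a tacacs+ server group on 12.2(54)SG is exactly what the original poster could not confirm, so that is an assumption here, as is the choice of `local` and `if-authenticated` fallbacks.

```cisco
! --- Why the original config fails --------------------------------------
! A global "tacacs-server host x.x.x.x" is resolved in the global routing
! table. "ip tacacs source-interface FastEthernet1" only picks the source
! address; it does not move the route lookup into mgmtVrf. With no global
! default route the TCP connect fails:
!   TPLUS(00000016)/0: Connect Error No route to host
!
! --- Management VRF (same as the thread) --------------------------------
ip vrf mgmtVrf
 rd X:X
!
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 ip address x.x.x.x x.x.x.x
!
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 x.x.x.x
!
! --- VRF-aware TACACS+ server group (assumed to be accepted here) -------
aaa new-model
!
aaa group server tacacs+ mgmtVrfTac
 server-private x.x.x.x key xxxx
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
!
! Reference the group from the method lists. A local account is the
! fallback so that an unreachable TACACS+ server cannot lock you out of the
! out-of-band path, and "none" is never the authorization answer.
! (placeholder account; use a strong secret)
username admin privilege 15 secret <strong-secret>
aaa authentication login default group mgmtVrfTac local
aaa authorization exec default group mgmtVrfTac if-authenticated
!
! --- Checks, in the order that isolates the fault -----------------------
! 1. Does the VRF have a path to the server?   show ip route vrf mgmtVrf
! 2. Is the server reachable inside the VRF?   ping vrf mgmtVrf x.x.x.x
! 3. Is the group really bound to the VRF?     show run | section aaa group
! 4. Watch the connect attempt from a second   debug tacacs
!    session; a working setup no longer logs
!    "Connect Error No route to host".
```

Two points worth keeping in mind with this layout. `server-private` scopes both the server entry and its key to the group, so the global `tacacs-server host` / `tacacs-server key` lines are not used for that server and can be removed once the group works; a server defined only globally stays in the global routing table no matter what source interface is set. And the fallback methods are a security trade-off: `line` or `none` after the group, as in the post above, means that when the TACACS+ server is unreachable anyone with the line password gets an exec shell with no authorization, whereas a local privileged account keeps both authentication and accountability on the box.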
12-04-2012 03:06 AM
Restrictions for Per VRF AAA
•This feature is supported only for RADIUS servers.
•Operational parameters should be defined once per VRF rather than set per server group, because all functionalities must be consistent between the network access server (NAS) and the AAA servers.
•The ability to configure a customer template either locally or remotely is available only for Cisco IOS Release 12.2(15)T and later releases.
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftvrfaaa.html#wp1049186