4948-10GE TACACS VRF Issue

taelon_x7
Level 1

Hello,

I am trying to setup the management vrf on the 4948 10GE so that my TACACS requests will use that vrf for out-of-band purposes. The vrf is working properly because I can ping the TACACS server using the vrf but the logins do not work. I see this error in the tacacs debug:

TPLUS(00000016)/0: Connect Error No route to host

Looking at the release notes, it states that my version (12.2.54 SG1) does support vrf aware tacacs but the documentation seems to be a bit off because i do not get a server private command option as stated in the configuration doc after configuring a tacacs server group:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/vrf.html#wp1084143

Here is my config:

ip vrf mgmtVrf
 rd X:X
!
interface FastEthernet1
 ip vrf forwarding mgmtVrf
 ip address x.x.x.x
 speed auto
 duplex auto
!
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 x.x.x.x
!
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key xxxx
!

7 Replies

Reza Sharifi
Hall of Fame

Hi,

Can you try adding the source command and test again?

ip tacacs source-interface FastEthernet1

HTH

I am sorry, that command is in my configuration but I missed it when posting to the forum.

Have you configured an AAA group?

Configuring Per VRF on a TACACS+ Server

Before configuring per VRF on a TACACS+ server, you must have configured AAA and a server group. Then you are ready to create the VRF routing table, as shown in Steps 3 and 4 of the DETAILED STEPS table below. At that point, you need to configure the interface, which is shown in Steps 6, 7, and 8 of the table. The actual configuration of per VRF on a TACACS+ server is configured in Steps 10 through 13 of the table.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_pvt.html#wp1050994

Yes, sure have.

BUMP.

Does anyone have a guess as to why this is not working? I am thinking that this feature is not valid for the 4948 10GE.

You have to define a new group with VRF capabilities and announce it in the aaa statement.

Example (the server-private line takes the server address first; x.x.x.x stands for the TACACS+ server):

aaa group server tacacs+ mgmtVrfTac
 server-private x.x.x.x key 7 ********
 ip vrf forwarding mgmtVrf
 ip tacacs source-interface FastEthernet1
!
aaa authentication login default group mgmtVrfTac line
aaa authorization exec default group mgmtVrfTac none
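A small audit of the two configurations in this thread, added here as an example that is not from the original posts or from Cisco: it parses IOS-style config text and reports why TACACS+ would not be sourced from the management VRF (no VRF-aware server group, no server-private entry, source interface not in the VRF, or a group no aaa line references). The config samples and the 192.0.2.x addresses are constructed placeholders.

```python
import re

# Constructed samples: the poster's config (placeholder 192.0.2.x addresses), then the thread's fix.
BROKEN_CONFIG = "\n".join([
    "interface FastEthernet1", " ip vrf forwarding mgmtVrf",
    "tacacs-server host 192.0.2.50", "ip tacacs source-interface FastEthernet1",
])
FIXED_CONFIG = BROKEN_CONFIG + "\n" + "\n".join([
    "aaa group server tacacs+ mgmtVrfTac", " server-private 192.0.2.50 key xxxx",
    " ip vrf forwarding mgmtVrf", " ip tacacs source-interface FastEthernet1",
    "aaa authentication login default group mgmtVrfTac line",
])

def parse_blocks(config):
    blocks = []  # (command, [indented sub-commands]); blank lines and "!" are skipped
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_tacacs_vrf(config, vrf):  # findings explaining why TACACS+ would not leave via `vrf`
    blocks = parse_blocks(config)
    iface_vrf, groups = {}, {}
    for cmd, subs in blocks:
        if m := re.match(r"interface (\S+)", cmd):
            iface_vrf[m.group(1)] = next((s.split()[-1] for s in subs
                                          if s.startswith("ip vrf forwarding ")), None)
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", cmd):
            groups[m.group(1)] = subs
    vrf_groups = [g for g, subs in groups.items() if f"ip vrf forwarding {vrf}" in subs]
    if not vrf_groups:  # global tacacs-server host entries are not VRF-aware
        return [f"no 'aaa group server tacacs+' with 'ip vrf forwarding {vrf}'"]
    findings = []
    for g in vrf_groups:
        subs = groups[g]
        if not any(s.startswith("server-private ") for s in subs):
            findings.append(f"group {g}: no server-private entry")
        src = next((s.split()[-1] for s in subs if s.startswith("ip tacacs source-interface ")), None)
        if src is None:
            findings.append(f"group {g}: no ip tacacs source-interface")
        elif iface_vrf.get(src) != vrf:
            findings.append(f"group {g}: source-interface {src} is not in vrf {vrf}")
        if not any(re.match(rf"aaa (authentication|authorization) .*\bgroup {re.escape(g)}\b", c)
                   for c, _ in blocks):
            findings.append(f"group {g}: not referenced by any aaa authentication/authorization line")
    return findings
```

Run it against a `show running-config` capture to see which of the thread's requirements is missing before turning on `debug tacacs`.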

Bilal Nawaz
VIP Alumni

Restrictions for Per VRF AAA

This feature is supported only for RADIUS servers.

Operational parameters should be defined once per VRF rather than set per server group, because all functionalities must be consistent between the network access server (NAS) and the AAA servers.

The ability to configure a customer template either locally or remotely is available only for Cisco IOS Release 12.2(15)T and later releases.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftvrfaaa.html#wp1049186

Please rate useful posts & remember to mark any solved questions as answered. Thank you.