08-02-2021 11:52 PM
Hello
So I'm able to request NTP through the mgmt-vrf with gig0/0 as the mgmt physical interface:
ntp source GigabitEthernet0/0
ntp server vrf Mgmt-vrf 10.12.17.20
ntp server vrf Mgmt-vrf 10.12.16.61
But it does not seem to allow TACACS or RADIUS through the mgmt-vrf:
DRF312cisco-WWW(config-server-tacacs)#address ipv4 10.12.12.45 ?
<cr> <cr>
DRF312cisco-WWW(config-server-tacacs)#address ipv4 10.12.12.45
Nowhere does it allow me to add it to the Mgmt-vrf like the NTP server.
Any thoughts on how to get it to ride on the mgmt-vrf? This is the only port I would like to touch the internal network. All other interfaces would be public facing.
Thank you.
08-03-2021 02:08 AM
Hi there,
The option to specify the VRF can be configured under the aaa server-group:
!
aaa group server tacacs+ FOO
 server-private 10.12.12.45 key foobar
 ip vrf forwarding mgmt-vrf
 ip tacacs source-interface gi0/0
!
cheers,
Seb.
08-03-2021 02:28 AM
Thanks Seb - not sure how I missed this in the documentation - could I ask what document you saw this in? Was it the System management or the Network management one?
Much appreciated.
John
08-03-2021 03:41 AM
Hi John,
Take a look here:
cheers,
Seb.
08-04-2021 12:20 PM
Thanks Seb - how can we encrypt the password after the word key? If I use type 6 it is invalid. Would be nice to encrypt "foobar".
aaa group server tacacs+ ClearPass
server-private 10.120.0.85 key 9 foobar
server-private 10.12.16.137 key 9 foobar
ip vrf forwarding Mgmt-vrf
ip tacacs source-interface GigabitEthernet0/0
08-04-2021 03:44 PM
@JohnRosso3555 wrote:
how can we encrypt the password after the word key? If I use type 6 it is invalid. Would be nice to encrypt "foobar".
password encryption aes
key config-key password-encrypt
08-04-2021 04:27 PM
Hi Paul - being that these commands are global level, won't they overwrite the Type 9 passwords I have for the local username and also for the enable secret? Currently I have these set:
enable secret 9 "encrypted password right here"
username hphnetadm secret 9 "encrypted password right here"
Thank you
John
08-04-2021 05:58 PM - edited 08-04-2021 06:04 PM
Hello
No, it's used to encrypt all crypto pre-shared keys. However, it seems to also perform encryption on all other passwords without applying the "old" service password-encryption feature. So in your case the local username type 9 secret will be the same, and so should the tacacs server key, but you should see it apply encryption on your tacacs server type 6 key in the run config.
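Pulling the thread's pieces together, here is an added example (not any poster's configuration) of the full IOS/IOS-XE sequence: master key and AES storage first, then the VRF-aware TACACS+ group from John's post, then the AAA method lists that actually use it. The master key value, the method lists, the test user and the `show`/`test` verification commands are my assumptions; the server addresses, group name, VRF and source interface are taken from the thread.

```text
! Global config. Set the master key and enable AES storage BEFORE typing any
! server key; otherwise the key is stored without type-6 protection.
! <MASTER-KEY> is a placeholder, not a real value.
key config-key password-encrypt <MASTER-KEY>
password encryption aes
!
aaa new-model
!
! TACACS+ servers reached only through the management VRF on Gi0/0.
! Keys are typed in clear; the running-config will then show "key 6 <ciphertext>".
aaa group server tacacs+ ClearPass
 server-private 10.120.0.85 key foobar
 server-private 10.12.16.137 key foobar
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0
!
! Bind the group to login and exec AAA, with local fallback if TACACS+
! is unreachable so the management path cannot lock you out.
aaa authentication login default group ClearPass local
aaa authorization exec default group ClearPass local
!
! Verification, from privileged EXEC:
! 1) the server-private lines should now read "key 6 ..." rather than "key foobar";
! 2) the probe should report a pass/fail reply from a server through the VRF.
show running-config | section aaa group server
test aaa group ClearPass <user> <password> new-code
```

If the `key 6` lines do not appear, the master key was set after the server keys were entered; re-enter the keys so they are encrypted on write.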