CAT 9500-16x Gibraltar 16.12.4 and TACACS+

JohnRosso3555
Level 1

Hello

 

So I'm able to request NTP through the mgmt-vrf with gig0/0 as the mgmt physical interface:

 

ntp source GigabitEthernet0/0
ntp server vrf Mgmt-vrf 10.12.17.20
ntp server vrf Mgmt-vrf 10.12.16.61

 

But it does not seem to allow TACACS or RADIUS through the mgmt-vrf:

DRF312cisco-WWW(config-server-tacacs)#address ipv4 10.12.12.45 ?
<cr> <cr>

DRF312cisco-WWW(config-server-tacacs)#address ipv4 10.12.12.45

 

 

Nowhere does it allow me to add it to the Mgmt-vrf like the NTP server.

 

Any thoughts on how to get it to ride on the mgmt-vrf? This is the only port I would like to touch the internal network. All other interfaces would be open to the public facing.

 

Thank you.

 

 


7 Replies

Seb Rupik
VIP Alumni

Hi there,

The option to specify the VRF can configured under the aaa server-group

!
aaa group server tacacs+ FOO
 server-private 10.12.12.45 key foobar
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface gi0/0
!

cheers,

Seb.
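A fuller version of the group-level VRF setting above, as an added example that is not from the original post or from Cisco documentation: the TACACS+ group is bound to Mgmt-vrf and sourced from the management port, the AAA method lists are pointed at that group, and the last lines list the commands used to confirm the device actually reaches the server through the VRF. The group name ClearPass is taken from later in the thread; the key is a placeholder and the method-list choices are assumptions.

```cisco
! Added example (not from the original thread): TACACS+ reachable only via Mgmt-vrf.
aaa new-model
!
! VRF and source interface are properties of the server group, not of the
! server address; that is why 'address ipv4 ...' offers no VRF keyword.
aaa group server tacacs+ ClearPass
 server-private 10.12.12.45 key REPLACE-WITH-REAL-KEY
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0
!
! Use the VRF-scoped group for login and exec authorization. The trailing
! 'local' is only consulted when no server in the group answers, not when a
! server rejects the user.
aaa authentication login default group ClearPass local
aaa authorization exec default group ClearPass local if-authenticated
aaa accounting exec default start-stop group ClearPass
!
! Verification from exec mode (replace the credentials with a real account):
!   test aaa group ClearPass <user> <password> new-code
!   show aaa servers
!   show tacacs
```

The source interface named in the group must itself sit in Mgmt-vrf (GigabitEthernet0/0 does by default on this platform); if it is moved to another VRF the TACACS+ packets will be sourced from an address the server does not expect and the `test aaa group` command will report a timeout rather than a reject.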

Thanks Seb - not sure how I missed this in the documentation. Could I ask which document you saw this in? Was it the System management or the Network management one?

 

Much appreciated.

John

Thanks Seb - how can we encrypt the password after the word key? If I use type 6 it is invalid. Would be nice to encrypt "foobar". 

 

aaa group server tacacs+ ClearPass
 server-private 10.120.0.85 key 9 foobar
 server-private 10.12.16.137 key 9 foobar
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0

@JohnRosso3555 wrote:

 how can we encrypt the password after the word key? If I use type 6 it is invalid. Would be nice to encrypt "foobar".

key config-key password-encrypt
password encryption aes


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul - being that these commands are global level, won't they overwrite the Type 9 passwords I have for local username and also for the enable secret. Currently I have these set:

 

enable secret 9 "encrypted password right here"

username hphnetadm secret 9 "encrypted password right here"

 

Thank you

John

Hello

No, it's used to encrypt all crypto pre-shared keys. However, it seems to also perform encryption on all other passwords without applying the "old" service password-encryption feature. So in your case the local username type 9 secret will be the same, and so should the TACACS server key, but you should see it apply encryption to your TACACS server key as type 6 in the run config.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
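The two global commands from the replies above, written out in the order they are entered and with the before/after state of the server key, as an added example that is not from the original thread or from Cisco documentation. The server address and the key value are placeholders; the aaa group line is included only to show what changes.

```cisco
! Added example (not from the thread): reversible type 6 (AES) encryption of the TACACS+ key.
!
! 1. Set the master key first. It is kept outside the running-config, and when the
!    command is given without an argument the device prompts for it interactively.
key config-key password-encrypt
!
! 2. Turn on AES encryption for keys that support type 6 (TACACS+ and RADIUS server
!    keys, crypto pre-shared keys, and similar). Type 0 keys already in the
!    configuration are converted in place.
password encryption aes
!
! Before (stored in clear text in the running-config):
!   server-private 10.12.12.45 key foobar
! After, as shown by 'show running-config | section aaa group':
!   server-private 10.12.12.45 key 6 <ciphertext>
!
! Not affected: 'enable secret 9 ...' and 'username ... secret 9 ...' are salted
! hashes rather than reversible encryption, so they are left exactly as they were.
```

Keep the master key somewhere safe: it is not shown by any `show` command, and without it a type 6 key copied from this box cannot be decrypted and has to be re-entered. Running `key config-key password-encrypt` again with a new value re-encrypts the existing type 6 keys under the new master key.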