TACACS issue with IOS-XE on ISR4431

Craddockc
Level 3

Community,

I'm trying to get an IOS-XE router to use TACACS+ for login authentication but I'm having trouble doing so. I have a strong feeling that it has to do with the vrf instance "Mgmt-intf" but can't figure out how to make it work. I want the interface Gig0, which is in the vrf instance Mgmt-intf, to be the source interface for the TACACS requests. I have double-checked the keys and I know the config is correct in Cisco ACS. I can ping the ACS from the interface as shown:

QTS-BORDER-1A#ping vrf Mgmt-intf 10.134.193.178
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.134.193.178, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 69/78/86 ms

My configs are as follows:

aaa new-model

aaa authentication login default group tacacs+ local

vrf definition Mgmt-intf

!

interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.110.255.14 255.255.255.0
 negotiation auto
 no mop enabled

!

ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.110.255.18
ip tacacs source-interface GigabitEthernet0

!

tacacs server TACACS+
 address ipv4 10.134.193.178
 key 7 104B0A0A0D1E022218222F3D0B3130212D1925130D37574D575A5A2C0A1F05510E

When I try to connect using my TACACS account it just says "access denied."

QTS-BORDER-1A#show tacacs

Tacacs+ Server - public :
Server name: TACACS+
Server address: 10.134.193.178
Server port: 49
Socket opens: 2
Socket closes: 2
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0

Any suggestions? Thanks everyone!

Chris.

1 Accepted Solution

5 Replies

Craddockc
Level 3
As a follow-up, I did a debug and found that the router is reporting the following: "Connect Error No route to host". I'm almost certain this has to do with the vrf instance not having a route or something like that, but am not sure how to correct it:

Sep 19 17:57:46.522: TPLUS: Queuing AAA Authentication request 63 for processing
Sep 19 17:57:46.522: TPLUS(0000003F) login timer started 1020 sec timeout
Sep 19 17:57:46.522: TPLUS: processing authentication start request id 63
Sep 19 17:57:46.522: TPLUS: Authentication start packet created for 63(ccraddock)
Sep 19 17:57:46.522: TPLUS: Using server 10.134.193.178
Sep 19 17:57:46.522: TPLUS(0000003F)/0: Connect Error No route to host
Sep 19 17:57:53.499: TPLUS: Queuing AAA Authentication request 63 for processing
Sep 19 17:57:53.499: TPLUS(0000003F) login timer started 1020 sec timeout
Sep 19 17:57:53.499: TPLUS: processing authentication start request id 63
Sep 19 17:57:53.499: TPLUS: Authentication start packet created for 63(ccraddock)
Sep 19 17:57:53.499: TPLUS: Using server 10.134.193.178
Sep 19 17:57:53.499: TPLUS(0000003F)/0: Connect Error No route to host

Have you tried configuring like this:

aaa group server tacacs+ tacacs1
    server-private 10.1.1.1 port 19 key cisco
    ip vrf forwarding MGMTxxxx
    ip tacacs source-interface Loopback0

As per https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-3s/sec-usr-tacacs-xe-3s-book/sec-vrf-tacas-svrs.html

I hope it helps,

Paul

Paul,

That did the trick! Apparently I have to group the server into a separate aaa server group and then use the "ip vrf forwarding" command in the group. I'm able to connect via TACACS+ now. Thanks!

Excellent. I am glad this has worked for you.

I had the same problem with ASR1001x, IOS asr1001x-universalk9.16.09.02.SPA.bin

Here is the correct config that worked.

aaa group server tacacs+ xxxxxxx
 server-private xxxxxxxxx key 7 xxxxx
 server-private xxxxxxxxx key 7 xxxxx
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0

aaa authentication login default group xxxxxxx none
aaa authorization exec default group xxxxxxxxx none
aaa authorization commands 1 default group xxxxxxxxx none
aaa authorization commands 15 default group xxxxxxxxxx none
aaa accounting exec default start-stop group xxxxxxxxxxx none
aaa accounting commands 1 default start-stop group xxxxxxxxxxxxxx
aaa accounting commands 15 default start-stop group xxxxxxxxxxxxxxxx
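As an added illustration (not from this thread, not Cisco's tooling), here is a small Python checker that parses the stanzas discussed above and flags the two things worth catching before a change window: a method list that points at the global tacacs+ servers while the source interface lives in a VRF (the shape of the first post), and a method list that ends in none, which is the fail-open fallback in the config just above. The group name MGMT-TACACS, the PLACEHOLDER key and both sample configs are constructed for the example.

```python
import re
def parse_ios(cfg):  # minimal parser for the stanzas in this thread; assumed shape, not Cisco's
    if_vrf, groups, lists, glob_src, ctx = {}, {}, [], None, None
    for raw in filter(str.strip, cfg.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():  # top-level command: opens a stanza or stands alone
            ctx = None
            if m := re.match(r"interface (\S+)$", line):
                ctx = ("if", m[1])
            elif m := re.match(r"aaa group server tacacs\+ (\S+)$", line):
                ctx, groups[m[1]] = ("grp", m[1]), {"vrf": None, "src": None}
            elif m := re.match(r"ip tacacs source-interface (\S+)$", line):
                glob_src = m[1]
            elif m := re.match(r"aaa (\w+ .+?) default (.+)$", line):  # a method list
                meth = [("group", g) if g else (o, None) for g, o in re.findall(r"group (\S+)|(\S+)", m[2])
                        if o not in ("start-stop", "stop-only", "wait-start")]
                lists.append((m[1], meth))
        elif ctx and (m := re.match(r"(?:ip )?(vrf forwarding|tacacs source-interface) (\S+)$", line)):
            tgt, key = (if_vrf, ctx[1]) if ctx[0] == "if" else (groups[ctx[1]], "vrf" if m[1][0] == "v" else "src")
            tgt[key] = m[2]  # interface -> its VRF, or group -> its VRF / source interface
    return if_vrf, groups, lists, glob_src

def audit(cfg):  # returns a list of findings; empty means the AAA/VRF wiring looks consistent
    if_vrf, groups, lists, glob_src = parse_ios(cfg)
    out = []
    for name, meth in lists:
        for grp in [g for k, g in meth if k == "group"]:
            g = groups.get(grp)
            if grp == "tacacs+" and glob_src and if_vrf.get(glob_src):  # the first post's situation
                out.append(f"{name}: global tacacs+ servers are not VRF-aware, but {glob_src} is in VRF {if_vrf[glob_src]}")
            elif g and g["src"] and if_vrf.get(g["src"]) != g["vrf"]:
                out.append(f"{grp}: source-interface {g['src']} is not in the group's VRF {g['vrf']}")
        if meth and meth[-1][0] == "none":
            out.append(f"{name}: ends in 'none', so AAA fails open if every server is unreachable")
    return out
# constructed samples: BROKEN mirrors the first post, FIXED the accepted answer plus a 'none' fallback
BROKEN = """aaa authentication login default group tacacs+ local
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
"""
FIXED = """aaa group server tacacs+ MGMT-TACACS
 server-private 10.134.193.178 key 7 PLACEHOLDER
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
aaa authentication login default group MGMT-TACACS local
aaa authorization exec default group MGMT-TACACS none
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
"""
```

Running audit(BROKEN) reports the missing VRF-aware group; audit(FIXED) is quiet about the VRF wiring and only flags the exec authorization list for its none fallback.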