TACACS Source Interface

Patrick McHenry
Level 4

Hi,

We've configured TACACS authentication for most of our network equipment. We've configured a physical interface for the ip tacacs source-interface <source interface> command.

Just an observation:  I've noticed when logging in, after I've configured the TACACS source interface, it doesn't matter which ip address that is configured on the device I use to log in. I still get through using TACACS. Which is fine.

We've configured AAA to fallback to local if TACACS fails.

My question is this:

If the interface that I have configured as the ip tacacs source-interface goes down, will TACACS fail and fall back to the local password?

Or, will I still be able to get in using other addresses on the device?

Thank you, Pat.

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Patrick,

>>Or, will I still be able to get in using other addresses on the device?

I would say the device will try to use a different source IP address if available.

For this reason the tacacs source interface should be:

a loopback interface on routers published in the routing domain

an SVI on a multilayer switch.

to ensure consistency.

Fallback to the local username/password pair should happen only when communication with the Tacacs server fails. At least this is what I have seen on some AAA tests I did some years ago.

Edit:

if the network device switches to a different source IP address it may be seen as an unknown device on the tacacs server as in the server the device object is defined with the IP address.

So consistency is important.

see

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#GUID-54A00318-CF69-46FC-9ADC-313BFC436713

>>Use this command to set the IP address of a subinterface for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses

So I would suggest reviewing your choice of the tacacs source interface.

Hope to help

Giuseppe

Reza Sharifi
Hall of Fame

Pat,

As Giuseppe also noted, it will use another interface as the source. You will not lose connectivity to the TACACS because the source interface is down.

Applying the source interface for SSH, telnet, etc. is a security measure.

Here I have a source interface for telnet of 200.200.200.200 coming from a switch to a router:

R1#sh users
    Line       User       Host(s)              Idle       Location
* 66 vty 0                idle                 00:00:00 200.200.200.200
  Interface      User        Mode                     Idle     Peer Address

Now I go back to the switch and delete the source. I can still log in, but the source is the SVI on the switch:

R1#exit
[Connection to 20.20.20.1 closed by foreign host]
Sw1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Sw1(config)#no  ip telnet source-interface loopback 200
Sw1(config)#^Z
Sw1#tel 20.20.20.1
*Mar  6 21:12:39.285: %SYS-5-CONFIG_I: Configured from console by console
Trying 20.20.20.1 ... Open
User Access Verification
Password:
R1>en
Password:
R1#sh user
R1#sh users
    Line       User       Host(s)              Idle       Location
* 66 vty 0                idle                 00:00:00 20.20.20.3
  Interface      User        Mode                     Idle     Peer Address
R1#

From the command reference guide:

Usage Guidelines

Use this command to set a subinterface's IP address for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.

This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.

The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.

http://www.cisco.com/en/US/docs/ios/12_1/security/command/reference/srdtacs.html#wp1017795

HTH

Reza
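The behaviour both replies describe (a down or address-less source interface makes TACACS+ revert to the default source, so the device may show up at the server from an address it does not know) can be checked offline against a running-config. The following is an added example, not code from the thread or from Cisco; the IOS configuration text is constructed, and the function names parse_interfaces and audit_tacacs_source are hypothetical. It flags a source interface that is shut down, has no IP address, or is a physical port rather than the Loopback or SVI recommended above.

```python
import re

# Constructed sample config: the TACACS+ source is pinned to a shut-down port.
SAMPLE_CONFIG = """\
interface Loopback200
 ip address 200.200.200.200 255.255.255.255
interface Vlan20
 ip address 20.20.20.3 255.255.255.0
!
interface GigabitEthernet1/0/1
 no ip address
 shutdown
ip tacacs source-interface GigabitEthernet1/0/1
"""

def parse_interfaces(config):
    """Map interface name -> {"ip": first IPv4 address or None, "shutdown": bool}."""
    interfaces, current = {}, None  # assumes names as printed by 'show running-config'
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"ip": None, "shutdown": False}
        elif current and line.startswith(" "):
            body = line.strip()
            if body.startswith("ip address ") and not body.startswith("ip address dhcp"):
                interfaces[current]["ip"] = body.split()[2]
            elif body == "shutdown":
                interfaces[current]["shutdown"] = True
        else:
            current = None  # any non-indented line ends the interface stanza
    return interfaces

def audit_tacacs_source(config):
    """Return findings (empty list = OK) about the 'ip tacacs source-interface' choice."""
    m = re.search(r"^ip tacacs source-interface (\S+)", config, re.M)
    if not m:
        return ["no source-interface configured: source address follows the egress interface"]
    name = m.group(1)
    intf = parse_interfaces(config).get(name)
    if intf is None:
        return [f"{name}: source interface is not defined in the configuration"]
    findings = []
    if intf["shutdown"]:
        findings.append(f"{name}: administratively down, TACACS+ reverts to the default source")
    if intf["ip"] is None:
        findings.append(f"{name}: no IP address, TACACS+ reverts to the default source")
    if not name.startswith(("Loopback", "Vlan")):
        findings.append(f"{name}: physical port, prefer a Loopback or SVI for a stable source")
    return findings
```

Each finding corresponds to a case where the TACACS+ server's single AAA-client entry for the device would no longer match the address the device actually sends from.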
