12-06-2012 05:32 AM - edited 03-07-2019 10:25 AM
Hi,
We've configured TACACS authentication for most of our network equipment. We've configured a physical interface for the ip tacacs source-interface <source interface> command.
Just an observation: I've noticed when logging in, after I've configured the TACACS source interface, it doesn't matter which ip address that is configured on the device I use to log in. I still get through using TACACS. Which is fine.
We've configured AAA to fallback to local if TACACS fails.
My question is this:
If the interface that I have configured as the ip tacacs source-interface goes down, will TACACS fail and fall back to the local password?
Or, will I still be able to get in using other addresses on the device?
Thank you, Pat.
12-06-2012 06:02 AM
Hello Patrick,
>>Or, will I still be able to get in using other addresses on the device?
I would say the device will try to use a different source IP address if available.
For this reason the tacacs source interface should be:
a loopback interface on routers published in the routing domain
an SVI on a multilayer switch.
to ensure consistency.
Fallback to the local username/password pair should happen only when communication with the TACACS server fails. At least this is what I have seen in some AAA tests I did some years ago.
Edit:
if the network device switches to a different source IP address it may be seen as an unknown device on the tacacs server as in the server the device object is defined with the IP address.
So consistency is important.
see
>>Use this command to set the IP address of a subinterface for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses
So I would suggest to review your choices of the tacacs source interface
Hope to help
Giuseppe
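As an added example (not part of Giuseppe's post or the original thread), here is the configuration that implements his recommendation on an IOS router: a routed loopback as the TACACS+ source, a server group, and local fallback that applies only when no server answers. The loopback address 10.255.0.1/32, the server address 10.1.1.10, the server/group names, the shared key and the local account are all assumed values; the TACACS+ server must have a client (NAS) entry for 10.255.0.1 with the same key.

```cisco
! Added example, not from the original thread. All addresses, names and
! keys below are assumptions for illustration.
!
interface Loopback0
 description AAA / management source address
 ip address 10.255.0.1 255.255.255.255
!
! The loopback must be reachable from the TACACS+ server, so advertise it
! (OSPF process 1, area 0 assumed here).
router ospf 1
 network 10.255.0.1 0.0.0.0 area 0
!
aaa new-model
!
! IOS 15.x style server definition; on older releases the equivalent is
! "tacacs-server host 10.1.1.10 key tacacs-key".
tacacs server ISE-1
 address ipv4 10.1.1.10
 key tacacs-key
!
aaa group server tacacs+ TAC-GROUP
 server name ISE-1
!
! Source every TACACS+ packet from the loopback. This applies only while the
! interface is up and has an address; otherwise IOS reverts to the address of
! the outgoing interface, which the server will not recognise as this device.
ip tacacs source-interface Loopback0
!
! "local" is consulted only when no server in the group responds (timeout or
! protocol error). A clean reject from the server does NOT fall back to local.
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local if-authenticated
!
! Local account used only during fallback; keep it a strong secret.
username admin privilege 15 secret LocalFallbackSecret
!
! Verification from exec mode:
!   show tacacs                                   (per-server counters, socket state)
!   test aaa group TAC-GROUP admin <password> legacy   (end-to-end authentication test)
```

The practitioner check that follows from this: after shutting Loopback0 in a lab, `show tacacs` should show requests still being sent (now from the egress interface address) but the server's unknown-client or key-mismatch handling determines whether they are answered; if they are not, the `local` method is what lets you in, so the local credentials must be treated as a real break-glass secret rather than a convenience.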
12-06-2012 06:16 AM
Pat,
As Giuseppe also noted, it will use another interface as the source. You will not lose connectivity to the TACACS server because the source interface is down.
Applying the source interface for SSH, telnet, etc. is a security measure.
Here I have a source interface for telnet of 200.200.200.200 coming from a switch to a router:
R1#sh users
Line User Host(s) Idle Location
* 66 vty 0 idle 00:00:00 200.200.200.200
Interface User Mode Idle Peer Address
Now I go back to the switch and delete the source. I can still log in, but the source is now the SVI on the switch:
R1#exit
[Connection to 20.20.20.1 closed by foreign host]
Sw1#config t
Enter configuration commands, one per line. End with CNTL/Z.
Sw1(config)#no ip telnet source-interface loopback 200
Sw1(config)#^Z
Sw1#tel 20.20.20.1
*Mar 6 21:12:39.285: %SYS-5-CONFIG_I: Configured from console by console
Trying 20.20.20.1 ... Open
User Access Verification
Password:
R1>en
Password:
R1#sh user
R1#sh users
Line User Host(s) Idle Location
* 66 vty 0 idle 00:00:00 20.20.20.3
Interface User Mode Idle Peer Address
R1#
From the command reference guide:
Use this command to set a subinterface's IP address for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.
This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.
The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.
http://www.cisco.com/en/US/docs/ios/12_1/security/command/reference/srdtacs.html#wp1017795
HTH
Reza