01-18-2016 12:27 PM - edited 03-08-2019 03:27 AM
I'm configuring a new 3850 switch. I've never used the Gi0/0 management interface before. I'd like to use it on this switch because I don't really need to do any layer three stuff on the switching ports.
I have logging, ntp and ssh working on Gi0/0 with the "Mgmt-vrf". I can log in with a local account but tacacs doesn't seem to be working with this vrf.
Is aaa/tacacs supported on this?
01-18-2016 12:36 PM
Hello,
Please take a look at the link below, an example for TACACS over a management VRF:
http://blog.monkeyrouter.com/2014/04/tacacs-over-management-vrf.html
Masoud
01-18-2016 12:36 PM
Hi, yes it is. Did you make sure to have the ACL on your vty as vrf also?
EDIT
Also make sure you have this too
aaa group server tacacs+ SECURE
 server-private X.X.X.X key *****
 ip vrf forwarding Mgmt-vrf
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 X.X.X.X
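An added example, not written by anyone in this thread: a small offline audit of a saved running-config for the three items the reply above lists (VRF forwarding inside each TACACS+ server group, a route in the management VRF, and `vrf-also` on the vty access-class). The sample config, its addresses and the function names `blocks` and `audit` are constructed for illustration.

```python
# Constructed sample config (not from the thread); 192.0.2.x are documentation addresses.
SAMPLE = """\
aaa group server tacacs+ SECURE
 server-private 192.0.2.10 key <redacted>
 ip vrf forwarding Mgmt-vrf
!
aaa group server tacacs+ LEGACY
 server-private 192.0.2.11 key <redacted>
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.0.2.1
!
line vty 0 4
 access-class 10 in
"""

def blocks(config):
    """Yield (header, [sub-commands]) for each top-level IOS config block."""
    header, body = None, []
    for line in config.splitlines():
        if line[:1].isspace() and header is not None:
            body.append(line.strip())      # indented line belongs to the current block
        elif line.strip():
            if header is not None:
                yield header, body
            header, body = line.strip(), []
    if header is not None:
        yield header, body

def audit(config, vrf="Mgmt-vrf"):
    """Return findings that would keep TACACS+ from working over the management VRF."""
    findings, has_route = [], False
    for header, body in blocks(config):
        if header.startswith("aaa group server tacacs+ "):
            if f"ip vrf forwarding {vrf}" not in body:
                findings.append(f"{header.split()[-1]}: missing 'ip vrf forwarding {vrf}'")
        elif header.startswith(f"ip route vrf {vrf} "):
            has_route = True
        elif header.startswith("line vty"):
            for cmd in body:
                tok = cmd.split()
                if tok[0] == "access-class" and "in" in tok and "vrf-also" not in tok:
                    findings.append(f"{header}: access-class without vrf-also")
    if not has_route:
        findings.append(f"no 'ip route vrf {vrf}' entry")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```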
01-18-2016 01:45 PM
Thanks for the reply. I did have the vty stuff in there already. That's what allowed ssh to listen on the mgmt interface, but it would only let me authenticate against my emergency local account.
Strange that in all 2,424 pages of the 3850 "Consolidated Platform Configuration Guide", NONE of this is mentioned.
01-18-2016 01:41 PM
Thank you Masoud! That did it.
...jgm
01-18-2016 01:43 PM
Glad it helped,
Masoud