[c-nsp] VRF and Tacas
Chris Evans
chrisccnpspam2 at gmail.com
Wed Mar 16 17:41:05 EDT 2011
If I remember right, under the TACACS server configuration you need to tell
it to use the VRF. This might be under the server group also.
On Mar 16, 2011 5:34 PM, "Judith Sanders" <jasanders at ptci.com> wrote:
> I am trying to configure my ASR 1006 to use TACACS+ via my vrf interface,
> which is my gigabitethernet 0 interface. We use this only for management. I
> can ping the TAC server from my vrf, but it will not authenticate against
> it. Here is what I have-
>
> interface GigabitEthernet0
> vrf forwarding Mgmt-intf
> ip address 192.x.x.x x.x.x.x
> negotiation auto
>
> aaa authentication login default group tacacs+ local
> aaa authorization exec default group tacacs+ if-authenticated
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting connection default start-stop group tacacs+
>
> ip tacacs source-interface GigabitEthernet0
> tacacs-server host 172.x.x.x
> tacacs-server host 172.x.x.x
> tacacs-server directed-request
> tacacs-server key x.x.x.x
>
> I can ping the TAC server from my vrf- and here are my debugs-I am not
> successful.
>
>
> Mar 16 14:52:20: TPLUS: processing authentication start request id 606
> Mar 16 14:52:20: TPLUS: Authentication start packet created for 606(jasanders)
> Mar 16 14:52:20: TPLUS: Using server 172.16.1.124
> Mar 16 14:52:20: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:25: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:25: TPLUS: Choosing next server 172.16.1.134
> Mar 16 14:52:25: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:25: TPLUS(0000025E)/4DB519C0: releasing old socket 0
> Mar 16 14:52:30: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:30: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out, clean up
> Mar 16 14:52:30: TPLUS(0000025E)/1/4DB519C0: Processing the reply packet
> Mar 16 14:52:38: TPLUS: Queuing AAA Authentication request 606 for processing
> Mar 16 14:52:38: TPLUS: processing authentication start request id 606
> Mar 16 14:52:38: TPLUS: Authentication start packet created for 606(jasanders)
> Mar 16 14:52:38: TPLUS: Using server 172.16.1.124
> Mar 16 14:52:38: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:43: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:43: TPLUS: Choosing next server 172.16.1.134
> Mar 16 14:52:43: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:43: TPLUS(0000025E)/4DB519C0: releasing old socket 0
> Mar 16 14:52:48: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:48: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out, clean up
>
>
>
> Thanks,
> Judith Sanders
> Pioneer Telephone
> Inside Plant Networking Services
> jasanders at ptci.com
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
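The VRF-aware server group the reply points toward, as an added example that is not part of either post: the global `tacacs-server host` entries are replaced by private servers inside a group bound to the management VRF, and the AAA method lists reference that group instead of `tacacs+`. The group name `MGMT-TACACS` is hypothetical; the server addresses and key are placeholders, masked the same way as in the original message.

```cisco
! Added example; MGMT-TACACS is a hypothetical group name.
! Server addresses and <key> are placeholders, not values from the thread.
!
! Servers are defined privately inside the group so they are reached
! through the VRF named below rather than the global routing table.
aaa group server tacacs+ MGMT-TACACS
 server-private 172.x.x.x key <key>
 server-private 172.x.x.x key <key>
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
!
! Method lists must name the VRF-aware group; "group tacacs+" refers to
! the global server list and would bypass the group above.
! "local" stays as the login fallback, as in the original configuration.
aaa authentication login default group MGMT-TACACS local
aaa authorization exec default group MGMT-TACACS if-authenticated
aaa accounting exec default start-stop group MGMT-TACACS
aaa accounting commands 0 default start-stop group MGMT-TACACS
aaa accounting commands 1 default start-stop group MGMT-TACACS
aaa accounting commands 15 default start-stop group MGMT-TACACS
aaa accounting connection default start-stop group MGMT-TACACS
!
! Remove the global definitions once the group is in use.
no tacacs-server host 172.x.x.x
no tacacs-server host 172.x.x.x
no ip tacacs source-interface GigabitEthernet0
```

Keep an existing session open while changing the method lists, and confirm with `show tacacs` that the servers show opened sockets before relying on the new login path.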