[c-nsp] VRF and Tacas

cisconsp at SecureObscure.com cisconsp at SecureObscure.com
Wed Mar 16 17:54:59 EDT 2011


This is how we templated it:

Note the use of server-private, with ip vrf forwarding and ip tacacs source-interface under the aaa group server block.

!TEMPLATE: Standard_AAA_IOS VERSION 2.1
#
#$USE_VRF "Management VRF" "Does this device use a VRF for management?" select "no yes"
#IF $USE_VRF "yes"
#$MANAGEMENT_VRF "Management VRF Name" "Name of the VRF used for management" text ""
#ENDIF
#$MANAGEMENT_INTERFACE "Management Interface Name" "The name of the interface used for management" text ""
#
!
! Standard AAA Template For Cisco IOS
!
aaa new-model
username neteng privilege 15 secret 5 $1$ABCDEFGHIJKLMNOPQ
!
aaa group server tacacs+ AAA_GROUP_NETADMIN
  server-private 10.42.124.21 timeout 10 key 7 00552332577758365B714257
  server-private 10.19.124.21 timeout 10 key 7 00552332577758365B714257
#IF $USE_VRF "yes"
  ip vrf forwarding $MANAGEMENT_VRF
#ENDIF
  ip tacacs source-interface $MANAGEMENT_INTERFACE
!Authentication
aaa authentication login default local
aaa authentication login AAA_AUTH_NETADMIN group AAA_GROUP_NETADMIN local
!Authorization, do not apply without network connectivity!
aaa authorization exec default group AAA_GROUP_NETADMIN local if-authenticated
aaa authorization commands 1 default group AAA_GROUP_NETADMIN none
aaa authorization commands 15 default group AAA_GROUP_NETADMIN none
!aaa authorization config-commands
aaa authorization network default none
!Accounting
aaa accounting exec default start-stop group AAA_GROUP_NETADMIN
aaa accounting commands 1 default start-stop group AAA_GROUP_NETADMIN
aaa accounting commands 15 default start-stop group AAA_GROUP_NETADMIN
aaa accounting network default start-stop group AAA_GROUP_NETADMIN
aaa accounting connection default start-stop group AAA_GROUP_NETADMIN
aaa accounting system default start-stop group AAA_GROUP_NETADMIN
login on-failure log
login on-success log
!Line Config, Console
line con 0
  exec-timeout 60 0
  login authentication AAA_AUTH_NETADMIN
  transport preferred none
!Line Config, VTY-SSH
line vty 0 15
 !access-class ACL_PERMIT_ADMIN in
  exec-timeout 60 0
  login authentication AAA_AUTH_NETADMIN
  transport input ssh
  transport preferred none
service tcp-keepalives-in
service tcp-keepalives-out

!Cryptographic Features
ip domain-name net.domain.com
ip ssh version 2
crypto key generate rsa general-keys modulus 1024
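
To make the difference between the two styles of configuration checkable, here is an added Python linter (written for this page, not code from the thread or from Cisco) that parses an IOS config and flags TACACS+ servers whose source interface sits in a VRF the server definition is not bound to. The two sample configs and the 192.0.2.x addresses are constructed; GLOBAL_STYLE mirrors the original poster's global tacacs-server setup and GROUP_STYLE the server-private template above.

```python
import re
# Constructed samples (RFC 5737 addresses), not from the thread: GLOBAL_STYLE
# mirrors the original poster's config, GROUP_STYLE the server-private template.
GLOBAL_STYLE = """interface GigabitEthernet0
 vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
tacacs-server host 192.0.2.10
"""
GROUP_STYLE = """interface GigabitEthernet0
 vrf forwarding Mgmt-intf
aaa group server tacacs+ AAA_GROUP_NETADMIN
 server-private 192.0.2.10 timeout 10 key 7 PLACEHOLDER
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
"""

def parse_ios(text):
    """Group an IOS config into (top-level line, [indented child lines])."""
    blocks = []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("!"):  # skip blanks, comments
            if raw[0].isspace() and blocks:
                blocks[-1][1].append(raw.strip())
            else:
                blocks.append((raw.strip(), []))
    return blocks

def check_tacacs_vrf(text):
    """Flag TACACS+ servers whose source interface sits in a VRF the server
    definition is not bound to (the thread's symptom: every server times out)."""
    blocks = parse_ios(text)
    # interface -> VRF, accepting both 'vrf forwarding' and 'ip vrf forwarding'
    vrfs = {head.split()[1]: m.group(1) for head, kids in blocks if head.startswith("interface ")
            for k in kids for m in [re.match(r"(?:ip )?vrf forwarding (\S+)", k)] if m}
    findings, global_src, global_hosts = [], None, []
    for head, kids in blocks:
        if head.startswith("ip tacacs source-interface"):
            global_src = head.split()[-1]
        elif head.startswith("tacacs-server host"):
            global_hosts.append(head.split()[2])
        elif head.startswith("aaa group server tacacs+"):
            name = head.split()[-1]
            src = next((k.split()[-1] for k in kids if "source-interface" in k), None)
            vrf = next((k.split()[-1] for k in kids if "vrf forwarding" in k), None)
            private = any(k.startswith("server-private") for k in kids)
            if src in vrfs and (vrf != vrfs[src] or not private):
                findings.append(f"{name}: source {src} is in VRF {vrfs[src]}; add 'ip vrf forwarding {vrfs[src]}' and use server-private")
    if global_src in vrfs and global_hosts:
        findings.append(f"global tacacs-server hosts {global_hosts} use the global routing table, but source {global_src} is in VRF {vrfs[global_src]}")
    return findings
```

Running check_tacacs_vrf on GLOBAL_STYLE returns one finding pointing at the global/VRF mismatch, while GROUP_STYLE passes clean.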


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Evans
Sent: Wednesday, March 16, 2011 4:41 PM
To: Judith Sanders
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VRF and Tacas

If I remember right under the tacacs server configuration you need to tell
it to use the vrf.  This might be under the server group also.
On Mar 16, 2011 5:34 PM, "Judith Sanders" <jasanders at ptci.com> wrote:
> I am trying to configure my ASR 1006 to use TACACS+ via my vrf interface,
> which is my gigabitethernet 0 interface. We use this only for management. I
> can ping the TAC server from my vrf, but it will not authenticate against
> it. Here is what I have-
>
> interface GigabitEthernet0
> vrf forwarding Mgmt-intf
> ip address 192.x.x.x x.x.x.x
> negotiation auto
>
> aaa authentication login default group tacacs+ local
> aaa authorization exec default group tacacs+ if-authenticated
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting connection default start-stop group tacacs+
>
> ip tacacs source-interface GigabitEthernet0
> tacacs-server host 172.x.x.x
> tacacs-server host 172.x.x.x
> tacacs-server directed-request
> tacacs-server key x.x.x.x
>
> I can ping the TAC server from my vrf- and here are my debugs-I am not
> successful.
>
>
> Mar 16 14:52:20: TPLUS: processing authentication start request id 606
> Mar 16 14:52:20: TPLUS: Authentication start packet created for
> 606(jasanders)
> Mar 16 14:52:20: TPLUS: Using server 172.16.1.124
> Mar 16 14:52:20: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:25: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:25: TPLUS: Choosing next server 172.16.1.134
> Mar 16 14:52:25: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:25: TPLUS(0000025E)/4DB519C0: releasing old socket 0
> Mar 16 14:52:30: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:30: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out, clean up
> Mar 16 14:52:30: TPLUS(0000025E)/1/4DB519C0: Processing the reply packet
> Mar 16 14:52:38: TPLUS: Queuing AAA Authentication request 606 for
> processing
> Mar 16 14:52:38: TPLUS: processing authentication start request id 606
> Mar 16 14:52:38: TPLUS: Authentication start packet created for
> 606(jasanders)
> Mar 16 14:52:38: TPLUS: Using server 172.16.1.124
> Mar 16 14:52:38: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:43: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:43: TPLUS: Choosing next server 172.16.1.134
> Mar 16 14:52:43: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:43: TPLUS(0000025E)/4DB519C0: releasing old socket 0
> Mar 16 14:52:48: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:48: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out, clean up
>
>
>
> Thanks,
> Judith Sanders
> Pioneer Telephone
> Inside Plant Networking Services
> jasanders at ptci.com
>
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/