[c-nsp] VRF and Tacas

Jurgen Marenda jm at ilk.net
Wed Mar 16 18:03:13 EDT 2011


> If I remember right under the tacacs server configuration you need to tell
> it to use the vrf.  This might be under the server group also.

Like this (on 876W):

!
aaa new-model
aaa authentication login default group custaaa local-case
aaa authentication enable default group custaaa enable
aaa authentication ppp default local-case
aaa authentication dot1x default group rad-dotx local-case
aaa authorization exec default group custaaa local if-authenticated
aaa accounting dot1x default start-stop group rad-dotx
aaa session-id common
!
aaa group server tacacs+ custaaa
 server 10.11.12.13
 ip tacacs source-interface Loopback0
!
aaa group server radius rad-dotx
 server 10.12.13.14 auth-port 1812 acct-port 1813
 server 10.13.14.15 auth-port 1812 acct-port 1813
 ip vrf forwarding pikatchu
!
! somehow redundant but necessary
tacacs-server host 10.11.12.13
radius-server host 10.12.13.14 auth-port 1812 acct-port 1813 key winniethepooh
radius-server host 10.13.14.15 auth-port 1812 acct-port 1813 key tiggerandco
!

The "aaa authentication ppp default local-case" is for BRI admin access
with local user/password when DSL is not working
and therefore the tacacs server is unreachable.

Hope this helps

Juergen.
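
An added example, not part of the post above: a small Python check that reads IOS-style configuration text, reports which AAA server groups have no `ip vrf forwarding`, and flags group members without a matching global host line (the lines the post calls redundant but necessary). The sample configuration is constructed from the post with a placeholder key, and the function names `parse` and `audit` are assumptions.

```python
import re

# Constructed sample modelled on the configuration in the post; the key is a placeholder.
SAMPLE = """\
aaa group server tacacs+ custaaa
 server 10.11.12.13
 ip tacacs source-interface Loopback0
aaa group server radius rad-dotx
 server 10.12.13.14 auth-port 1812 acct-port 1813
 server 10.13.14.15 auth-port 1812 acct-port 1813
 ip vrf forwarding pikatchu
tacacs-server host 10.11.12.13
radius-server host 10.12.13.14 auth-port 1812 acct-port 1813 key PLACEHOLDER
"""
GROUP = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)")
GLOBAL = re.compile(r"^(tacacs|radius)-server host (\S+)")

def parse(config):
    """Return (groups, global_hosts) parsed from IOS-style configuration text."""
    groups, hosts, cur = {}, {"tacacs+": set(), "radius": set()}, None
    for line in config.splitlines():
        words = line.split()
        if m := GROUP.match(line):
            cur = groups[m.group(2)] = {"proto": m.group(1), "servers": [], "vrf": None}
        elif line.startswith(" ") and cur is not None and words:
            if words[0] == "server" and len(words) > 1:
                cur["servers"].append(words[1])
            elif words[:3] == ["ip", "vrf", "forwarding"] and len(words) > 3:
                cur["vrf"] = words[3]
        else:
            cur = None  # any non-indented line closes the current group
            if m := GLOBAL.match(line):
                hosts["tacacs+" if m.group(1) == "tacacs" else "radius"].add(m.group(2))
    return groups, hosts

def audit(config):
    """Report groups that use the global table and members lacking a global host line."""
    groups, hosts = parse(config)
    findings = []
    for name, g in groups.items():
        if g["vrf"] is None:
            findings.append(f"{name}: no 'ip vrf forwarding', uses the global routing table")
        for s in g["servers"]:
            if s not in hosts[g["proto"]]:
                findings.append(f"{name}: server {s} has no global host line")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
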