[c-nsp] VRF and Tacas
Steve Adcock
Steve.Adcock at ioko.com
Wed Mar 16 18:04:34 EDT 2011
Hello Judith,
Please follow the below link which mentions what Chris covered below:-
http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/Management_Ethernet.html#wp1059079
Hope this helps.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Evans
Sent: 16 March 2011 21:41
To: Judith Sanders
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VRF and Tacas
If I remember right under the tacacs server configuration you need to tell
it to use the vrf. This might be under the server group also.
On Mar 16, 2011 5:34 PM, "Judith Sanders" <jasanders at ptci.com> wrote:
> I am trying to configure my ASR 1006 to use TACACS+ via my vrf interface,
> which is my gigabitethernet 0 interface. We use this only for management. I
> can ping the TAC server from my vrf, but it will not authenticate against
> it. Here is what I have-
>
> interface GigabitEthernet0
> vrf forwarding Mgmt-intf
> ip address 192.x.x.x x.x.x.x
> negotiation auto
>
> aaa authentication login default group tacacs+ local
> aaa authorization exec default group tacacs+ if-authenticated
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting connection default start-stop group tacacs+
>
> ip tacacs source-interface GigabitEthernet0
> tacacs-server host 172.x.x.x
> tacacs-server host 172.x.x.x
> tacacs-server directed-request
> tacacs-server key x.x.x.x
>
> I can ping the TAC server from my vrf- and here are my debugs-I am not
> successful.
>
>
> Mar 16 14:52:20: TPLUS: processing authentication start request id 606
> Mar 16 14:52:20: TPLUS: Authentication start packet created for 606(jasanders)
> Mar 16 14:52:20: TPLUS: Using server 172.16.1.124
> Mar 16 14:52:20: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:25: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:25: TPLUS: Choosing next server 172.16.1.134
> Mar 16 14:52:25: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:25: TPLUS(0000025E)/4DB519C0: releasing old socket 0
> Mar 16 14:52:30: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:30: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out, clean up
> Mar 16 14:52:30: TPLUS(0000025E)/1/4DB519C0: Processing the reply packet
> Mar 16 14:52:38: TPLUS: Queuing AAA Authentication request 606 for processing
> Mar 16 14:52:38: TPLUS: processing authentication start request id 606
> Mar 16 14:52:38: TPLUS: Authentication start packet created for 606(jasanders)
> Mar 16 14:52:38: TPLUS: Using server 172.16.1.124
> Mar 16 14:52:38: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:43: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:43: TPLUS: Choosing next server 172.16.1.134
> Mar 16 14:52:43: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:43: TPLUS(0000025E)/4DB519C0: releasing old socket 0
> Mar 16 14:52:48: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:48: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out, clean up
>
>
>
> Thanks,
> Judith Sanders
> Pioneer Telephone
> Inside Plant Networking Services
> jasanders at ptci.com
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/