[c-nsp] VRF and Tacas
Matthew Melbourne
matt at melbourne.org.uk
Thu Mar 17 10:45:02 EDT 2011
I've found that you need to define the TACACS+ server differently,
when a non-global VRF is in use....
e.g.
aaa group server tacacs+ ACS-MGMT
server <TACACS-SERVER-IP-ADDRESS>
ip vrf forwarding Mgmt-intf
ip tacacs source-interface GigabitEthernet0
!
aaa authentication login default group ACS-MGMT line
(etc)
The tacacs-server commands are still necessary to define timeouts,
shared keys, etc..
http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/Management_Ethernet.html#wp1059079
Cheers,
Matt
> Message: 5
> Date: Thu, 17 Mar 2011 08:14:26 -0500
> From: Judith Sanders <jasanders at ptci.com>
> To: "'Ziv Leyes'" <zivl at gilat.net>, "'cisco-nsp at puck.nether.net'"
> <cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] VRF and Tacas
> Message-ID:
> <54C97ADB93CF0C45B7665446894E121D02EBD8105D at PTCCEXCHMB.corp.ptci.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Here is my line vty conf...
>
> line vty 0 4
> access-class 103 in vrf-also
> login authentication vty
> transport input telnet ssh
>
> Judith Sanders
> Pioneer Telephone
> Inside Plant Networking Services
> jasanders at ptci.com 405.375.0645
> "Life is what we make it. Always has been, always will be."
> - Grandma Moses
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
> Sent: Thursday, March 17, 2011 2:04 AM
> To: 'cisco-nsp at puck.nether.net'
> Subject: Re: [c-nsp] VRF and Tacas
>
> Could you post your line vty configuration?
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Judith Sanders
> Sent: Wednesday, March 16, 2011 10:03 PM
> To: 'cisco-nsp at puck.nether.net'
> Subject: [c-nsp] VRF and Tacas
>
> I am trying to configure my ASR 1006 to use TACACS+ via my vrf interface, which is my gigabitethernet 0 interface. We use this only for management. I can ping the TAC server from my vrf, but it will not authenticate against it. Here is what I have-
>
> interface GigabitEthernet0
> vrf forwarding Mgmt-intf
> ip address 192.x.x.x x.x.x.x
> negotiation auto
>
> aaa authentication login default group tacacs+ local
> aaa authorization exec default group tacacs+ if-authenticated
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 0 default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting connection default start-stop group tacacs+
>
> ip tacacs source-interface GigabitEthernet0
> tacacs-server host 172.x.x.x
> tacacs-server host 172.x.x.x
> tacacs-server directed-request
> tacacs-server key x.x.x.x
>
> I can ping the TAC server from my vrf, and here are my debugs - I am not successful.
>
>
> Mar 16 14:52:20: TPLUS: processing authentication start request id 606
> Mar 16 14:52:20: TPLUS: Authentication start packet created for 606(jasanders)
> Mar 16 14:52:20: TPLUS: Using server 172.16.1.124
> Mar 16 14:52:20: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:25: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:25: TPLUS: Choosing next server 172.16.1.134
> Mar 16 14:52:25: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:25: TPLUS(0000025E)/4DB519C0: releasing old socket 0
> Mar 16 14:52:30: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:30: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out, clean up
> Mar 16 14:52:30: TPLUS(0000025E)/1/4DB519C0: Processing the reply packet
> Mar 16 14:52:38: TPLUS: Queuing AAA Authentication request 606 for processing
> Mar 16 14:52:38: TPLUS: processing authentication start request id 606
> Mar 16 14:52:38: TPLUS: Authentication start packet created for 606(jasanders)
> Mar 16 14:52:38: TPLUS: Using server 172.16.1.124
> Mar 16 14:52:38: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:43: TPLUS(0000025E)/0/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:43: TPLUS: Choosing next server 172.16.1.134
> Mar 16 14:52:43: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: Started 5 sec timeout
> Mar 16 14:52:43: TPLUS(0000025E)/4DB519C0: releasing old socket 0
> Mar 16 14:52:48: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out
> Mar 16 14:52:48: TPLUS(0000025E)/1/NB_WAIT/4DB519C0: timed out, clean up
>
>
>
> Thanks,
> Judith Sanders
> Pioneer Telephone
> Inside Plant Networking Services
> jasanders at ptci.com
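The problem in Judith's configuration (global tacacs-server hosts while the source-interface sits in the Mgmt-intf VRF) and the server-group fix in Matt's reply can be checked mechanically before a change is pushed. The audit below is an added example, not code from this thread or from Cisco; the two sample configs, the 172.16.1.124 address borrowed from the debug output, and the function names are constructed for illustration.

```python
import re

# Constructed sample configs modelled on the thread (addresses are placeholders): BROKEN_CFG has
# global tacacs-server hosts plus a source-interface in a VRF; FIXED_CFG binds a server group to it.
BROKEN_CFG = """\
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
!
ip tacacs source-interface GigabitEthernet0
tacacs-server host 172.16.1.124
"""
FIXED_CFG = """\
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
!
aaa group server tacacs+ ACS-MGMT
 server 172.16.1.124
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
"""

def parse_blocks(cfg):
    """Split IOS-style config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for line in cfg.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def audit_tacacs_vrf(cfg):
    """Return findings (strings); an empty list means TACACS+ and VRF bindings agree."""
    blocks = parse_blocks(cfg)
    # interface name -> VRF, from 'vrf forwarding' or the older 'ip vrf forwarding' sub-command
    vrfs = {m.group(1): v.group(1) for hdr, sub in blocks if (m := re.match(r"interface (\S+)", hdr))
            for c in sub if (v := re.match(r"(?:ip )?vrf forwarding (\S+)", c))}
    findings = []
    # Global 'tacacs-server host' entries are reached via the global table; a VRF source-interface
    # alone does not move them there, which is the symptom in the original post (5 s timeouts).
    src_global = [h.split()[-1] for h, _ in blocks if h.startswith("ip tacacs source-interface")]
    if any(h.startswith("tacacs-server host") for h, _ in blocks):
        findings += [f"global tacacs-server hosts, but source-interface {i} is in VRF {vrfs[i]}: "
                     f"define them in an 'aaa group server tacacs+' bound to that VRF" for i in src_global if i in vrfs]
    for hdr, sub in blocks:  # inside a group, 'ip vrf forwarding' must match the source-interface VRF
        if hdr.startswith("aaa group server tacacs+"):
            opt = lambda key: next((c.split()[-1] for c in sub if c.startswith(key)), None)
            src, grp_vrf = opt("ip tacacs source-interface"), opt("ip vrf forwarding")
            if src in vrfs and vrfs[src] != grp_vrf:
                findings.append(f"group {hdr.split()[-1]}: source-interface {src} is in VRF {vrfs[src]}, group VRF is {grp_vrf}")
    return findings
```

Run `audit_tacacs_vrf()` over a `show running-config` dump; the group check also catches a server group whose `ip vrf forwarding` line was forgotten or names a different VRF than the source-interface.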