Posted on May 26, 2021 12:26 am
 |  Asked by Kevin Kelleher
 |  39 views
RESOLVED

I am trying to configure TACACS over a vrf and for some reason no packets are being sent (all of the TACACS counters are zero).  Any ideas what might be wrong?

tacacs-server timeout 2
tacacs-server host 10.136.216.38 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
tacacs-server host 10.184.103.198 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa group server tacacs+ group1
   server 10.184.103.198 vrf management
!
aaa group server tacacs+ group2
   server 10.136.216.38 vrf management
!
aaa authentication login default group group1 group group2 local
aaa authentication enable default group group1 group group2 local
aaa authorization exec default group group1 group group2 local
aaa accounting exec default start-stop group group1 group group2
aaa accounting commands 15 default start-stop group group1 group group2

vrf definition management
   rd 1:1
!
interface Management1
   vrf forwarding management
   ip address 10.11.5.21/26
!
ip route vrf management 0.0.0.0/0 10.11.5.1
ip routing vrf management
!
ip tacacs vrf management source-interface Management1

switch1#show tacacs
TACACS+ server : 10.136.216.38/49
Connection opens: 0
Connection closes: 0
Connection disconnects: 0
Connection failures: 0
Connection timeouts: 0
Messages sent: 0
Messages received: 0
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0

TACACS+ server : 10.184.103.198/49
Connection opens: 0
Connection closes: 0
Connection disconnects: 0
Connection failures: 0
Connection timeouts: 0
Messages sent: 0
Messages received: 0
Receive errors: 0
Receive timeouts: 0
Send timeouts: 0
TACACS+ server-group: group1
1: 10.184.103.198/49
TACACS+ server-group: group2
1: 10.136.216.38/49

Last time counters were cleared: never

TACACS+ source-interface: outgoing packets will be sourced with an IP address associated with interface as follows:

VRF          source-interface
------------ ----------------
management   Management1

 

Posted by Tamas Plugor
Answered on May 26, 2021 12:26 am

Hi Kevin,

You'll have to configure TACACS in the VRF as well,

so instead of

tacacs-server host 10.136.216.38 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
tacacs-server host 10.184.103.198 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX

you'll need

tacacs-server host 10.136.216.38 vrf management key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
tacacs-server host 10.184.103.198 vrf management key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX

 

HTH,

Tamas
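The mismatch described in this thread can be caught before deployment by linting the configuration text. The following is an added example, not part of the original posts or any vendor tooling: the function name `unmatched_group_members` is hypothetical, the keys are constructed placeholders, and it assumes that an entry with no `vrf` keyword belongs to the default VRF (labelled `default` here).

```python
import re

VRF_RE = re.compile(r"\bvrf (\S+)")
GROUP_RE = re.compile(r"aaa group server tacacs\+ (\S+)")

def _vrf(line, default_vrf):
    # Assumption: no "vrf" keyword means the entry lives in the default VRF.
    m = VRF_RE.search(line)
    return m.group(1) if m else default_vrf

def unmatched_group_members(config, default_vrf="default"):
    """Return (group, host, vrf) for each server-group member that has no
    'tacacs-server host' definition in the same VRF."""
    hosts, members, group = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("tacacs-server host "):
            hosts.add((line.split()[2], _vrf(line, default_vrf)))
            group = None
        elif m := GROUP_RE.match(line):
            group = m.group(1)          # entering a server-group block
        elif group and line.startswith("server "):
            members.append((group, line.split()[1], _vrf(line, default_vrf)))
        else:
            group = None                # "!" or any other line ends the block
    return [mem for mem in members if (mem[1], mem[2]) not in hosts]

# Constructed sample: the relevant lines from the question, placeholder keys.
AS_POSTED = """\
tacacs-server host 10.136.216.38 key 7 XXXX
tacacs-server host 10.184.103.198 key 7 XXXX
!
aaa group server tacacs+ group1
   server 10.184.103.198 vrf management
!
aaa group server tacacs+ group2
   server 10.136.216.38 vrf management
!
"""
# The same lines with the change suggested in the answer applied.
CORRECTED = AS_POSTED.replace(" key 7", " vrf management key 7")

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for group, host, vrf in unmatched_group_members(cfg):
            print(f"{name}: {group} -> {host} has no host entry in vrf {vrf}")
```

A non-empty result on a device whose login method list ends in `local` is worth treating as a finding, since every login would then be authenticated against local accounts without touching the TACACS+ servers.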
