TACACS on 4431 Management Interface

Getting TACACS+ working via the Cisco 4431 management interface threw up a few issues and took a few tweaks. The final issue I found was that referencing all servers with the tacacs+ keyword doesn't work; you have to reference the named TACACS group with the servers defined within it.

Below is a working configuration example for TACACS+ via the management port in the Mgmt-intf VRF. I've also included a few non-exhaustive examples for getting other management services (syslog, TFTP, SNMP traps) working through the same VRF.

! Mgmt interface config
!
interface GigabitEthernet0
 description ** Mgmt intf **
 vrf forwarding Mgmt-intf
 ip address 192.168.0.1 255.255.255.0
 negotiation auto
!
!
! Default route for Management VRF
!
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.0.254
!
!
! Define source interface at global level
!
ip tacacs source-interface GigabitEthernet0
!
! aaa config
!
aaa new-model
!
!
! server-private keeps these server definitions private to this group.
! VRF forwarding and the source interface must also be configured
! within the aaa group context, not just globally.
!
aaa group server tacacs+ TACACS
 server-private 10.0.0.100 key MYKEY
 server-private 10.0.1.100 key MYKEY
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
!
! Fall back to the enable password if the TACACS servers are unreachable.
!
aaa authentication login REMOTE_ACCESS group TACACS enable
aaa authentication enable default group TACACS enable
aaa accounting exec REMOTE_ACCESS
 action-type stop-only
 group TACACS
!
aaa accounting commands 15 REMOTE_ACCESS
 action-type stop-only
 group TACACS
!
aaa session-id common
!
!
! Apply to vtys and console if you need to.
!
line vty 0 4
 accounting commands 15 REMOTE_ACCESS
 accounting exec REMOTE_ACCESS
 login authentication REMOTE_ACCESS
line vty 5 15
 accounting commands 15 REMOTE_ACCESS
 accounting exec REMOTE_ACCESS
 login authentication REMOTE_ACCESS
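To catch the pitfall described above before it bites (a policy line that says group tacacs+ rather than the named group, or a server group missing its VRF and source-interface lines), here is a small config audit script added as an example; it is not part of the original post and assumes the names used above (TACACS, Mgmt-intf, GigabitEthernet0) plus a constructed sample config.

```python
import re

# Constructed sample running-config (not from a real device). The group,
# VRF and source interface are right, but one policy uses 'group tacacs+'.
BAD_CONFIG = """\
aaa new-model
ip tacacs source-interface GigabitEthernet0
aaa group server tacacs+ TACACS
 server-private 10.0.0.100 key MYKEY
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
aaa authentication login REMOTE_ACCESS group tacacs+ enable
aaa authentication enable default group TACACS enable
"""

def parse_blocks(config):
    """Map each top-level config line to its indented sub-lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and IOS comments
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks

def audit_tacacs(config, vrf="Mgmt-intf", source_if="GigabitEthernet0"):
    """Return a list of findings; an empty list means the config passes."""
    blocks, findings = parse_blocks(config), []
    groups = {k.split()[-1]: v for k, v in blocks.items()
              if k.startswith("aaa group server tacacs+ ")}
    if not groups:
        findings.append("no 'aaa group server tacacs+' group defined")
    for name, body in groups.items():
        if not any(l.startswith("server-private ") for l in body):
            findings.append(f"group {name}: no server-private entries")
        for needed in (f"ip vrf forwarding {vrf}",
                       f"ip tacacs source-interface {source_if}"):
            if needed not in body:  # must be inside the group context
                findings.append(f"group {name}: missing '{needed}'")
    if f"ip tacacs source-interface {source_if}" not in blocks:
        findings.append(f"missing global 'ip tacacs source-interface {source_if}'")
    for top in blocks:  # policy lines must name the group, not 'tacacs+'
        if top.startswith(("aaa authentication ", "aaa authorization ")) \
                and re.search(r"\bgroup tacacs\+", top):
            findings.append(f"'{top}': uses 'group tacacs+' instead of a named group")
    return findings
```

Run audit_tacacs over the output of show running-config; it reports one finding for the sample above and nothing once the policy line is changed to group TACACS.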

Syslog

logging source-interface GigabitEthernet0 vrf Mgmt-intf
logging host 10.0.0.101 vrf Mgmt-intf

TFTP (auto write after wr mem)

ip tftp source-interface GigabitEthernet0

archive
 path tftp://10.0.0.101/configs/$h-
 write-memory

SNMP Traps

snmp-server trap-source GigabitEthernet0
snmp-server host 10.0.0.101 vrf Mgmt-intf version 2c MYCOMMUNITY