Getting TACACS working via the Cisco 4431 management interface threw up a few issues and took a few tweaks. The final issue I found was that referencing the servers with the bare "group tacacs+" keyword doesn't work when the servers live in the management VRF; you have to reference the named TACACS server group, with the servers defined (server-private) inside that group along with its VRF and source interface.
Below is a working configuration example for TACACS via the management port in the Mgmt-intf VRF. I've also included a non-exhaustive couple of examples (syslog, TFTP archive and SNMP traps) to get a few other things working over the same VRF.
!
! Mgmt interface config
!
interface GigabitEthernet0
 description ** Mgmt intf **
 vrf forwarding Mgmt-intf
 ip address 192.168.0.1 255.255.255.0
 negotiation auto
!
!
! Default route for Management VRF
!
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.0.254
!
!
! Define source interface at global level
!
ip tacacs source-interface GigabitEthernet0
!
! aaa config
!
aaa new-model
!
!
! Server-private restricts only within this VRF.
! VRF forwarding and source interface need to be configured
! within the aaa group context too.
!
aaa group server tacacs+ TACACS
 server-private 10.0.0.100 key MYKEY
 server-private 10.0.1.100 key MYKEY
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
!
! Fail to enable password if TACACS is not working in this config.
!
aaa authentication login REMOTE_ACCESS group TACACS enable
aaa authentication enable default group TACACS enable
aaa accounting exec REMOTE_ACCESS action-type stop-only group TACACS
!
aaa accounting commands 15 REMOTE_ACCESS action-type stop-only group TACACS
!
aaa session-id common
!
!
! Apply to vtys and console if you need to.
!
line vty 0 4
 accounting commands 15 REMOTE_ACCESS
 accounting exec REMOTE_ACCESS
 login authentication REMOTE_ACCESS
line vty 5 15
 accounting commands 15 REMOTE_ACCESS
 accounting exec REMOTE_ACCESS
 login authentication REMOTE_ACCESS
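The two mistakes that bit me above (a method list pointing at the bare "group tacacs+" instead of the named group, and a server group without its own "ip vrf forwarding" and source-interface lines) are easy to catch in a config review before the box goes in. The script below is an added example, not part of the original post or any Cisco tool: it takes an IOS/IOS-XE running-config as text, parses every "aaa group server tacacs+" stanza, and reports method lists that reference the bare keyword, groups missing the VRF or source-interface lines, and references to groups that are never defined. The sample configs inside it are constructed for the demo (the good one mirrors the working config above); the indentation-based stanza parsing matches how IOS prints "show running-config" but is a heuristic, not a full parser.

```python
"""Audit an IOS/IOS-XE config for TACACS-over-management-VRF pitfalls.

Added example, not code from the original post. Assumes the config is
available as plain text in "show running-config" form, where stanza
members are indented by one space and "!" or a non-indented line ends
the stanza.
"""
import re


def parse_server_groups(config):
    """Return {group_name: {"servers": [...], "vrf": ..., "source": ...}}."""
    groups = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^aaa group server tacacs\+ (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = {"servers": [], "vrf": None, "source": None}
            continue
        if current is not None and line.startswith(" "):
            body = line.strip()
            m = re.match(r"server-private (\S+)", body)
            if m:
                groups[current]["servers"].append(m.group(1))
            m = re.match(r"ip vrf forwarding (\S+)", body)
            if m:
                groups[current]["vrf"] = m.group(1)
            m = re.match(r"ip tacacs source-interface (\S+)", body)
            if m:
                groups[current]["source"] = m.group(1)
            continue
        current = None  # any non-indented line ends the group stanza
    return groups


def audit(config, mgmt_vrf="Mgmt-intf"):
    """Return a list of human-readable findings; empty list means clean."""
    findings = []
    groups = parse_server_groups(config)
    for name, g in groups.items():
        if not g["servers"]:
            findings.append(f"group {name}: no server-private entries")
        if g["vrf"] != mgmt_vrf:
            findings.append(f"group {name}: missing 'ip vrf forwarding {mgmt_vrf}'")
        if g["source"] is None:
            findings.append(f"group {name}: missing 'ip tacacs source-interface'")
    for line in config.splitlines():
        s = line.strip()
        if not s.startswith(("aaa authentication", "aaa authorization", "aaa accounting")):
            continue
        # Bare keyword: uses the global server list, which ignores the VRF group.
        if re.search(r"\bgroup tacacs\+(\s|$)", s):
            findings.append(f"method list uses bare 'group tacacs+': {s}")
        # Named groups must actually be defined somewhere in the config.
        for ref in re.findall(r"\bgroup (\S+)", s):
            if ref not in ("tacacs+", "radius") and ref not in groups:
                findings.append(f"method list references undefined group {ref}: {s}")
    return findings


# Constructed sample: mirrors the working config from the post.
GOOD_CONFIG = """aaa new-model
!
aaa group server tacacs+ TACACS
 server-private 10.0.0.100 key MYKEY
 server-private 10.0.1.100 key MYKEY
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
!
aaa authentication login REMOTE_ACCESS group TACACS enable
aaa authentication enable default group TACACS enable
aaa accounting exec REMOTE_ACCESS action-type stop-only group TACACS
"""

# Constructed sample: the two mistakes the post describes.
BAD_CONFIG = """aaa new-model
!
aaa group server tacacs+ TACACS
 server-private 10.0.0.100 key MYKEY
!
aaa authentication login REMOTE_ACCESS group tacacs+ enable
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or "clean")
```

Feed it the output of "show running-config" (or the archived copy the TFTP section below produces) and treat any finding as a reason to re-test login before relying on TACACS on that box.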
Syslog
logging source-interface GigabitEthernet0 vrf Mgmt-intf
logging host 10.0.0.101 vrf Mgmt-intf
TFTP (auto write after wr mem)
ip tftp source-interface GigabitEthernet0
archive
 path tftp://10.0.0.101/configs/$h-
 write-memory
SNMP traps
snmp-server trap-source GigabitEthernet0
snmp-server host 10.0.0.101 vrf Mgmt-intf version 2c MYCOMMUNITY